The FBI and CISA reported in a joint fact sheet that a hacker group compromised one of the Federal Civilian Executive Branch (FCEB) agencies, which had failed to install the patch for Log4Shell, a vulnerability fixed nearly a year ago. Notably, back in April this year, the FBI had already warned about the importance of installing the updates that close such vulnerabilities.
CISA did not name the compromised FCEB agency; the FCEB includes organisations such as the Department of Homeland Security, the Treasury Department and the Federal Trade Commission. Some details of the incident have emerged, however.
CISA said it first noticed suspected malicious activity on the unnamed agency's network in April, when agency staff were performing a retrospective analysis using the government's Einstein intrusion detection system; the incident was then worked through in detail over the summer, from May to July. The investigation revealed that the hackers had exploited Log4Shell, a critical zero-day vulnerability in the ubiquitous open-source logging library Log4j.
Exploiting the Log4Shell remote code execution vulnerability on an unpatched VMware Horizon server gave the hackers access to the organisation's network with administrator and system-level privileges. They then installed XMRig, an open-source crypto-mining program that attackers commonly deploy on compromised computers to mine virtual currency; in this case it mined monero (XMR). The malware was uploaded to the agency's server as an archive file called file.zip.
In addition to the miner, the hackers installed Mimikatz, an open-source tool for stealing credentials, and created a new domain administrator account on the agency's servers. Using the new account, they disabled Windows Defender and added Ngrok proxies to multiple hosts to preserve future access.
The US regulator notes that the attackers' ultimate motive remains unclear. But it says that all organizations that have not yet patched their VMware systems against Log4Shell should assume they have already been compromised, and should start hunting for malicious activity on their networks.
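As an added illustration of what "looking for malicious activity" can mean in practice, the script below is not from the fact sheet or from the article; it is a small hunting routine written for this page. It runs a handful of detection rules, each matching one of the post-exploitation steps the article describes (the file.zip drop, the XMRig miner, Mimikatz, a freshly created account being added to Domain Admins, Windows Defender real-time protection being switched off, and Ngrok tunnels), over constructed sample telemetry. The sample events, host names, paths and the simplified Sysmon/Windows-security-log record layout are all made up for the example; the Windows event IDs 4720 (user account created) and 4728 (member added to a security-enabled global group) and the `Set-MpPreference` PowerShell cmdlet are real, but the exact patterns are one reasonable choice, not an official CISA rule set.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real agency data). Each record is one
# process-creation, file-write or account event in a simplified
# Sysmon/Windows-security-log style. Events are assumed to be in time order.
SAMPLE_EVENTS = [
    {"host": "horizon01", "kind": "file", "path": r"C:\Users\Public\file.zip"},
    {"host": "horizon01", "kind": "process", "image": r"C:\ProgramData\xmrig.exe",
     "cmdline": "xmrig.exe -o stratum+tcp://pool.invalid:3333 -u WALLET"},
    {"host": "horizon01", "kind": "process", "image": r"C:\Temp\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "dc01", "kind": "account", "event_id": 4720, "target": "svcbackup2"},
    {"host": "dc01", "kind": "account", "event_id": 4728, "target": "svcbackup2",
     "group": "Domain Admins"},
    {"host": "ws07", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws07", "kind": "process", "image": r"C:\Windows\Temp\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"host": "ws08", "kind": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign control record
]

# Process rules: (finding name, pattern applied to "image cmdline").
# These are hypothetical hunting patterns chosen for this example.
PROCESS_RULES = [
    ("xmrig_miner", re.compile(r"xmrig|stratum\+tcp://", re.I)),
    ("mimikatz", re.compile(r"mimikatz", re.I)),
    ("ngrok_tunnel", re.compile(r"\bngrok\b", re.I)),
    ("defender_disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring", re.I)),
]


def hunt(events):
    """Return a list of (host, finding) tuples for every event that matches a rule."""
    findings = []
    new_accounts = set()  # accounts created during the window (event 4720)
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "process":
            text = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
            for name, pattern in PROCESS_RULES:
                if pattern.search(text):
                    findings.append((host, name))
        elif ev["kind"] == "file":
            # The archive name is taken from the article; any path ending in it is flagged.
            if ev["path"].lower().endswith("file.zip"):
                findings.append((host, "file_zip_dropped"))
        elif ev["kind"] == "account":
            if ev["event_id"] == 4720:
                new_accounts.add(ev["target"])
            elif ev["event_id"] == 4728 and ev.get("group") == "Domain Admins":
                # A brand-new account being promoted straight to Domain Admins is the
                # pattern the article describes, so it gets its own finding name.
                if ev["target"] in new_accounts:
                    findings.append((host, "new_account_to_domain_admins"))
                else:
                    findings.append((host, "added_to_domain_admins"))
    return findings


def summarize(events):
    """Group findings per host: {host: sorted list of distinct finding names}."""
    per_host = defaultdict(set)
    for host, name in hunt(events):
        per_host[host].add(name)
    return {host: sorted(names) for host, names in per_host.items()}


if __name__ == "__main__":
    for host, names in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(names)}")
```

The per-host grouping is the useful part: a single miner alert is easy to dismiss, but the same host showing the dropped archive, the miner and a credential-theft tool, with a domain controller recording a new account promoted to Domain Admins in the same window, is the chain the fact sheet describes and should trigger a full incident response rather than a cleanup of one process.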