Unidentified threat actors hacked “vital” US Census Bureau servers and attempted to plant a backdoor on them, albeit unsuccessfully, a recent report by the US Office of Inspector General (OIG) revealed.
The attack took place in January 2020 and targeted the agency’s remote-access servers using a publicly available exploit for a zero-day vulnerability. Census Bureau officials said that these servers were used to provide its personnel with remote access to internal networks, and did not provide access to the 2020 decennial census networks.
The attackers were able to modify user account data on the systems in order to perform remote code execution, but their attempt to maintain access to the networks via a backdoor failed.
“During the attack on the remote-access servers, the Bureau's firewalls blocked the attacker's attempts to communicate from the remote-access servers to its command and control infrastructure as early as January 13, 2020,” OIG said.
“However, the Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later.”
While the attack was blocked and did not cause much damage, OIG said that the Bureau should improve its incident response process. Specifically, the agency failed to mitigate the critical vulnerability exploited in the attack, leaving its servers vulnerable. It also did not discover and report the incident in a timely manner, and did not maintain sufficient system logs, which hindered the investigation.
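The detection gap described above, as an added illustration that is not part of the OIG report or this article: a small Python script that scans firewall logs for remote-access servers attempting outbound connections to non-internal addresses, which is the kind of signal the Bureau's firewalls produced on January 13 but nobody acted on until January 28. The log format, host inventory and addresses are constructed assumptions.

```python
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed firewall log sample (key=value syslog style); not taken from the OIG report.
SAMPLE_LOGS = """\
2020-01-13T03:12:44Z fw01 action=deny src=10.20.5.11 dst=203.0.113.45 dport=443 proto=tcp
2020-01-13T03:12:50Z fw01 action=deny src=10.20.5.11 dst=203.0.113.45 dport=443 proto=tcp
2020-01-13T09:00:01Z fw01 action=allow src=10.20.7.30 dst=10.20.9.5 dport=389 proto=tcp
2020-01-14T11:41:02Z fw01 action=deny src=10.20.5.12 dst=198.51.100.7 dport=8080 proto=tcp
2020-01-15T08:05:19Z fw01 action=allow src=10.20.5.11 dst=10.20.9.5 dport=389 proto=tcp
2020-01-15T08:06:00Z fw01 action=deny src=10.20.7.30 dst=10.20.9.6 dport=445 proto=tcp
"""

# Hypothetical inventory: hosts that serve remote access and should never open
# connections to the internet on their own. Only these addresses are watched.
REMOTE_ACCESS_SERVERS = {"10.20.5.11", "10.20.5.12"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, _host, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_internal(addr):
    """True if the address falls inside one of the (assumed) internal ranges."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_blocked_egress(log_text, servers=REMOTE_ACCESS_SERVERS):
    """Return deny events where a remote-access server tried to reach a non-internal address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] == "deny" and rec["src"] in servers and not is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"])))
    return hits

def days_undetected(events, discovered_iso):
    """Calendar days between the earliest blocked attempt and the day the compromise was found."""
    first_seen = min(ts for ts, *_ in events).date()
    return (date.fromisoformat(discovered_iso) - first_seen).days

if __name__ == "__main__":
    events = find_blocked_egress(SAMPLE_LOGS)
    for ts, src, dst, port in events:
        print(f"{ts:%Y-%m-%d %H:%M} blocked egress {src} -> {dst}:{port}")
    print("days undetected:", days_undetected(events, "2020-01-28"))
```

In practice the same rule would run continuously against the firewall's log feed and raise an alert on the first hit, rather than being computed after the fact.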
The OIG’s report was redacted to remove all mentions of the exploited flaw and the name of the software vendor. However, some clues suggest that the vulnerability in question is CVE-2019-19781, a critical vulnerability in Citrix ADC and Gateway that allows a remote attacker to execute arbitrary code on vulnerable servers and gain access to an organization’s networks.