[TheRecord] Hackers breached US Census Bureau in January 2020 via Citrix vulnerability

Unidentified hackers breached US Census Bureau servers in January 2020 by abusing a public exploit for a major vulnerability in the agency’s remote-access servers, a US government watchdog said on Monday.

Census Bureau officials said the hacked servers were not connected to the 2020 Decennial Census networks, and the intruders did not have the opportunity to interact with census results.

Instead, the hackers only gained access to servers the agency had been using to give its remote workforce access to its internal network, the Office of Inspector General said in a report this week.

The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.

Office of Inspector General, OIG-21-034-A report

Hackers breached the agency’s Citrix servers

While OIG officials redacted the server vendor name in their report, several other details included in the document suggest that hackers exploited a vulnerability in the agency’s Citrix ADC gateway servers.

Tracked as CVE-2019-19781, this vulnerability is a directory traversal flaw that lets an unauthenticated attacker reach internal scripts on Citrix ADC and Citrix Gateway devices and, from there, execute arbitrary code on the appliance.

Citrix published a security advisory about this bug on December 17, 2019, and released mitigation steps so its customers could block attacks while the company was still working on a software patch.

While a fix arrived in late January 2020, attacks against Citrix ADC devices started well before that, on January 11, 2020, a day after a group of security researchers published a proof-of-concept exploit on GitHub.

According to the OIG report, the US Census Bureau’s servers appear to have been among the first to have been compromised, with the agency’s Citrix systems getting hacked on the first day of active exploitation.

Timeline of the attack:

December 17, 2019 – Citrix discloses CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Patches were not available, but the vendor released mitigations to prevent attacks.

January 10, 2020 – Proof-of-concept exploit code is released on GitHub.

January 11, 2020 – A US Census Bureau Citrix server is breached using the public exploit.

January 13, 2020 – The Bureau's firewall blocks the attacker from communicating with their remote command and control (C&C) server.

January 15, 2020 – The Bureau receives, from an information-sharing partner, a list of malicious IP addresses being used to conduct the exploit.

January 16, 2020 – The Bureau's security team receives a notification from CISA that its servers were hacked, and the agency is asked to investigate.

January 28, 2020 – The Bureau runs a script and confirms its Citrix systems were hacked.

January 31, 2020 – The Bureau receives its second CISA request to investigate the hacked servers.

February 5, 2020 – The Bureau confirms that additional servers were hacked.

But while the Census Bureau's firewall detected the intrusion and blocked the attackers from escalating it, the OIG said the agency had failed on several other fronts: it left the vulnerability unmitigated for weeks despite warnings from the vendor, ran end-of-life software on the Citrix servers, and took weeks to investigate and confirm the breach to CISA officials.

Furthermore, the OIG said the Census Bureau also did not change default logging settings on the hacked Citrix servers, meaning that by the time it carried out an in-depth investigation, logs containing crucial evidence had been rotated and deleted from the compromised systems.
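The kind of check the Bureau could only run against logs that had not yet rotated away is a simple scan of the gateway's web access log for the request patterns that exploitation of CVE-2019-19781 leaves behind. The script below is an added example, not code from the OIG report or from Citrix: it parses Apache combined-format lines (the layout Citrix ADC uses for its httpaccess.log), percent-decodes the request path so encoded traversal is not missed, and flags two indicators that CISA published in its January 2020 alert on the bug rather than anything stated in this article: a `../` traversal from the unauthenticated `/vpn/` tree into `/vpns/`, and a POST to a Perl script under `/vpns/portal/scripts/`. The log lines, addresses and timestamps are constructed for the example.

```python
"""Scan Citrix ADC/Gateway style access-log lines for CVE-2019-19781 indicators.

Added example. The log content is constructed; the two indicators are taken from
CISA's public January 2020 alert on CVE-2019-19781, not from the article above.
"""
import re
import urllib.parse
from collections import Counter

# Constructed sample in Apache combined format (the layout of Citrix ADC's
# /var/log/httpaccess.log). IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 4132 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/ HTTP/1.1" 200 3201 "-" "curl/7.64.0"
203.0.113.7 - - [11/Jan/2020:03:14:11 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 0 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:03:20:40 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 200 788 "-" "python-requests/2.22.0"
192.0.2.55 - - [11/Jan/2020:03:31:17 +0000] "GET /vpn/logon/LogonPoint/index.html HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Jan/2020:03:31:18 +0000] "GET /vpn/js/gateway_login_form_view.js HTTP/1.1" 200 15432 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw):
    """Drop the query string and percent-decode until stable, so that
    %2e%2e (or double-encoded %252e) traversal is compared as literal '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


# Indicators from CISA's January 2020 alert (assumption: not stated on this page).
# Ordered strongest first; a line yields at most one hit.
INDICATORS = (
    # POST to a Perl script under /vpns/portal/scripts/: the request shape of an
    # exploit that reached code execution rather than a mere probe.
    ("script_post", lambda method, path: method == "POST"
        and re.search(r"/vpns/portal/scripts/[^/]+\.pl$", path) is not None),
    # Traversal from the unauthenticated /vpn/ tree into the protected /vpns/ tree.
    ("traversal", lambda method, path: re.search(r"/vpn/(?:\.\./)+vpns/", path) is not None),
)


def scan_log(text):
    """Return one hit dict per log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line (e.g. truncated tail of a rotated log)
        path = normalize_path(m["path"])
        for name, check in INDICATORS:
            if check(m["method"], path):
                hits.append({"ip": m["ip"], "ts": m["ts"], "indicator": name,
                             "method": m["method"], "path": path, "status": m["status"]})
                break
    return hits


def suspicious_sources(hits):
    """Count hits per client address; feed the result to your blocklist or SIEM."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["indicator"]:<11} {h["method"]} {h["path"]} -> {h["status"]}')
    print("hits per source:", dict(suspicious_sources(found)))
```

Run it against a real httpaccess.log instead of SAMPLE_LOG to get the same two-stage picture the Bureau eventually reconstructed: probes from a source, then a script POST that indicates the exploit completed. The check is only as good as the retention window, which is the OIG's point: with default rotation the relevant lines are gone before anyone looks, so the log should be shipped off the appliance or its rotation settings raised before an incident, not after.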

Since the breach, the CVE-2019-19781 Citrix vulnerability has become one of the most exploited security bugs of the past two years, according to a joint report from cyber-security agencies in the US, UK, and Australia.

Today, it’s used by ransomware gangs, initial access brokers, and state-sponsored cyber-espionage groups. In March 2020, the same bug was also blamed as the root cause of a security breach of the Australian Defence Force Recruiting Network.

The post Hackers breached US Census Bureau in January 2020 via Citrix vulnerability appeared first on The Record by Recorded Future.

