[TheRecord] Hackers breached US Census Bureau in January 2020 via Citrix vulnerability

Unidentified hackers breached US Census Bureau servers in January 2020 by abusing a public exploit for a major vulnerability in the agency’s remote-access servers, a US government watchdog said on Monday.

Census Bureau officials said the hacked servers were not connected to the 2020 Decennial Census networks, and the intruders did not have the opportunity to interact with census results.

Instead, the hackers only gained access to servers the agency had been using to give its remote workforce access to its internal network, the Office of Inspector General said in a report this week.

The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.

Office of Inspector General, OIG-21-034-A report

Hackers breached the agency’s Citrix servers

While OIG officials redacted the server vendor name in their report, several other details included in the document suggest that hackers exploited a vulnerability in the agency’s Citrix ADC gateway servers.

Tracked as CVE-2019-19781, this vulnerability allows attackers to bypass authentication on Citrix ADC devices and execute malicious code.

Citrix published a security advisory about this bug on December 17, 2019, and released mitigation steps so its customers could block attacks while the company was still working on a software patch.

While a fix arrived in late January 2020, attacks against Citrix ADC devices started well before that, on January 11, 2020, a day after a group of security researchers published a proof-of-concept exploit on GitHub.

According to the OIG report, the US Census Bureau’s servers appear to have been among the first to have been compromised, with the agency’s Citrix systems getting hacked on the first day of active exploitation.

Timeline of the attack:

December 17, 2019 – Citrix discloses CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Patches were not available, but the vendor released mitigations to prevent attacks.

January 10, 2020 – Proof-of-concept exploit code is released on GitHub.

January 11, 2020 – US Census Bureau Citrix server is breached using the public exploit.

January 13, 2020 – US Census Bureau firewall blocks the attacker from communicating with their remote command and control (C&C) server.

January 15, 2020 – The Bureau receives a list of malicious IP addresses from an information-sharing partner that were being used to conduct the exploit.

January 16, 2020 – The Bureau’s security team receives a notification from CISA that its servers were hacked, and the agency is asked to investigate.

January 28, 2020 – The Bureau runs a script and confirms its Citrix systems were hacked.

January 31, 2020 – The Bureau receives its second CISA request to investigate the hacked servers.

February 5, 2020 – The Bureau confirms that additional servers were hacked.

But while the Census Bureau’s firewall detected the intrusion and blocked the attackers from escalating it, the OIG said the agency had fallen short on several other fronts: it left the vulnerability unmitigated for weeks despite warnings from the vendor, ran end-of-life software on the Citrix servers, and took weeks to investigate and confirm the breach to CISA officials.

Furthermore, the OIG said the Census Bureau also did not change default logging settings on the hacked Citrix servers, meaning that by the time it carried out an in-depth investigation, logs containing crucial evidence had been rotated and deleted from the compromised systems.

Since that breach, the CVE-2019-19781 Citrix vulnerability has become one of the most exploited security bugs of the past two years, according to a joint report from cyber-security agencies in the US, UK, and Australia.

Today, it’s used by ransomware gangs, initial access brokers, and state-sponsored cyber-espionage groups. In March 2020, the same bug was also blamed as the root cause of a security breach of the Australian Defence Force Recruiting Network.

The post Hackers breached US Census Bureau in January 2020 via Citrix vulnerability appeared first on The Record by Recorded Future.
