Pierluigi Paganini August 19, 2021

Threat actors breached the servers of US Census Bureau on January 11, 2020, exploiting an unpatched Citrix ADC zero-day vulnerability, OIG revealed.

A report published by the US Office of Inspector General (OIG) revealed that threat actors breached the servers of US Census Bureau on January 11, 2020, exploiting an unpatched Citrix ADC zero-day flaw.

The servers were used to provide the Bureau with remote-access capabilities for its enterprise staff to access the production, development, and lab networks. The report states that the servers did not provide access to 2020 decennial census networks, this means that the attacker did not interfere with the results of the census.

“The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.” states the report published by Office of Inspector General.

The flaw was disclosed by Citrix in December 2019, the experts explained that it could be exploited by attackers to access company networks.

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.

In January 2020, Citrix announced permanent fixes for this remote code execution vulnerability.

While security researchers were warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability, many experts announced the availability online of proof-of-concept exploit code ([1, 2]).

Researchers at MDSsec published technical details of the vulnerability along with a video that shows the exploit they have developed, but they decided to not release it to avoid miscreants use it in the wild.

The report states that the US Census Bureau’s servers were compromised immediately after the availability of PoC exploits in the wild. The report reveals that the Bureau was able to discover the intrusion until January 28, 2020, more than 2 weeks later.

On January 31, 2020 the Bureau receives its second CISA request to investigate the compromised servers and a few days later, on February 5, 2020, the Bureau confirmed that other servers were hacked.

“During the attack on the remote-access servers, the Bureau’s firewalls blocked13 the attacker’s attempts to communicate from the remote-access servers to its command and control infrastructure as early as January 13, 2020. However, the Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later. We found that this delay occurred because, at the time of the incident, the Bureau was not using a security information and event management tool (SIEM)14 to proactively alert incident responders of suspicious network traffic.” states the report. “Instead, the Bureau’s SIEM was only being used for reactive, investigative actions. By not using a SIEM to generate automated security alerts at the time of the incident, the Bureau was delayed in confirming that the remote-access servers had been exploited.”

The OIG highlighted other problems such as the delay in the patch management process, the use of end-of-life software on the Citrix servers, delay in the investigation of the security breach, the use of default logging settings on the hacked Citrix servers that caused the lost of useful logs from the compromised systems.

The vulnerability is often exploited by ransomware operators, cybercriminals and nation state actors in their attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)

[adrotate banner=”5″]

[adrotate banner=”13″]