Hackers breached US Census Bureau in January 2020 via Citrix vulnerability

Unidentified hackers breached US Census Bureau servers in January 2020 by abusing a public exploit for a major vulnerability in the agency's remote-access servers, a US government watchdog said on Monday.

Census Bureau officials said the hacked servers were not connected to the 2020 Decennial Census networks, and the intruders did not have the opportunity to interact with census results.

Instead, the hackers breached only gained access to servers the agency had been using to provide access to its internal network for its remote workforce, the Office of Inspector General said in a report this week.

The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attacker's attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.

Office of Inspector General, OIG-21-034-A report

Hackers breached the agency's Citrix servers

While OIG officials redacted the server vendor name in their report, several other details included in the document suggest that hackers exploited a vulnerability in the agency's Citrix ADC gateway servers.

Tracked as CVE-2019-19781, this vulnerability allows attackers to bypass authentication on Citrix ADC devices and execute malicious code.

Citrix published a security advisory about this bug on December 17, 2019, and released mitigation steps so its customers could block attacks while the company was still working on a software patch.

While a fix arrived in late January 2020, attacks against Citrix ADC devices started well before that, on January 11, 2020, a day after a group of security researchers published a proof-of-concept exploit on GitHub.

According to the OIG report, the US Census Bureau's servers appear to have been among the first to have been compromised, with the agency's Citrix systems getting hacked on the first day of active exploitation.

Timeline of the attack:

• December 17, 2019 - Citrix discloses CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Patches were not available, but the vendor released mitigations to prevent attacks.
• January 10, 2020 - Proof-of-concept exploit code is released on GitHub.
• January 11, 2020 - US Census Bureau Citrix server is breached using the public exploit.
• January 13, 2020 - US Census Bureau firewalls blocks the attacker from communicating with their remote command and control (C&C) server.
• January 15, 2020 - the Bureau receives a list of malicious IP addresses from an information-sharing partner that were being used to conduct the exploit.
• January 16, 2020 - the Bureau's security team received a notification from CISA that its servers were hacked and the agency is asked to investigate.
• January 28, 2020 - the Bureau runs a script and confirms its Citrix system were hacked.
• January 31, 2020 - the Bureau receives its second CISA request to investigate the hacked servers.
• February 5, 2020 - the Bureau confirms that additional servers were hacked.

But while the Census Bureau's firewall detected the intrusion and blocked the attackers from escalating their intrusion, the OIG said the agency had failed on several other fronts, such as mitigating the vulnerability for weeks despite warnings from the vendor, running end-of-life software on the Citrix servers, and taking weeks to investigate and confirm the breach to CISA officials.

Furthermore, the OIG said the Census Bureau also did not change default logging settings on the hacked Citrix servers, meaning that by the time it carried out an in-depth investigation, logs containing crucial evidence had been rotated and deleted from the compromised systems. In other instances, devices either didn't keep logs, or tried to send logs to a SIEM (Security Information and Event Management) platform that had been decommissioned more than a year before.

Since then US Census Bureau breach, the CVE-2019-19781 Citrix vulnerability became one of the most exploited security bugs over the past two years, according to a joint report from cyber-security agencies in the US, UK, and Australia.

Today, the same vulnerability is often (ab)used by ransomware gangs, initial access brokers, and state-sponsored cyber-espionage groups. In March 2020, the same bug was also blamed as the root cause of a security breach of the Australian Defence Force Recruiting Network.