US Census Bureau hacked in January 2020 using Citrix exploit

US Census Bureau servers were breached on January 11, 2020, by hackers who exploited a Citrix ADC zero-day vulnerability as the US Office of Inspector General (OIG) disclosed in a recent report.

"The purpose of these servers was to provide the Bureau with remote-access capabilities for its enterprise staff to access the production, development, and lab networks. According to system personnel, these servers did not provide access to 2020 decennial census networks," the OIG said.

"During the attack on the remote-access servers, the Bureau's firewalls blocked the attacker's attempts to communicate from the remote-access servers to its command and control infrastructure as early as January 13, 2020.

"However, the Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later."

Attack only partially successful

While the attackers were able to breach the Bureau's servers and set up rogue admin accounts that would allow them to execute malicious code remotely, they could not deploy backdoors to maintain access to the servers and achieve their goals.

According to the OIG, the Bureau failed to mitigate the critical vulnerability exploited in the attack, leaving its servers vulnerable.

After their servers were compromised, the Bureau also failed to discover and report the attack on time. It also didn't maintain sufficient system logs, hindering the incident investigation.

"As the Census Bureau and the OIG both concluded following this incident, there were no indications of compromise on any 2020 Decennial Census systems nor any evidence of malicious behavior impacting the 2020 Decennial counts," responded in a reply to OIG's review of the incident.

"Furthermore, no systems or data maintained and managed by the Census Bureau on behalf of the public were compromised, manipulated, or lost because of the incident highlighted in the OIG's report."

Attackers exploited a critical Citrix flaw

A US Census Bureau spokesperson told BleepingComputer to see the agency's response to OIG's report when contacted for comment, and that's where we found the info needed to identify the attack vector the hackers used to compromise the Bureau's servers.

While OIG's report was redacted to remove all mentions of the exploited vulnerability and the name of the software vendor, the Census Bureau's response to OIG's inquiries surrounding the attack was left untouched, revealing that the redacted vendor is Citrix.

"Due to circumstances outside the Bureau's control—including a dependency on Citrix engineers (who were already at capacity supporting customers across the Federal government who had realized greater impacts from the January 2020 attack) to complete the migration, and the COVID-19 pandemic—the migration was delayed," the Bureau said.

This, coupled with OIG mentioning that the vulnerability was disclosed on December 17, 2019, made it possible to precisely pinpoint it as CVE-2019-19781, a critical bug affecting Citrix's Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP appliances.

Successful CVE-2019-19781 exploitation could enable remote attackers to execute arbitrary code on unpatched servers and gain access to an organization's internal network without requiring authentication.

Exploited Citrix bug still under active exploitation

Citrix disclosed the security flaw and provided mitigations on December 17, 2019, and released security updates to address it for all impacted products on January 24, 2020.

However, proof-of-concept exploits for CVE-2019-19781 were made public two days after scans for vulnerable Citrix servers were detected on January 8.

Threat actors jumped at the occasion and began attacking unpatched Citrix servers, with security researchers observing them deploy malware on compromised servers, including Sodinokibi and Ragnarok ransomware payloads.

The DoppelPaymer ransomware gang also exploited the same bug in February to breach the network of Bretagne Télécom, a privately held French cloud hosting and enterprise telecommunications company.

Since then, CVE-2019-19781 has been included by the FBI on its list of top targeted vulnerabilities of the last two years and by the NSA in the top five vulnerabilities actively abused by Russian-sponsored state hackers.

Government advisories mentioning CVE-2019-19781 include: Mitigate CVE-2019-19781, APT29 targets COVID-19 vaccine development, and Detect and Prevent Web Shell Malware.