US Census Bureau servers were hijacked on January 11, 2020, by threat actors exploiting an unpatched Citrix ADC zero-day vulnerability, as the US Office of Inspector General (OIG) revealed in a report on the incident.
“Following the attack on the remote-access servers, the Bureau’s firewalls stopped the threat actor’s attempts to communicate from the remote-access servers to its command and control infrastructure as early as January 13, 2020.”
“However, the Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later.”
Attack Only Moderately Successful!
While the threat actors were able to hijack the Bureau’s servers and create rogue admin accounts that would have allowed them to run malicious code remotely, they were unable to set up backdoors to maintain access to the servers and achieve their objectives.
According to the OIG, the Bureau had failed to mitigate the critical vulnerability exploited in the attack, leaving its servers exposed. After its servers were compromised, the Bureau also failed to detect and report the attack in a timely manner. It also did not maintain sufficient system logs, which hampered the incident investigation.
“As the Census Bureau and the OIG both concluded following this incident, there were no indications of compromise on any 2020 Decennial Census systems nor any evidence of malicious behavior affecting the 2020 Decennial counts,” the Bureau said in its reply to the OIG’s review of the incident.
“Moreover, no systems or data controlled and handled by the Census Bureau on behalf of the public were compromised, manipulated, or lost because of the incident highlighted in the OIG’s report.”
How Did Threat Actors Abuse a Critical Citrix Bug?
A US Census Bureau investigator told our experts to go through the agency’s response to the OIG’s report when contacted for comment, and that is where we found the information needed to identify the attack vector the hackers used to compromise the Bureau’s servers.
While the OIG’s report was redacted to remove all mentions of the exploited vulnerability and the name of the software vendor, the Census Bureau’s response to the OIG’s inquiries about the attack was left untouched, revealing that the redacted vendor is Citrix.

“Due to issues outside the Bureau’s control—consisting of a dependency on Citrix engineers (who were already at capacity supporting customers across the Federal government who had realized greater impacts from the January 2020 attack) to complete the migration, and the COVID-19 pandemic—the migration was delayed,” the Bureau said.
This, coupled with the OIG noting that the vulnerability was disclosed on December 17, 2019, made it possible to pinpoint it as CVE-2019-19781, a critical bug affecting Citrix’s Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP appliances.
Successful exploitation of CVE-2019-19781 allows remote attackers to execute arbitrary code on unpatched appliances and gain access to an organization’s internal network without requiring authentication.
Abused Citrix Flaw Still Under Active Exploitation
Citrix disclosed the security bug and provided mitigations on December 17, 2019, and released security updates to fix it for all affected products on January 24, 2020. However, proof-of-concept exploits for CVE-2019-19781 were made public two days after scans for vulnerable Citrix servers were detected on January 8.
Threat actors jumped at the opportunity and began attacking unpatched Citrix servers, with security researchers observing them deploying malware on compromised servers, including Sodinokibi and Ragnarok ransomware payloads.
The DoppelPaymer ransomware gang also exploited the same bug in February to breach the network of Bretagne Telecom, a privately held French cloud hosting and enterprise telecommunications company.
Since then, CVE-2019-19781 has been included by the FBI on its list of the most targeted vulnerabilities of the last two years and by the NSA among the top five vulnerabilities actively exploited by Russian state-sponsored hackers. Government advisories covering CVE-2019-19781 include: Mitigate CVE-2019-19781, APT29 targets COVID-19 vaccine development, and Detect and Prevent Web Shell Malware.