The US Census Bureau’s servers were compromised on January 11, 2020, due to an unpatched vulnerability in the Citrix ADC servers. This was disclosed by the US Office of Inspector General (OIG) in a recent report.
The servers were designed to allow the Bureau’s staff to access its production, development, and laboratory networks. However, the servers did not have access to the 2020 Decennial Census networks, the OIG said.
“During the attack on the remote-access servers, the Bureau’s firewalls blocked the attacker’s attempts to communicate from the remote-access servers to its command and control infrastructure as early as January 13, 2020. However, the Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later.”
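The gap the OIG describes (the firewall silently blocking outbound attempts from the remote-access servers for two weeks before anyone noticed) is the kind of signal an egress alert on those hosts would surface. The following Python, added here as an example and not taken from the OIG report or the Bureau's tooling, scans constructed sample firewall log lines and raises an alert whenever a remote-access server is seen trying to initiate connections to non-internal addresses; the host addresses, internal ranges and log format are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (not from the OIG report): denied
# outbound attempts from two remote-access hosts, plus unrelated traffic.
SAMPLE_LOGS = """\
2020-01-13T02:14:07Z action=DENY src=10.20.5.11 dst=203.0.113.45 dport=443
2020-01-13T02:14:09Z action=DENY src=10.20.5.11 dst=203.0.113.45 dport=443
2020-01-13T02:14:12Z action=DENY src=10.20.5.11 dst=203.0.113.45 dport=443
2020-01-13T02:15:40Z action=ALLOW src=10.20.8.3 dst=10.20.9.10 dport=389
2020-01-13T02:16:01Z action=DENY src=10.20.5.12 dst=198.51.100.7 dport=8443
2020-01-13T09:00:00Z action=DENY src=10.20.8.3 dst=192.0.2.9 dport=80
"""

# Assumed addresses of the remote-access servers and of the internal ranges.
REMOTE_ACCESS_HOSTS = {"10.20.5.11", "10.20.5.12"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def blocked_egress(log_text: str, watched=REMOTE_ACCESS_HOSTS) -> dict:
    """Group DENY events in which a watched host tried to reach a non-internal
    address. Returns {src: {dst: [timestamps]}} so an alert can cite first-seen
    time and attempt count."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand instead of crashing
        f = m.groupdict()
        if f["action"] != "DENY" or f["src"] not in watched or is_internal(f["dst"]):
            continue
        hits[f["src"]][f["dst"]].append(f["ts"])
    return {src: dict(dsts) for src, dsts in hits.items()}


def alerts(log_text: str) -> list:
    """One alert per (remote-access host, external destination) pair: a server
    that should only accept inbound sessions has no business dialling out."""
    out = []
    for src, dsts in blocked_egress(log_text).items():
        for dst, times in dsts.items():
            out.append(f"{times[0]} remote-access host {src} attempted {len(times)} "
                       f"blocked outbound connection(s) to {dst}; investigate for compromise")
    return sorted(out)
```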
The attackers created rogue admin accounts on the Bureau’s servers, but they were unable to deploy a backdoor that would have given them persistent access to the systems.
The OIG revealed that the Bureau failed to mitigate a critical zero-day vulnerability in its servers, which led to their exploitation. The Bureau also failed to inform the public about the incident on time and did not maintain sufficient logs that would support the incident investigation.
“As the Census Bureau and the OIG both concluded following this incident, there were no indications of compromise on any 2020 Decennial Census systems nor any evidence of malicious behavior impacting the 2020 Decennial counts,” the Census Bureau said in its reply to OIG’s review of the incident.
No systems or data maintained by the US Census Bureau on behalf of the public were compromised following the attack.
Unlike OIG’s report, which was redacted, the Census Bureau’s response to the Office of Inspector General regarding an attack against the agency was not redacted and left intact the vendor’s name and address.
“Due to circumstances outside the Bureau’s control—including a dependency on Citrix engineers (who were already at capacity supporting customers across the Federal government who had realized greater impacts from the January 2020 attack) to complete the migration, and the COVID-19 pandemic—the migration was delayed,” the Bureau said.
Because the OIG report notes that the vulnerability was disclosed on December 17, 2019, BleepingComputer was able to identify it as CVE-2019-19781, a critical flaw in Citrix’s Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP appliances. The flaw allows remote attackers to execute code on unpatched appliances and reach the internal network without any authentication.
On January 24, 2020, Citrix released mitigations and security updates to address the flaw. On January 8, 2019, the exploit for the flaw was made public.
Threat actors, including the Sodinokibi, DoppelPaymer, and Ragnarok ransomware operations, then began attacking unpatched Citrix servers and deploying ransomware through them.