9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Threat actors exploited an unpatched Citrix flaw to breach the network of the U.S. Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according to a report by a government watchdog organization.
However, investigators found that officials were informed of the flaw in its servers and had at least two opportunities to fix it before the attack, mainly due to lack of coordination between teams responsible for different security tasks, according to the report, published Tuesday by the U.S. Department of Commerce Office of Inspector General. The bureau also lagged in its discovery and reporting of the attack after it happened.
The report details and reviews the incident that occurred on Jan. 11, 2020, when attackers used the publicly available exploit for a critical flaw to target remote-access servers operated by the bureau.
Citrix released a public notice about the zero-day flawâtracked as CVE-2019-19781âin December. In January, a representative from the bureauâs Computer Incident Response Team (CIRT_ attended two meetings in which the flaw was discussed and attendees even received a link to steps to use fixes which already had been issued by Citrix.
âDespite the publicly available notices released in December and attending two meetings on the issue in January, the bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked,â according to the report. Doing so could have prevented the attack, investigators noted.
The Citrix products affected by the flawâdiscovered by Mikhail Klyuchnikov, a researcher at Positive Technologiesâare used for application-aware traffic management and secure remote access, respectively. At least 80,000 organizations in 158 countriesâabout 38 percent in the U.S.âuse these products, formerly called NetScaler ADC and Gateway.
The initial compromise at the Census Bureau was on servers used to provide the bureauâs enterprise staff with remote-access capabilities to production, development and lab networks. The servers did not provide access to 2020 decennial census networks, officials told investigators.
âThe exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,â according to the report. âHowever, the attackerâs attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.â
Attackers were able to make unauthorized changes to the remote-access servers, including the creation of new user accounts, investigators reported. However, the bureauâs firewalls blocked the attackerâs attempts to establish a backdoor to communicate with the attackerâs external command and control infrastructure.
Another security misstep the bureau took that could have mitigated the attack before it even happened was that it was not conducting vulnerability scanning of the remote-access servers as per federal standards and Commerce Department policy, according to the OIG.
âWe found that the bureau vulnerability scanning team maintained a list of devices to be scanned,â investigators wrote. âHowever, the remote-access servers were not included on the list, and were therefore not scanned. This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning.â
The bureau also made mistakes after the attack by not discovering nor reporting the incident in a timely manner, the OIG found.
IT administrators were not aware that servers were compromised until Jan. 28, more than two weeks after the attack, because the bureau was not using a a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic, investigators found.
nvd.nist.gov/vuln/detail/CVE-2019-19781
threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/
threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/
threatpost.com/unpatched-citrix-flaw-exploits/151748/
www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P