The Office of the Inspector General (OIG) reported that unknown attackers hacked the servers of the US Census Bureau on January 11, 2020.
The attackers used a zero-day Citrix ADC vulnerability and a public exploit, and the Bureau was unaware of the breach until January 28, 2020.
Census Bureau officials said the compromised servers did not provide access to data from the 2020 census. Instead, the servers were intended for remote workers and provided access to production, development, and test networks.
The vulnerability in question is the known critical bug CVE-2019-19781, discovered on December 17, 2019. It affects Citrix Application Delivery Controller (ADC) systems and Citrix Gateway. The bug allows an unauthorized attacker to send a specially crafted request that then lets them execute arbitrary commands on the server.
Once that is possible, an attacker can expand the attack, move laterally through the corporate network, and gain access to data stored on the attacked system (information about virtual machines, system users, and so on).
The vulnerability was patched in January 2020, and according to an OIG report, the Census Bureau’s servers were among the attackers' first targets: they were hacked on the first day of active exploitation of the bug.
Let me remind you that I just talked about how Chinese hackers attack US organizations and exploit bugs in Citrix.