A recent study by a government watchdog organization revealed that threat actors exploited an unpatched Citrix flaw to breach the network of the US Census Bureau in January.
The attack was stopped before the hackers could steal data or install a backdoor. Yet an unfixed flaw on the Bureau's servers allowed the attackers to access the compromised systems in the first place. The Bureau was criticized for not fixing the flaw beforehand and for lagging in its discovery and reporting of the attack.
The report found that if the Bureau had coordinated with the team responsible for implementing the mitigation steps, the attack could have been prevented.
The report also showed that the initial compromise at the Census Bureau was on servers used to provide the Bureau's enterprise staff with remote access to production, development, and lab networks. The attackers were able to modify user account data on the systems to prepare for remote code execution, but they did not succeed in maintaining access to the systems by creating a backdoor into the affected servers.
The attackers were still able to make unauthorized changes to the remote-access servers, such as creating new user accounts, but could not establish a backdoor to communicate with their external command and control infrastructure.
The report concluded that vulnerability scanning of the remote-access servers would have let the Bureau mitigate the attack before it happened. The Bureau also did not report the incident as soon as it should have, which gave the threat actors more opportunities.
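The unauthorized account creation described above is the kind of change a defender can catch quickly if remote-access gateways are watched for account and group modifications that have no matching change ticket. The following Python script is an added example, not part of the report or of any Census Bureau tooling; the log lines, host names (ra-gw01, ra-gw02, build-07), user names and the change-ticket baseline are all constructed for illustration, and the log format assumed is the Linux syslog output of useradd and usermod.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample auth log lines (not from the report). The format mimics
# Linux syslog entries written by useradd and usermod.
SAMPLE_LOG = """\
Jan 11 02:13:05 ra-gw01 useradd[4122]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Jan 11 02:13:09 ra-gw01 usermod[4130]: add 'svc_backup' to group 'sudo'
Jan 11 09:45:31 ra-gw02 useradd[7781]: new user: name=jdoe, UID=1008, GID=1008, home=/home/jdoe, shell=/bin/bash
Jan 12 03:02:44 build-07 useradd[512]: new user: name=ci_runner, UID=2001, GID=2001, home=/srv/ci, shell=/usr/sbin/nologin
"""

USERADD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) useradd\[\d+\]: "
    r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)"
)
GROUP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) usermod\[\d+\]: "
    r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"
)


@dataclass
class Finding:
    host: str
    user: str
    reason: str


def parse_events(log_text):
    """Extract account-creation and group-membership events from syslog text."""
    events = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            events.append({"kind": "useradd", **m.groupdict()})
            continue
        m = GROUP_RE.match(line)
        if m:
            events.append({"kind": "groupadd", **m.groupdict()})
    return events


def hour_of(ts):
    # Syslog timestamps carry no year; only the hour is needed here.
    return datetime.strptime(ts, "%b %d %H:%M:%S").hour


def audit_account_changes(events, remote_access_hosts, approved_changes,
                          privileged_groups=("sudo", "wheel", "admin")):
    """Flag account changes on remote-access hosts that lack an approved change.

    approved_changes is a set of (host, user) pairs covered by a change ticket
    (a hypothetical change-control baseline, constructed for this example).
    """
    findings = []
    for ev in events:
        if ev["host"] not in remote_access_hosts:
            continue  # only the remote-access tier is in scope for this check
        key = (ev["host"], ev["user"])
        if key in approved_changes:
            continue
        if ev["kind"] == "useradd":
            reason = "account created without change ticket"
            hour = hour_of(ev["ts"])
            if hour < 6 or hour >= 22:
                reason += " (outside business hours)"
            findings.append(Finding(ev["host"], ev["user"], reason))
        elif ev["kind"] == "groupadd" and ev["group"] in privileged_groups:
            findings.append(Finding(ev["host"], ev["user"],
                                    f"added to privileged group '{ev['group']}'"))
    return findings


if __name__ == "__main__":
    gateways = {"ra-gw01", "ra-gw02"}          # constructed remote-access hosts
    approved = {("ra-gw02", "jdoe")}            # constructed change-ticket baseline
    for f in audit_account_changes(parse_events(SAMPLE_LOG), gateways, approved):
        print(f"{f.host}: user {f.user}: {f.reason}")
```

Run against the constructed sample, the script reports two findings on ra-gw01 (an unticketed account created at 02:13 and its addition to the sudo group) while ignoring the ticketed jdoe account and the build host that is outside the remote-access tier. In practice the baseline would come from the change-management system and the log lines from a central collector, which is what lets such a change be reported the same day rather than weeks later.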