Attackers Reportedly Took Advantage of Unpatched Citrix Software
New York State capital in Albany (Photo: Paul Sableman via Flickr)
In January, hackers compromised portions of the New York state government’s computer network by taking advantage of an unpatched vulnerability in Citrix enterprise software, according to the Wall Street Journal.
While the New York State Office of Information Technology Services discovered the hacking incident on Jan. 28, officials did not disclose the breach until Monday, after the Journal and other publications asked about it.
The attack disabled some state agency information systems and took nearly a month to resolve, according to the Albany Times Union.
State officials as well as the FBI are now investigating the hacking incident. Richard Azzopardi, a senior adviser to New York Gov. Andrew Cuomo, told the Journal that there is no evidence that employee data or other personally identifiable information was compromised or stolen.
It appears that the hackers were based in another country, according to the Journal, which cited two people familiar with the investigation. After the incident was first discovered, the state hired security firm CrowdStrike to investigate and assess the government’s security procedures, the Journal reports.
The hacking targeted databases used by several of the state’s largest agencies, including the New York State Police, the Department of Environmental Conservation and the Department of Civil Service, according to the Journal.
A spokesperson for the Office of Information Technology Services did not immediately reply to a request for comment Tuesday.
In January, around the same time that the state computer network hacking incident was discovered, the Albany (New York) International Airport disclosed that it paid a ransom to the Sodinokibi ransomware gang after a Christmas attack on the airport’s network. The incident remains under investigation by the FBI and the New York State Cyber Command (see: Albany Airport Pays Off Sodinokibi Ransomware Gang: Report).
Over the past eight years, the state of New York has undergone a large-scale IT consolidation program that has moved most of its networking and infrastructure into 53 data centers located on the State University of New York campus in Albany, according to news reports.
At one of these data centers, investigators found that hackers took advantage of an unpatched vulnerability in Citrix software that was first disclosed in December 2019, according to the Albany Times Union.
The vulnerability, which is tracked as CVE-2019-19781, was discovered by researchers at Positive Technologies. Citrix has announced numerous patches and has urged its customers to apply the fixes (see: Citrix Releases First Patches to Fix Severe Vulnerability).
When the Positive Technologies researchers first disclosed the vulnerability, they noted that it affected numerous Citrix enterprise software products, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
If exploited, the vulnerability could give hackers access to an internal network even if a company or organization was using firewalls or two-factor authentication to help guard against such an attack, security researchers warned.
All told, the flaw affected about 80,000 companies that had unpatched Citrix software within their networks, according to Positive Technologies.
In March, insurance giant Chubb reported it was investigating a “security incident,” and researchers noted that scans of its infrastructure showed the company had unpatched Citrix software (see: Insurer Chubb Investigating ‘Security Incident’).
If an organization lacks visibility into its networks and systems to determine the need for patches, hackers are likely to exploit these flaws, says Jake Williams, president of cybersecurity consultancy Rendition Infosec.
“I have no doubt that New York state has a vulnerability management team, but they can only notify administrators that they know have the equipment that requires patching,” Williams tells Information Security Media Group. “Network visibility is, of course, an important and complementary function to detect attackers that do find a way to compromise devices.”