Citrix security flaw took down a Defence Force personnel database

The Defence Force Recruiting Network (DFRN) electronic records system was taken offline for 10 days until it could be patched and judged safe

soldiers military
Commonwealth of Australia, Department of Defence

The Australian Defence Department took an online recruitment system down in February over concerns hackers had compromised personnel data using a security flaw in Citrix software, it was revealed this week.

The Australian Broadcasting Corporation reported on Wednesday that the department shut the Defence Force Recruiting Network (DFRN) electronic records system for 10 days from February 2 in response to a potential data breach. The department’s online Powerforce recruitment database is managed by Australian recruitment firm ManpowerGroup, which held personnel records on candidates’ medical exams, physiological records and interviews.

The Defence Department said its investigation turned up no evidence the data was stolen, however there was sufficient cause for concern to take DFRN offline between February 2 and February 12, 2020.

The department was one of many organizations worldwide caught out by a critical bug in Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway server products.

The US enterprise technology vendor disclosed the bug on 17 December 2019, but it was unable to release patches for affected products until the end of January 2020. The bug, tracked as CVE-2019-19781, was referred to as “Shitrix” among members of the infosec industry. By the time Citrix released patches in late January, two exploits had been published and security researchers discovered the bug had been used to load ransomware and cryptocurrency miners on to vulnerable systems.

The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) issued a public alert about the Citrix bug on 25 December, warning it could allow an attacker without correct credentials to execute code on a target’s local network. The Netherlands government cybersecurity agency was so concerned about the bug that it warned all government agencies on January 17 to disable Citrix ADC and Gateway servers until a patch was released.

According to ITNews, Defence Department CIO Stephen Pearson told Senate Estimates on Wednesday that it took DFRN offline in February to mitigate potential exploitation. Pearson noted that DFRN was external to Defence’s network. ASD director-general Rachel Noble told Estimates that ACSC had informed Defence on January 24 that DFRN may have been compromised due to the Citrix bug. She added that it was “normal” for organizations to take a "week or so” to survey a network to understand what’s happening.

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies