Citrix vulnerability used for potential Defence recruitment database access

ASD notified Defence and its recruitment database contractor that it had reason to believe they were vulnerable to a Netscaler bug, a month after Citrix made the vulnerability public.
Written by Chris Duckett, Contributor

The Australian Signals Directorate (ASD) has revealed that a vulnerability in Citrix, announced over Christmas, could have been used by malicious actors to access a database of Australian Defence recruitment details.

"On the 24th of January ... through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue," newly installed director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates on Wednesday night.

Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.

"Given the global nature of the vulnerability which affected companies worldwide, I don't think they would have been the only one," Noble said.

As reported by the ABC on Wednesday morning, the DFRN was offline and quarantined for 10 days from February 2 to February 12. A source told the ABC the issue was detected before Christmas and crisis meetings were held twice a day over the issue. The database was run by ManpowerGroup, the ABC reported.


The director-general said there was no actor in particular behind the issue.

"What we saw from a holistic global point of view from the Australian Cyber Security Centre is that, a vulnerability in Citrix which is used globally, becomes known on 25th of December 2019. We saw a huge number of all sorts of actors then try to exploit that vulnerability with a large number of companies and government departments," she said.

Under questioning from ALP Senate leader Penny Wong, Noble was not concerned by the delay within Defence between being notified of the issue on January 24 and taking the database offline a week later.

"We see this all the time for organisations, a week or so to understand what's really happened on their network and get to the detail," Noble said.

"I think in this instance, on the second of February, the decision by Defence with its contractor was taken through an abundance of caution."

For an agency shrouded by secrecy, the ASD was more forthcoming than Defence department officials at the Estimates table, who admitted the database was full of personal information such as health information, medical exams, and psychological information.

"This particular network that we are talking about here for the Defence Force recruiting is an external network, not part of the Defence network," Defence CIO Stephen Pearson said.

Pearson said he was unaware if DXC, ManpowerGroup's service provider, ever applied the patches issued by Citrix on January 20.

"I do not know that date they applied their patch," he said.

Noble told Estimates earlier that since July 1 of last year, ASD has received on average five incident reports a day, and one cyber crime report every 10 minutes.
