On Friday, March 8, 2019, the software company Citrix issued a brief statement admitting that hackers had recently managed to breach its internal network.
According to the statement made by the Chief Information Security Officer, Stan Black, Citrix was informed of the attack by the FBI on March 6, 2019, which established that international cyber criminals (known collectively as IRIDIUM) had gained access to the internal Citrix network. Although it was established that “business documents” had been taken, the specific documents that may have been accessed are currently unknown.
At the present time, Citrix is standing by its products and services, as there is (currently) no indication that the security of those products has been compromised.
When did it happen? And how?
As of this time, there is no mention of when the attackers gained access, nor how long they maintained it. The FBI has advised that the hackers likely used a tactic commonly known as password spraying, a technique that takes advantage of weak passwords. Once the attackers managed to get their foot in the door with limited access, they worked to bypass multiple layers of controls.
Password spraying involves attempting to log in with only one (strategically chosen) password across all of the domain accounts. Because each account receives only a single attempt per password, this allows an attacker to make many more authentication attempts without locking out any one user.
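As an added illustration (not code from the original article), a small Python detector for the pattern just described, run over constructed authentication log lines in an assumed format: one source failing against many distinct accounts, with only a failure or two per account.

```python
"""Detect the password-spraying pattern described above in authentication logs.
A spray tries one password against many accounts, so each account sees only a
failure or two (below lockout) while one source fails against many distinct
accounts in a short window. The log format below is assumed/constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <source ip> <account> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2019-03-01T09:00:01 203.0.113.7 alice FAILURE
2019-03-01T09:00:02 203.0.113.7 bob FAILURE
2019-03-01T09:00:03 203.0.113.7 carol FAILURE
2019-03-01T09:00:04 203.0.113.7 dave FAILURE
2019-03-01T09:00:05 203.0.113.7 erin FAILURE
2019-03-01T09:00:06 203.0.113.7 frank SUCCESS
2019-03-01T09:05:00 198.51.100.4 alice FAILURE
2019-03-01T09:05:10 198.51.100.4 alice FAILURE
2019-03-01T09:05:20 198.51.100.4 alice FAILURE
2019-03-01T09:05:30 198.51.100.4 alice SUCCESS
"""

def parse(log):
    """Turn raw lines into (timestamp, source, account, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} for sources whose failures fit the spray shape:
    within `window`, at least `min_accounts` distinct accounts failed, and no single
    account failed more than `max_per_account` times (a brute force of one account
    looks the opposite way: many failures, one account)."""
    per_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAILURE":
            per_src[src].append((ts, user))
    flagged = {}
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
    return flagged
```

The second source in the sample (three failures on one account, then a success) is deliberately not flagged, since it matches a single-account brute force rather than a spray; tune the thresholds to the domain's lockout policy.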
Significance to Citrix Customers
Despite the statement's best efforts to reassure customers, if you are a customer of Citrix it should be unsettling to know that attackers were able to bypass “additional layers of security” at a major tech company, as is the fact that Citrix was not even aware of the breach until the FBI notified them.
Terabytes of compromised data is a colossal amount, and it will take some time for us to understand the impact. For comparison, the source code for Symantec’s pcAnywhere was breached in 2012, and as a result Symantec (oddly enough, also on March 8) immediately issued a warning to customers to stop using its pcAnywhere software. It is difficult to predict the outcome, or even to process terabytes of data, but it will be crucial for Citrix customers to stay informed as the story unfolds.
Was the Citrix Breach preventable?
On December 28, 2018, a lesser-known security firm, Resecurity, had given Citrix and law enforcement an early warning that a breach was planned and organized to take place during the 2018 holiday period.
In a blog post, Resecurity said that the attack, by an Iranian group named Iridium, had stolen at least 6 terabytes (possibly up to 10) of data from Citrix, including sensitive emails and files.
According to Resecurity, Citrix was only one of the 200 government agencies and tech companies targeted during the Iridium campaign. In a separate interview with NBC, Resecurity’s president, Charles Yoo, mentioned that attackers had gained access to Citrix’s network via multiple compromised employee accounts.
To date, Resecurity’s claims have not been confirmed, and as such they should be taken with a grain of salt until more details are collected and released. It’s worth noting, however, that Citrix has neither confirmed nor denied the claims.
Why is this Story Important?
For Citrix customers, the take-home message here is in the details. Resecurity has claimed that the attackers have developed methods to bypass two-factor authentication (2FA). If this is in fact the case, how serious it is will depend on the type of 2FA involved. Details are expected to follow.
For help choosing a penetration testing company, or further clarification of anything else here, please contact us for more information.