Over the weekend, it has emerged that Citrix has been hit by hackers in attacks that potentially exposed large amounts of customer data.
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network.
The firm says in a statement that it has taken action to contain the incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CISO.
According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM, which has hit more than 200 government agencies, oil and gas firms and technology companies.
The firm said it first reached out to Citrix on December 28, 2018 to share an early warning notification about a targeted attack and data breach.
“Based on the timing and further dynamics, the attack was planned and organized specifically during the Christmas period,” Resecurity says in a blog.
“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures allowing them to conduct a targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
Resecurity says the group uses proprietary techniques to bypass 2FA authorization for critical applications and services, gaining further unauthorized access to virtual private network channels and single sign-on.
Reportedly, the attackers exploited weak passwords to gain limited access initially, after which they acquired privileged rights on the system.
The firm has warned its customers about the breach and possible exposure of corporate secrets.
Separately, the FBI, which knew about the attack before Citrix did, revealed that the hackers had used password spraying, a technique that specifically exploits weak passwords, to access the company’s network.
Citrix offers its virtualization software to the US military, businesses, and US government institutions. Over 400,000 businesses, including most of the Fortune 500, use products developed by Citrix.
The company was informed by the FBI on March 6 that its IT systems had been breached by cybercriminals and that a significant amount of data, including business documents, had been stolen. Immediately after the news of the data breach broke, the company’s shares fell 3 percent to $99.77.
In response to the news, Citrix said on Friday that it does not yet know which documents were accessed or stolen, and that there is no indication that the security of any of its products or services was compromised during the attack.
According to the official statement released by Citrix, the company is already trying to “contain this incident.”
“We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” Citrix noted.
“The incident has been identified as a part of a sophisticated cyber espionage campaign supported by a nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy,” Resecurity researchers explained.