Three days ago, at the end of last week, Citrix made the kind of announcement that no company wants to make.
“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.”
In a statement posted on the Citrix blog, Chief Security Information Officer Stan Black admitted that the hackers may have accessed and downloaded some business documents – but it didn’t currently know which specific documents.
Black went on to say that no indication had been discovered that the security of any Citrix services or products had been compromised by the security breach.
And how had the breach occurred? Citrix said it hadn’t confirmed the mechanisms used by the attackers yet, but that the FBI suspected that the hackers had used a technique known as “password spraying”.
Password spraying sees attackers throw a relatively small number of common passwords at a large number of accounts. The theory is that given enough users, someone is likely to have made the mistake of using one of the common passwords.
Such tactics can be successful at sidestepping some of the mechanisms (such as rate-limiting) organisations put in place to deter hackers from trying to brute force their way into a specific account by throwing a large number of passwords at it.
Once a hacker has managed to gain limited access to an organisation’s infrastructure, they can then begin to use that as a foothold to try to dig deeper into the company’s network.
In its statement Citrix doesn’t name who it believes is responsible for the hack, preferring to label them as “international cyber criminals.” It’s perfectly possible, of course, that the company simply doesn’t have a clue as to who might have broken into its systems.
Resecurity says it first alerted Citrix way back on December 28 2018 that it was being targeted by the Iridium group – a gang that is being blamed for attacks against hundreds of government agencies, oil and gas companies, as well as technology firms.
Clearly that wasn’t enough to stop the problem if Citrix had to be alerted by the FBI to continuing concerns last week.
Other recent victims of the Iridium group include the Australian parliament.
If Resecurity is to be believed, the Iridium hacking gang accessed “at least six terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares, and other services used for project management and procurement.”
There is no mention made on Citrix’s blog as to whether multi-factor authentication was enforced on user accounts, which might have provided an additional hurdle for any wannabe hacker. However, Resecurity’s researchers note that Iridium has “proprietary techniques allowing [it] to bypass 2FA authorisation.”
Citrix is declining to comment further about the incident, or Resecurity’s claims, preferring at the moment to point customers to its blog post instead.