Bad day for Citrix and its customers.
On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.
Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.
Resecurity is claiming that they discovered the attack and reported it to Citrix (whether they then brought in the FBI is unclear), and they measure the impact as follows:
The incident has been identified as a part of a sophisticated cyberespionage campaign supported by a nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy.
Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.
Author's note: After posting this I learned that Resecurity is a minor security business with no credibility to make these claims, and they are likely false. They have made similar claims before that were debunked (consistently blaming the Iranian state).
Points I noted:
- Attack vector – password spraying (a small set of commonly used passwords tried across many account names, so no single account trips a lockout).
- Citrix failed to detect the attackers' lateral movement within the network.
- Citrix failed to enforce sufficiently strong passwords or deploy other controls to prevent password spraying.
- The attack was timed for the Christmas holiday, when monitoring would be at a low ebb.
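The two detection failures in the list above (the spray itself, and the foothold it produced) are the kind of thing a simple authentication-log check catches. The script below is an added illustration, not code from Citrix or Resecurity; its log format, field names and sample events are constructed for this example, and the thresholds are assumptions to tune against your own identity-provider or VPN logs. It distinguishes a spray (one source, many distinct accounts, few failures each) from classic brute force (one source, one account, many failures), and lists any account that succeeded from a spraying source, since that is where lateral movement would start.

```python
"""Password-spray vs. brute-force detection over authentication log lines.

Added example, not Citrix's or Resecurity's code. The 'ts key=value ...'
log format, the field names and the sample events are all constructed here;
adapt parse_line() to your own IdP / VPN / AD logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 documentation addresses):
#  - 203.0.113.7 sprays one password across many accounts and lands on 'grace'
#  - 198.51.100.9 hammers the single account 'admin'
#  - 192.0.2.44 is a real user who mistypes once, then logs in
SAMPLE_LOGS = """\
2018-12-24T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-12-24T02:00:03Z src=203.0.113.7 user=bob result=FAIL
2018-12-24T02:00:05Z src=203.0.113.7 user=carol result=FAIL
2018-12-24T02:00:07Z src=203.0.113.7 user=dave result=FAIL
2018-12-24T02:00:09Z src=203.0.113.7 user=erin result=FAIL
2018-12-24T02:00:11Z src=203.0.113.7 user=frank result=FAIL
2018-12-24T02:00:13Z src=203.0.113.7 user=grace result=SUCCESS
2018-12-24T02:01:00Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:01:01Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:01:02Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:01:03Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:01:04Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:01:05Z src=198.51.100.9 user=admin result=FAIL
2018-12-24T02:30:00Z src=192.0.2.44 user=heidi result=FAIL
2018-12-24T02:30:20Z src=192.0.2.44 user=heidi result=SUCCESS
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in fields for k in ("src", "user", "result")):
        return None
    fields["ts"] = ts
    return fields


def detect_auth_abuse(lines, window=timedelta(minutes=15),
                      spray_min_accounts=5, brute_min_failures=5):
    """Return {source: finding} for sources that look like spray or brute force.

    Spray: at least `spray_min_accounts` *distinct* accounts failing from one
    source inside a sliding `window` (per-account lockouts never trip).
    Brute force: at least `brute_min_failures` failures against one account.
    Thresholds are assumed defaults for this example.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]

        # Sliding window: largest set of distinct failed accounts within `window`.
        best_accounts, start = set(), 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) > len(best_accounts):
                best_accounts = accounts

        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1

        if len(best_accounts) >= spray_min_accounts:
            # Any success from a spraying source is a probable foothold.
            compromised = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})
            findings[src] = {"kind": "spray",
                             "accounts_tried": len(best_accounts),
                             "successes": compromised}
        elif per_user and max(per_user.values()) >= brute_min_failures:
            user = max(per_user, key=per_user.get)
            findings[src] = {"kind": "brute_force",
                             "account": user,
                             "failures": per_user[user]}
    return findings


if __name__ == "__main__":
    for src, finding in detect_auth_abuse(SAMPLE_LOGS.splitlines()).items():
        print(src, finding)
```

The key design point is counting distinct accounts per source rather than failures per account: a per-account lockout policy sees only one or two failures per user and never fires, which is exactly why spraying works against weak passwords, while the per-source distinct-account count spikes immediately. Pairing that alert with "first success from a source that was just spraying" gives you the account to investigate before lateral movement starts.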
Link: Citrix investigating unauthorized access to internal network | Citrix Blogs – https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
Link: Resecurity | Supply Chain – The Major Target of Cyberespionage Groups – https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/
Link: Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, claims cyber-biz • The Register – https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/