FBI tips off Citrix that attacker has infiltrated and stolen data

News by Rene Millman

Software firm Citrix has admitted that its networks were accessed by hackers and data exfiltrated after the company received a tip-off from the FBI.

In a blog post, the company confirmed that the FBI advised it of the intrusion.

"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised," it said in a statement.

Citrix added that, while not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying: rather than hammering one account with many guesses, the attacker tries a small set of common passwords against a large number of accounts, staying below lockout thresholds and relying on at least one user having a weak password. "Once they gained a foothold with limited access, they worked to circumvent additional layers of security," read the statement.
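The low-and-slow pattern described above is what makes spraying visible in authentication logs: one source touching many distinct accounts with only a failure or two each, followed by a success. The following detector is an added example written for this article, not tooling from Citrix, the FBI or Resecurity; the log format, the sample events (constructed, using documentation IP ranges) and the thresholds are all assumptions.

```python
"""Detect password spraying in authentication logs and list resulting footholds.

Added example, not code from the article or from Citrix. The heuristic: a single
source that fails against many distinct accounts inside a short window, with few
failures per account (per-account brute force would show the opposite shape).
Log format, thresholds and sample data are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 is a legitimate user mistyping a password;
# 198.51.100.7 sprays one guess across five accounts and then lands on "frank".
SAMPLE_LOG = """\
2019-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAILURE
2019-03-01T09:00:09Z src=203.0.113.5 user=alice result=FAILURE
2019-03-01T09:00:20Z src=203.0.113.5 user=alice result=FAILURE
2019-03-01T09:00:41Z src=203.0.113.5 user=alice result=SUCCESS
2019-03-01T09:10:00Z src=198.51.100.7 user=alice result=FAILURE
2019-03-01T09:10:31Z src=198.51.100.7 user=bob result=FAILURE
2019-03-01T09:11:02Z src=198.51.100.7 user=carol result=FAILURE
2019-03-01T09:11:33Z src=198.51.100.7 user=dave result=FAILURE
2019-03-01T09:12:04Z src=198.51.100.7 user=erin result=FAILURE
2019-03-01T09:12:35Z src=198.51.100.7 user=frank result=SUCCESS
2019-03-01T09:30:00Z src=203.0.113.9 user=bob result=FAILURE
"""


def parse(log_text):
    """Parse 'timestamp key=value ...' lines into (ts, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["src"], kv["user"], kv["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Return {source: sorted targeted accounts} for sources whose failures in any
    `window` cover at least `min_accounts` distinct users with no single user
    failing more than `max_per_account` times (the spraying signature).
    Thresholds are illustrative assumptions; tune them to your lockout policy."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAILURE":
            failures[src].append((ts, user))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        targeted = set()
        for i, (start, _) in enumerate(attempts):
            # All failures from this source within `window` of attempt i.
            in_window = [user for ts, user in attempts[i:] if ts - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                targeted.update(per_user)
        if targeted:
            flagged[src] = sorted(targeted)
    return flagged


def footholds(events, flagged):
    """Successful logons from a flagged source: the 'limited access' foothold,
    and the accounts whose credentials should be reset first."""
    return sorted({(src, user) for _, src, user, result in events
                   if result == "SUCCESS" and src in flagged})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect_spray(evs)
    print("spraying sources:", hits)
    print("footholds:", footholds(evs, hits))
```

Note what the legitimate user at 203.0.113.5 does not trigger: three failures against a single account is a typo pattern, not a spray, because the distinct-account count stays at one. Real deployments should key on the authenticating system's own fields (for example the source address and target account in Windows logon-failure events or VPN/SSO audit logs) and should alert on the spray itself, before the first success.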

Citrix said that it "deeply regrets the impact this incident may have on affected customers".

"Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities," a statement read.

According to security researchers at Resecurity, the hack was part of an Iranian-backed campaign carried out by hacking group Iridium. The group has hit more than 200 government agencies, oil and gas companies and technology companies.

"Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement," said researchers in a blog post.

Researchers said that the tools used by Iridium included proprietary techniques for bypassing 2FA authorisation on critical applications and services, giving the group further unauthorised access to VPN (Virtual Private Network) channels and SSO (Single Sign-On).

Ojas Rege, chief strategy officer at MobileIron, told SC Media UK that if the FBI is correct and the source of the breach was password spraying, then it is another sign that, as an industry, there must be a focus on addressing the root cause of most data breaches: "the inherent weakness of the password as our central means of enterprise authentication".

"Forcing end users to make all their passwords substantially stronger will not solve this problem. At best, they will continuously forget their passwords and create an ongoing support burden. More likely, they will rebel and force IT to roll back the security strategy ... or start using unauthorised cloud services that are easier to access and beyond IT's control," he said.

Guy Bunker, CTO at Clearswift, told SC Media UK that what the hackers were looking for will depend on who is paying the cyber-attackers.

"It could be internal design documents, customer lists (which if you are a security supplier, would be useful in attacks further down the supply chain), or notes from meetings. It could be M&A targets or employee lists… organisations have a huge amount of confidential information – and many don’t realise just how confidential it is.

Comprehensive data loss prevention solutions need to cover all confidential information to mitigate the risk, and while they might start with 'the obvious', the other information should not be ignored as it can create far-reaching consequences," he said.
