Citrix Hacked by a Cyberespionage Group

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Cloud service, VoIP and remote management software provider Citrix has reportedly been hit by an Iranian-linked hacker group. A little less than a week ago, Citrix posted a notice on their website saying the FBI believed "international cyber criminals gained access to the internal Citrix network." The press release wasn't particularly alarming, as it says that "there is no indication that the security of any Citrix product or service was compromised" even though hackers "may have accessed and downloaded business documents."

However, a separate report from the cyber security firm Resecurity claims that the Iranian hacker group IRIDIUM was behind the attack, and that they had access to "6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement." Even more worryingly, the security firm says they warned Citrix on December 28, 2018, but as far as I can tell, the company hasn't posted a public response until today. Citrix was reportedly the victim of a password spraying attack, where a small pool of commonly used passwords are used to brute force a large number of accounts, and Resecurity seems to think this attack is a small component of a larger campaign.

The Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies including Citrix Systems, Inc... Friday, December 28, 2018 at 10:25 AM - Resecurity reached out to Citrix and shared an early warning notification about a targeted attack and data breach. Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period. The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting against government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy... We forecast a continued growth of targeted cyber-attacks on supply chains of government and large enterprises organized by state-actors and sophisticated cyberespionage groups.

AthlonXP

Fully [H]
Joined
Oct 14, 2001
Messages
20,464
Yeah this occurs right when my company is looking to migrate our Citrix services to their Cloud services.. Trying to decide if we should put a halt to this until we find out what exactly was stolen.

velusip

[H]ard|Gawd
Joined
Jan 24, 2005
Messages
1,579
...The press release wasn't particularly alarming, as it says that "there is no indication that the security of any Citrix product or service was compromised"...
"... any more than it already is."
Joined
Jun 1, 2018
Messages
691
Yeah this occurs right when my company is looking to migrate our Citrix services to their Cloud services.. Trying to decide if we should put a halt to this until we find out what exactly was stolen.

I don't think it matters. The whole point is to offload your services to a 3rd party, mitigating the risk that you might be found liable in a breach... not to actually mitigate the risk of getting hacked. It's a big game. Your job will be safe if your vendor gets hacked; not your problem. Heck, you might even be able to spin the credit memo your company will get as a net gain to your career (just be sure to throw a tantrum in front of your superiors and seem genuinely upset that Citrix failed to protect your customers and has betrayed your trust, maybe shed a tear? Earn your Oscar during that RCA video conference with Citrix).

AthlonXP

Fully [H]
Joined
Oct 14, 2001
Messages
20,464
I like your thinking there.. It's my long term plan anyhow since we are a small IT staff with a lot to manage.

BloodyIron

2[H]4U
Joined
Jul 11, 2005
Messages
3,439
The fact that Citrix Cloud is susceptible to brute forcing called "password spraying" clearly demonstrates security incompetence. If there's an IP or set of IPs that are repeatedly trying a whole lot of (failing) credentials, they should be temp banned at the firewall, and that ban timing should increase in magnitude each time. fail2ban is designed for this very function, and Citrix Cloud not even having something similar in place shows willful negligence. This is rudimentary account security ffs, especially if you're a multi-tenant provider. >:|

Fault lies with Citrix Cloud for sucking at IT.
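Tying together the password-spraying definition from the opening post (one small pool of passwords tried against many accounts) and the fail2ban-style response in the post just above (temp-ban the source, escalate the ban each time): the following is an added Python example, not code from this thread, from Citrix, or from fail2ban. It runs spray detection over a constructed authentication log and computes an escalating ban length. The log format, the 203.0.113.x / 198.51.100.x addresses, the usernames and the thresholds are all assumptions made for the example. The detector keys on distinct accounts per source IP within a time window, because a spray keeps attempts per account low enough that ordinary per-account lockout never fires; it also surfaces any successful login from a flagged source, which is the account to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed "ts EVENT src=IP user=NAME" format).
# 203.0.113.7 sprays one guess across many accounts and then gets a hit on "frank";
# 198.51.100.5 is a real user mistyping her own password twice.
SAMPLE_LOG = """\
2018-12-24T03:00:01Z AUTH_FAIL src=203.0.113.7 user=alice
2018-12-24T03:00:04Z AUTH_FAIL src=203.0.113.7 user=bob
2018-12-24T03:00:09Z AUTH_FAIL src=203.0.113.7 user=carol
2018-12-24T03:00:15Z AUTH_FAIL src=203.0.113.7 user=dave
2018-12-24T03:00:21Z AUTH_FAIL src=203.0.113.7 user=erin
2018-12-24T03:00:27Z AUTH_OK   src=203.0.113.7 user=frank
2018-12-24T03:01:10Z AUTH_FAIL src=198.51.100.5 user=grace
2018-12-24T03:01:25Z AUTH_FAIL src=198.51.100.5 user=grace
2018-12-24T03:01:40Z AUTH_OK   src=198.51.100.5 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>AUTH_\w+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {src_ip: sorted usernames} for sources whose failed logins touched
    at least `min_distinct_users` accounts inside some `window`-long span.

    A spray is few guesses per account across many accounts, so a per-account
    lockout counter never trips; the signal is distinct accounts per source."""
    fails = [r for r in map(parse_line, log_text.splitlines())
             if r and r["event"] == "AUTH_FAIL"]
    fails.sort(key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in fails:
        by_src[r["src"]].append(r)

    flagged = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):  # sliding time window over this source
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_after_spray(log_text, **kwargs):
    """Successful logins from any flagged source: the spray found a weak
    password, so these (src, user) pairs are the accounts to reset first."""
    flagged = detect_spray(log_text, **kwargs)
    return [(r["src"], r["user"]) for r in map(parse_line, log_text.splitlines())
            if r and r["event"] == "AUTH_OK" and r["src"] in flagged]


def ban_duration(strike, base=timedelta(minutes=10), factor=2, cap=timedelta(days=1)):
    """Escalating temp-ban length for the `strike`-th ban of a source:
    base * factor**(strike-1), capped at `cap` (the same idea as fail2ban's
    bantime.increment setting)."""
    if strike < 1:
        raise ValueError("strike must be >= 1")
    return min(base * factor ** (strike - 1), cap)


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src} against {len(users)} accounts: {', '.join(users)}")
    for src, user in successes_after_spray(SAMPLE_LOG):
        print(f"ALERT: successful login for {user} from spraying source {src}")
    for strike in range(1, 6):
        print(f"strike {strike}: ban for {ban_duration(strike)}")
```

Run it as a script to see the sprayer flagged, the real user left alone, and the ban schedule stepping 10, 20, 40, 80, 160 minutes. The window and account thresholds are the knobs a multi-tenant provider would tune per tenant; a shared NAT or VPN egress can legitimately produce many distinct users from one address, which is why the escalating ban starts short rather than permanent.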