Citrix hackers may have stolen six terabytes worth of files

Three days ago, at the end of last week, Citrix made the kind of announcement that no one wants to make.

“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.”


In a statement posted on the Citrix blog, Chief Information Officer Stan Black admitted that the hackers may have accessed and downloaded some business documents – but it didn’t currently know which specific documents.

Black went on to say that no indication had been discovered that the security of any Citrix services or products had been compromised in the breach.

And how had the breach occurred? Citrix said it hadn’t confirmed the mechanisms used by the attackers yet, but that the FBI suspected that the hackers had used a technique known as “password spraying”.

Password spraying sees attackers throw a relatively small number of common passwords at a large number of accounts. The theory is that given enough users, someone is likely to have made the mistake of using one of the common passwords.

Such tactics can sidestep some of the defences (such as per-account lockout and rate-limiting) that organisations put in place to stop an attacker brute-forcing a specific account by throwing a large number of passwords at it: in a spray, each individual account only ever sees a handful of failed logins, so the per-account threshold is never reached.
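The following Python script is an added example, not code from the original article and not Citrix's or Resecurity's tooling. It shows the two sides of the point above: a per-account lockout counter never fires against a spray, while a source-side detector (how many distinct accounts fail from one origin inside a window) does. The log format, IP addresses, account names, window and thresholds are all constructed for the illustration.

```python
"""Password-spray detection over authentication-failure logs (added example).

Per-account lockout (e.g. 5 failures in 10 minutes) is blind to an attacker
who tries one or two passwords against many accounts, because every account
sees only a couple of failures. Pivoting on the source instead (distinct
accounts failing from one origin in a window) catches the spray.
Log format, addresses, names and thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_sample_log():
    """Constructed sample log lines (not real data). Three actors:
    - 203.0.113.7 sprays two passwords across twelve accounts
      (two failures per account, below a lockout threshold of five);
    - 198.51.100.9 brute-forces a single account with eight attempts;
    - 192.0.2.5 is a legitimate user mistyping a password twice.
    Assumed line format: "<ISO timestamp> auth_fail user=<name> src=<ip>".
    """
    t0 = datetime(2019, 3, 1, 2, 0, 0)
    lines, n = [], 0
    users = [f"user{i:02d}" for i in range(12)]
    for _password_round in range(2):          # one candidate password per round
        for u in users:
            ts = t0 + timedelta(seconds=n)
            n += 1
            lines.append(f"{ts.strftime(LOG_FORMAT)} auth_fail user={u} src=203.0.113.7")
    for i in range(8):                        # classic brute force on one account
        ts = t0 + timedelta(seconds=i * 3)
        lines.append(f"{ts.strftime(LOG_FORMAT)} auth_fail user=dave src=198.51.100.9")
    for i in range(2):                        # benign fat-fingering
        ts = t0 + timedelta(minutes=5, seconds=i * 20)
        lines.append(f"{ts.strftime(LOG_FORMAT)} auth_fail user=erin src=192.0.2.5")
    return lines


def parse_line(line):
    """Return (timestamp, user, src) for an auth_fail line, else None."""
    ts_str, event, user_kv, src_kv = line.split()
    if event != "auth_fail":
        return None
    return (datetime.strptime(ts_str, LOG_FORMAT),
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(lines, window=timedelta(minutes=10), min_accounts=10, lockout_threshold=5):
    """Run two detectors over the log with a sliding time window.

    - locked_accounts: what a per-account lockout rule would catch
      (user -> peak failures in one window);
    - spray_sources: sources that failed against >= min_accounts distinct
      accounts inside one window (src -> peak distinct accounts);
    - spray_per_account: for each flagged source, the most failures it
      caused against any single account (why lockout alone misses it).
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    per_src = defaultdict(deque)      # src  -> recent (ts, user)
    per_user = defaultdict(deque)     # user -> recent ts
    spray, lockout = {}, {}
    for ts, user, src in events:
        q = per_src[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_accounts:
            spray[src] = max(spray.get(src, 0), distinct)

        uq = per_user[user]
        uq.append(ts)
        while ts - uq[0] > window:
            uq.popleft()
        if len(uq) >= lockout_threshold:
            lockout[user] = max(lockout.get(user, 0), len(uq))

    by_src_user = defaultdict(int)
    for _, user, src in events:
        by_src_user[(src, user)] += 1
    spray_per_account = {
        s: max(c for (src, _), c in by_src_user.items() if src == s) for s in spray
    }
    return {"spray_sources": spray, "locked_accounts": lockout,
            "spray_per_account": spray_per_account}


if __name__ == "__main__":
    for key, value in detect(make_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed log the lockout rule only ever sees the brute-forced account, while the spraying source is flagged on distinct accounts even though it never caused more than two failures against any one of them. In production the source key is usually weaker than a single IP (sprays are routinely spread across proxies), so the same logic is often keyed on ASN, user-agent or authentication endpoint as well.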

Once a hacker has managed to gain limited access to an organisation’s infrastructure, they can then begin to use that as a foothold to try to dig deeper into the company’s network.

In its statement Citrix doesn’t name who it believes is responsible for the hack, preferring to label them as “international cyber criminals.” It’s perfectly possible, of course, that the company simply doesn’t have a clue as to who might have broken into its systems.

An NBC News report, however, has repeated claims by security firm Resecurity that an Iranian-linked hacking gang known as Iridium was responsible for the attack.

Resecurity says it first alerted Citrix back on December 28, 2018 that it was being targeted by the Iridium group – a gang that is being blamed for attacks against hundreds of government agencies, oil and gas companies, as well as technology firms.

Clearly that wasn’t enough to stop the problem if Citrix had to be alerted by the FBI to continuing concerns last week.

Other recent victims of the Iridium group include the Australian parliament.

If Resecurity is to be believed, the Iridium hacking gang accessed “at least six terabytes of sensitive [data] stored in the Citrix enterprise network, including email correspondence, files in network shares, and other services used for project management and procurement.”

There is no mention made on Citrix’s blog as to whether multi-factor authentication was enforced on user accounts, which might have provided an additional hurdle for any wannabe hacker. However, Resecurity’s researchers note that Iridium has “proprietary techniques allowing [it] to bypass 2FA authorisation.”

Citrix is declining to comment further about the incident, or Resecurity’s claims, preferring at the moment to point customers to its blog post instead.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.
