Citrix warns of data breach

Citrix warned it was a victim of a cyberattack whereby hackers gained unauthorized access to internal documents. The company is actively cooperating with the FBI and have launched a forensics investigation into the breach.

Citrix provides server, application and desktop virtualization software, networking and cloud computing technologies.

In the press release released last Wednesday, Citrix said the company was contacted on March 6 by FBI officials who believe cyber criminals had gained unauthorized access to the internal network of Citrix.

Although few details were provided by Citrix in the initial release, the company did confirm internal documents were breached. The sensitivity of the documents, however, were not disclosed while the company further investigates the incident.

“Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” said Stan Black, Citrix CISO in a blog post on Friday.

The hackers also likely exploited weak passwords to gain access to the Citrix network.

“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” Citrix added.

Security firm Resecurity also published in blog post that Iranian-linked cyber espionage group IRIDIUM was responsible for the hacking of Citrix. Resecurity said in the post IRIDIUM allegedly stole nearly 6TB of sensitive internal documents over the past Christmas holiday period. The stolen data included “e-mail correspondence, files in network shares and other services used for project management and procurement.”

Nearly a year ago, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a security alert warning of malicious cyber actors were increasingly using a similar style of brute force attack known as password spraying against organizations in the United States and abroad.

According to the US-CERT advisory, attackers use password spray campaigns to typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. The bad actors may target this specific protocol because federated authentication can help mask malicious traffic and then maximize access to intellectual property after successful compromise.

Attackers also try to take advantage of accounts where multi-factor authentication (MFA) has not been enabled.

Organizations should make sure MFA is enabled on SSO and cloud-based applications, as well as enforce good password guidelines (such as strong passwords and not using easy-to-guess passwords).