International cybercriminals exploited Citrix internal systems for six months using password spraying technique

On March 8, this year, an American Cloud computing firm, Citrix revealed a data breach occurrence where international cybercriminals gained access to its internal network. The FBI informed the company about this incident on March 6.

Soon after the incident was reported by the FBI, Citrix initiated a forensic investigation while securing their network. Today, the company announced they have concluded the investigation and shared a report of their findings and their future plan of action to improve security.

Post the incident, Eric Armstrong, Citrix’s Vice President of Corporate Communications updated the users on the investigation twice–on April 4 and May 24–before releasing the final report today.

Attackers used ‘Password Spraying’ technique to exploit weak passwords

In both the updates, Armstrong said they have identified password spraying, a technique that exploits weak passwords, to be the likely method used for the data breach. He said the company had also performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols.

Based on the ongoing investigation, Armstrong revealed they have found no evidence that the threat actors discovered or exploited any vulnerabilities within Citrix products or services to gain entry. Also, they found no evidence of compromise of the customer cloud service.

Investigation reveals criminals were lurking for “six months” within Citrix internal system

In their final report, Citrix revealed that the cybercriminals accessed their internal network between October 13, 2018, and March 8, 2019, and stole business documents and files from a company shared network drive, which was used to store current and historical business documents. They also accessed a drive associated with a web-based tool, which was used by Citrix for consulting purposes.

The investigation also speculates that the criminals may have “accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications”, David Henshall, President and CEO, Citrix writes.

“Importantly, we found no compromise or exfiltration beyond what has been previously disclosed,” he further added.

Citrix was also warned by Resecurity before the FBI

When the data breach incident was revealed on March 8, on Citrix’s official website, security firm Resecurity wrote that it had warned Citrix of the data attack on December 28th, 2018.

Resecurity also mentioned that the attack may have been caused by the Iranian group called “IRIDIUM” and also mentioned “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.

On March 6, when the FBI contacted Citrix, “they had reason to believe that international cybercriminals gained access to the internal Citrix network”, Stan Black, Citrix’s chief security and information officer wrote on the blog post.

Henshall says, “The cybercriminals have been expelled from our systems”.

Experts are having a close look at the documents that may have been accessed or stolen during the incident. “We have notified, or shortly will notify, the limited number of customers who may need to consider additional protective steps”, Henshall said.

Along with performing a global password reset and improving internal password management, Citrix has:

  • improved its firewall logging,
  • extended its data exfiltration monitoring capabilities,
  • removed internal access to non-essential web-based services, and
  • disabled non-essential data transfer pathways,

The company has also deployed FireEye’s endpoint agent technology across its systems for continuous monitoring of the system.

Although Resecurity revealed that 6TB data might have been compromised, the company has not shared information on how many users were affected during this breach but they have assured they will notify those who need to take additional protection.

To know more about this news in detail, read Citrix’s official blog post.

Read Next

Getting Started – Understanding Citrix XenDesktop and its Architecture

British Airways set to face a record-breaking fine of £183m by the ICO over customer data breach

US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: