Citrix Hackers Camped in Tech Giant's Network for 6 Months

FBI Tipoff Led to Discovery; Citrix Blames Poor Password Security

Citrix says the data breach it first disclosed in early March appears to have persisted for six months before being discovered. The company believes it has now expelled any hackers from its network.

The technology giant, which is based in Fort Lauderdale, Florida, was alerted to the suspected intrusion on March 6 by the FBI and then launched an investigation, which is ongoing (see: Citrix Hacked by Password-Spraying Attackers, FBI Warns).

"Through an extensive investigation into the cyber intrusion announced in early March, Citrix and its outside forensic experts have discovered that international cybercriminals accessed files containing personal information related to some employees," a spokeswoman tells Information Security Media Group.

"Though our investigation remains ongoing, we are notifying all potentially impacted individuals out of an abundance of caution, and providing these individuals with credit monitoring and fraud protection services free of charge where possible," she says. "Importantly, there continues to be no indication that the security of any Citrix product or service was compromised or exploited by the criminals."

Citrix on Monday submitted a data breach notification to the California attorney general's office, as TechCrunch first reported. Such notifications are required by law in all 50 states for many types of breaches that result in residents' personal details being exposed.

Citrix's data breach notification, submitted to California on April 29

"We currently believe that the cybercriminals had intermittent access to our network between Oct. 13, 2018, and March 8, 2019, and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents," Citrix says in its breach notification.

Stolen information may have included names, Social Security numbers, financial information and employment details.

"Out of an abundance of caution, we are providing this letter to current and former employees of Citrix to alert them of this incident," it adds. "We will notify you if your beneficiaries or dependents were impacted."

Citrix declined to comment on how many individuals were receiving breach notifications, and whether these notifications are also being submitted to potential victims in Europe and beyond.

In the breach notification, the company says it will offer one year of prepaid enrollment in Equifax ID Patrol, which it describes as being a "credit monitoring, dark web monitoring and identity restoration service."

Investigation Continues

Attackers having access to Citrix's network for six months is not unusual. FireEye's Mandiant 2019 M-Trends report found that for breaches that an organization self-discovered in 2018, attackers had been inside the network for an average of 50.5 days. But when an organization was tipped off to the breach from an external source, as Citrix was, attackers had already been inside the network for an average of 184 days, or just over six months (see: Hackers Love to Strike on Saturday).

Citrix says it believes it has now expelled attackers from its network. It says there are no indications that attackers accessed or altered source code or firmware for its products or services.

"In the weeks following the discovery of the incident, Citrix and its outside security experts introduced measures to expel the cybercriminals from its systems," the company says. "We are monitoring for signs of further activity, but importantly have found no indication that the security of any Citrix product or service was compromised."

Improvements Promised

Citrix says it's also been making unspecified improvements meant to block such attacks. "We have taken steps to address issues that could have contributed to this situation, and we are investing in resources and technology to improve our internal security going forward," it says.

The company declined to detail specific changes it's making.

Password Security Problems

But poor password security appears to have been at least part of the problem (see: Why Are We *Still* So Stupid About Passwords?).

In a March 8 blog post, Stan Black, CSIO of Citrix, reported that the FBI informed it that attackers appeared to have used password spraying to gain "a foothold with limited access." After that, "they worked to circumvent additional layers of security," he said.

Security experts generally define password spraying as trying a small number of commonly used passwords against many accounts, which keeps the number of failures per account low enough to avoid lockouts and threshold-based alerts. Credential stuffing, by contrast, means replaying username/email and password pairs leaked in previous breaches at other sites and services.

"Slowly testing against many user accounts, from a variety of source networks, these attacks are hard to identify since many do not trigger threshold alarms," Hector Lima, a Citrix vice president, says in a blog post.
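To make Lima's point concrete, here is an added detection example over a constructed authentication log; it is not Citrix's code, and Citrix has published neither its log format nor its detection rules. The line format, account names, source addresses and timing are all assumptions built for the demo. It contrasts the classic per-account failure threshold (which a spray stays under by design) with two rules that key on what spraying actually looks like: many distinct accounts failing inside one window, and a success from a source that has just failed against other people's accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (assumed format, not real Citrix data).
# Four attacker sources rotate through twelve accounts, one failure each,
# spread over an hour; alice also mistypes her own password twice.
ATTACKER_SRCS = ["203.0.113.10", "203.0.113.20", "198.51.100.7", "192.0.2.99"]
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank",
            "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _build_sample_log():
    start = datetime(2018, 10, 13, 2, 0, tzinfo=timezone.utc)
    lines = []
    for i, user in enumerate(ACCOUNTS):
        ts = start + timedelta(minutes=5 * i)
        src = ATTACKER_SRCS[i % len(ATTACKER_SRCS)]
        lines.append(f"{ts:{FMT}} FAIL user={user} src={src}")
    # Benign noise: alice fails twice from her own workstation, then succeeds.
    for minute, result in ((1, "FAIL"), (2, "FAIL"), (3, "SUCCESS")):
        lines.append(f"{start + timedelta(minutes=minute):{FMT}} {result} user=alice src=10.0.0.5")
    # The sprayed password works for judy: the "foothold with limited access".
    lines.append(f"{start + timedelta(minutes=62):{FMT}} SUCCESS user=judy src=203.0.113.20")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()
LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the assumed '<ts> <FAIL|SUCCESS> user=<u> src=<ip>' lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an auth record
        ts = datetime.strptime(m.group(1), FMT).replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ok": m.group(2) == "SUCCESS",
                       "user": m.group(3), "src": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def lockout_alerts(events, threshold=5, window=timedelta(minutes=15)):
    """Classic per-account rule: N failures for one user inside the window.
    A spray stays under this on purpose: one or two guesses per account."""
    fails = defaultdict(list)
    alerted = set()
    for e in events:
        if e["ok"]:
            continue
        q = fails[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            alerted.add(e["user"])
    return alerted


def spray_alerts(events, min_accounts=10, window=timedelta(hours=1)):
    """Spray rule: many DISTINCT accounts failing inside one window.
    Keyed per source IP it misses a spray spread over several networks;
    keyed across all sources ("*") it catches the pattern. Returns
    {key: peak distinct failing accounts} for every key that crossed the bar."""
    recent = defaultdict(list)  # key -> [(ts, user), ...] within the window
    alerts = {}
    for e in events:
        if e["ok"]:
            continue
        for key in (e["src"], "*"):
            q = recent[key]
            q.append((e["ts"], e["user"]))
            while q and e["ts"] - q[0][0] > window:
                q.pop(0)
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def foothold_alerts(events, window=timedelta(hours=2)):
    """Highest-signal rule: a SUCCESS from a source that recently failed
    against OTHER accounts. A user's own typos from their own machine do
    not trip it. Returns [(user, src, number_of_other_accounts_failed)]."""
    fails_by_src = defaultdict(list)
    hits = []
    for e in events:
        q = fails_by_src[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.pop(0)
        if not e["ok"]:
            q.append((e["ts"], e["user"]))
            continue
        others = {u for _, u in q if u != e["user"]}
        if others:
            hits.append((e["user"], e["src"], len(others)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", lockout_alerts(evs) or "none")   # none: spray stays under 5
    print("spray alerts:", spray_alerts(evs))                        # only the global key fires
    print("footholds:", foothold_alerts(evs))                        # judy from 203.0.113.20
```

Run stand-alone, the per-account rule fires for nobody, the per-source spray rule also fires for nobody because each of the four addresses touched only three accounts, and only the network-wide distinct-account count and the fail-then-succeed correlation surface the intrusion. In a real deployment the window and the `min_accounts` bar should be set from a baseline of normal distinct-account failure rates, and the success correlation should feed a forced step-up or session revocation rather than just a log line.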

Citrix says password spraying still appears to be how it was initially breached. To block repeat attacks, "we've performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols," Eric Armstrong, vice president of corporate communications, said in an April 4 blog post.

Separate From Cyber Espionage Breach

In March, Citrix told ISMG that the breach does not appear to be connected to another hack-attack campaign that the company first disclosed on Feb. 15, in a form 10-K filing to the U.S. Securities and Exchange Commission.

"In late 2018, our file sync and sharing service was the target of a 'credential stuffing' attack, in which we believe that malicious third-party actors used credentials obtained from breaches unrelated to any Citrix service to attempt to gain access to individual Citrix Content Collaboration customer accounts," the Feb. 15 filing reads.

Cybersecurity and intelligence firm Resecurity in Los Angeles has said that Citrix was hit as part of a hacking campaign that it believes is being run by Iridium, which is its name for an advanced persistent threat group apparently operating from Iran. Resecurity says the cyber-espionage attack campaign has targeted more than 200 organizations, ranging from technology firms such as Cisco, to government agencies, defense contractors, financial services firms and oil and gas firms.

Simple Attacks

Citrix reported 2018 annual revenue of $3 billion. The company says its server, application and desktop virtualization, networking, software-as-a-service and cloud technologies are used by more than 400,000 organizations worldwide.

One question the company now faces is how an organization of its size - one that sells networking equipment with multifactor authentication capabilities that would stop a sprayed or stuffed password from being enough on its own to log in - fell victim to attacks that might have been easily blocked.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
