Why The Citrix Breach Matters — And What To Do Next
Over the weekend it emerged that Citrix has been hit by hackers in attacks that potentially exposed large amounts of customer data.
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CSIO.
According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM, which has hit more than 200 government agencies, oil and gas firms and technology companies. The firm said it first reached out to Citrix on December 28, 2018 to share an early warning notification about a targeted attack and data breach. “Based on the timing and further dynamics, the attack was planned and organized specifically during the Christmas period,” Resecurity says in a blog.
“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures allowing them to conduct a targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
Resecurity says the group uses proprietary techniques to bypass 2FA authorization for critical applications and services, gaining further unauthorized access to virtual private network channels and single sign-on.