Citrix Hackers Camped in Tech Giant's Network for 6 Months
FBI Tipoff Led to Discovery; Citrix Blames Poor Password Security
Citrix says the data breach it first disclosed in early March appears to have persisted for six months before being discovered. The company believes it has now expelled any hackers from its network.
The technology giant, which is based in Fort Lauderdale, Florida, was alerted to the suspected intrusion on March 6 by the FBI and then launched an investigation, which is ongoing (see: Citrix Hacked by Password-Spraying Attackers, FBI Warns).
"Through an extensive investigation into the cyber intrusion announced in early March, Citrix and its outside forensic experts have discovered that international cybercriminals accessed files containing personal information related to some employees," a spokeswoman tells Information Security Media Group.
"Though our investigation remains ongoing, we are notifying all potentially impacted individuals out of an abundance of caution, and providing these individuals with credit monitoring and fraud protection services free of charge where possible," she says. "Importantly, there continues to be no indication that the security of any Citrix product or service was compromised or exploited by the criminals."
Citrix on Monday submitted a data breach notification to the California attorney general's office, as TechCrunch first reported. Such notifications are required by law in all 50 states for many types of breaches that result in residents' personal details being exposed.
"We currently believe that the cybercriminals had intermittent access to our network between Oct. 13, 2018, and March 8, 2019, and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents," Citrix says in its breach notification.
Stolen information may have included names, Social Security numbers, financial information and employment details.
"Out of an abundance of caution, we are providing this letter to current and former employees of Citrix to alert them of this incident," it adds. "We will notify you if your beneficiaries or dependents were impacted."
Citrix declined to comment on how many individuals were receiving breach notifications, and whether these notifications are also being submitted to potential victims in Europe and beyond.
In the breach notification, the company says it will offer one year of prepaid enrollment in Equifax ID Patrol, which it describes as being a "credit monitoring, dark web monitoring and identity restoration service."
Attackers having access to Citrix's network for six months is not unusual. FireEye's Mandiant 2019 M-Trends report found that for breaches an organization discovered itself in 2018, the median dwell time - the time attackers had been inside the network before discovery - was 50.5 days. But when an organization was tipped off to the breach by an external source, as Citrix was, the median dwell time was 184 days, or just over six months (see: Hackers Love to Strike on Saturday).
Citrix says it believes it has now expelled attackers from its network. It says there are no indications that attackers accessed or altered source code or firmware for its products or services.
"In the weeks following the discovery of the incident, Citrix and its outside security experts introduced measures to expel the cybercriminals from its systems," the company says. "We are monitoring for signs of further activity, but importantly have found no indication that the security of any Citrix product or service was compromised."
Citrix says it's also been making unspecified improvements meant to block such attacks. "We have taken steps to address issues that could have contributed to this situation, and we are investing in resources and technology to improve our internal security going forward," it says.
The company declined to detail specific changes it's making.
Password Security Problems
But poor password security appears to have been at least part of the problem (see: Why Are We *Still* So Stupid About Passwords?).
In a March 8 blog post, Stan Black, CSIO of Citrix, reported that the FBI informed it that attackers appeared to have used password spraying to gain "a foothold with limited access." After that, "they worked to circumvent additional layers of security," he said.
Security experts generally define password spraying as trying a short list of commonly used passwords against many accounts, keeping the number of attempts per account low enough to avoid triggering lockouts or detection. Credential stuffing, meanwhile, commonly refers to trying username/email and password combinations leaked in previous breaches at other sites and services.
"Slowly testing against many user accounts, from a variety of source networks, these attacks are hard to identify since many do not trigger threshold alarms," Hector Lima, a Citrix vice president, says in a blog post.
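As an added illustration (not code from Citrix, the FBI or ISMG), the following Python models the detection gap Lima describes: a classic per-account failure counter catches a burst against a single account but not a spray spread thinly across many accounts and several source networks, whereas a window-wide count of distinct accounts that each fail only once or twice does. The log line format, the thresholds and the sample log are constructed for the example and are not taken from any real system.

```python
"""Password-spray detection over authentication failure records.

Added example; the line format, thresholds and sample data are assumptions.
Assumed line format: "<ISO-8601 UTC timestamp> <FAIL|OK> <username> <source IP>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), result, user, src


def account_lockout_alerts(events, threshold=5):
    """Classic per-account counter: fires when one account fails >= threshold times."""
    failures = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def max_accounts_per_source(events):
    """Largest number of distinct accounts failing from any single source IP.
    A per-source threshold is what a spray rotated across networks is built to evade."""
    users_by_src = defaultdict(set)
    for _, result, user, src in events:
        if result == "FAIL":
            users_by_src[src].add(user)
    return max((len(s) for s in users_by_src.values()), default=0)


def spray_alerts(events, window=timedelta(hours=1), min_accounts=15, max_per_account=2):
    """Spray signature: within one window, many distinct accounts each fail only a few times.
    Counted across all sources, because sprays are deliberately spread over many of them.
    Returns the first triggering window as (window start, distinct low-count accounts)."""
    fails = sorted((ts, user) for ts, r, user, _ in events if r == "FAIL")
    for i, (start, _) in enumerate(fails):
        per_user = defaultdict(int)
        for ts, user in fails[i:]:
            if ts - start > window:
                break
            per_user[user] += 1
        low_and_slow = [u for u, n in per_user.items() if n <= max_per_account]
        if len(low_and_slow) >= min_accounts:
            return [(start.strftime(TS_FMT), len(low_and_slow))]
    return []


def constructed_log():
    """Constructed sample: a spray over 24 accounts rotated across three source networks
    (one guess per account, one guess every two minutes), plus a six-attempt burst
    against a single account and one successful login as noise."""
    base = datetime(2018, 10, 13, 2, 0, 0, tzinfo=timezone.utc)
    sources = ["203.0.113.10", "198.51.100.23", "192.0.2.77"]  # documentation ranges
    lines = []
    for i in range(24):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts:{TS_FMT}} FAIL user{i:02d} {sources[i % 3]}")
    for j in range(6):
        ts = base + timedelta(minutes=10, seconds=j)
        lines.append(f"{ts:{TS_FMT}} FAIL carol 198.51.100.7")
    lines.append(f"{base + timedelta(minutes=5):{TS_FMT}} OK dave 192.0.2.5")
    return lines


def analyze(lines=None):
    events = [parse_line(line) for line in (lines if lines is not None else constructed_log())]
    return {
        "lockout": account_lockout_alerts(events),          # catches only the burst ("carol")
        "max_accounts_per_source": max_accounts_per_source(events),  # 8: under a per-source threshold
        "spray": spray_alerts(events),                       # catches the 24-account spray
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the constructed log the lockout counter flags only the single-account burst, each source network sees just eight failing accounts, and only the window-wide distinct-account count surfaces the spray. A production rule would additionally key on the authentication endpoint and tune the window and account thresholds to the organization's normal failure rate.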
Citrix says password spraying still appears to be how it was initially breached. To block repeat attacks, "we've performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols," Eric Armstrong, vice president of corporate communications, said in an April 4 blog post.
Separate From Cyber Espionage Breach
In March, Citrix told ISMG that the breach does not appear to be connected to another hack-attack campaign that the company first disclosed on Feb. 15, in a form 10-K filing to the U.S. Securities and Exchange Commission.
"In late 2018, our file sync and sharing service was the target of a 'credential stuffing' attack, in which we believe that malicious third-party actors used credentials obtained from breaches unrelated to any Citrix service to attempt to gain access to individual Citrix Content Collaboration customer accounts," the Feb. 15 filing reads.
Cybersecurity and intelligence firm Resecurity in Los Angeles has said that Citrix was hit as part of a hacking campaign that it believes is being run by Iridium, which is its name for an advanced persistent threat group apparently operating from Iran. Resecurity says the cyber-espionage attack campaign has targeted more than 200 organizations, ranging from technology firms such as Cisco, to government agencies, defense contractors, financial services firms and oil and gas firms.
Citrix reported 2018 annual revenue of $3 billion. The company says its server, application and desktop virtualization, networking, software-as-a-service and cloud technologies are used by more than 400,000 organizations worldwide.
One question the company now faces is how an organization of its size - one that sells networking equipment with multifactor authentication capabilities, which prevents attackers from making use of credentials obtained through credential stuffing or password spraying - fell victim to attacks that might have been easily blocked.