On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network.
According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March and has since established that attackers had taken “business documents” during the incident:
The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.
No mention of when the attackers gained access, nor how long they had remained inside. As to how they got into the network of a company estimated to manage the VPN access of 400,000 large global organisations:
While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.
If you’re a customer of Citrix, apart from the lack of detail, two aspects of the statement will have unsettled you: the idea that attackers could bypass “additional layers of security” at a major tech company and the fact that the company didn’t know about the compromise until the FBI contacted it.
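The password-spraying tactic the FBI describes is worth seeing from the defender's side. The following is an added example, not code from the article or from Citrix, and the log format and sample lines are constructed: it flags a source that fails against many distinct accounts within a short window, which a per-account lockout threshold never catches, and then lists any account that subsequently authenticated from that source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample gateway log (not real Citrix data): one source tries a
# password once against many accounts, then logs into one of them.
SAMPLE_LOG = """\
2019-03-06T02:00:01Z gw auth=FAIL user=alice src=203.0.113.7
2019-03-06T02:00:03Z gw auth=FAIL user=bob src=203.0.113.7
2019-03-06T02:00:05Z gw auth=FAIL user=carol src=203.0.113.7
2019-03-06T02:00:07Z gw auth=FAIL user=dave src=203.0.113.7
2019-03-06T02:00:09Z gw auth=FAIL user=erin src=203.0.113.7
2019-03-06T02:00:11Z gw auth=OK user=frank src=203.0.113.7
2019-03-06T02:05:00Z gw auth=FAIL user=alice src=198.51.100.9
2019-03-06T02:05:02Z gw auth=FAIL user=alice src=198.51.100.9
2019-03-06T02:05:04Z gw auth=OK user=alice src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) \S+ auth=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples for well-formed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map src -> peak count of distinct accounts it failed against in any
    sliding window. Spraying spreads failures thinly, so count per source."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, items in fails.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = len({u for _, u in items[lo:hi + 1]})
            if distinct >= min_users:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts

def footholds(events, alerts):
    """Accounts that later authenticated successfully from a spraying source."""
    return sorted({u for _, r, u, s in events if r == "OK" and s in alerts})
```

Tune `window` and `min_users` to the gateway's normal traffic; a VPN or SSO front end with many users will need a higher threshold than the sample.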
Enter Resecurity
And there the story might have paused for a few days had a little-known company called Resecurity not made its own claims about what happened to Citrix.
In a blog post, it said that the attack by an Iranian group called Iridium had stolen “at least” 6TB of sensitive data from Citrix, including emails and files.
On 28 December, Resecurity had given Citrix early warning that a breach had happened, planned and organised to coincide with the Christmas period.
Citrix was only one of 200 government agencies, oil, gas and tech companies targeted during the Iridium campaign, the blog said.
Separately, NBC News said it had spoken to Resecurity’s president, Charles Yoo, who told it that the attackers had gained access to Citrix’s network via multiple compromised employee accounts:
So it’s a pretty deep intrusion, with multiple employee compromises and remote access to internal resources.
What does this mean?
So far, Resecurity’s claims haven’t been confirmed, which means they should be treated with some caution until more details are released. It might (or might not) be significant that, so far, Citrix hasn’t denied them.
For Citrix customers, and the wider industry, the importance of this story is in the detail. For example, Resecurity claims the attackers found ways to bypass two-factor authentication (2FA) for “critical applications and services for further unauthorized access to VPN (Virtual Private Networks) channels and SSO (Single Sign-On).”
If accurate, how serious this is will depend on what type of 2FA is being talked about. If it’s OTP codes sent via SMS or generated by an app, that would fit with a number of compromises of this type of authentication reported in recent months.
MrNoBody
Citrix uses Symantec VIP for 2 Step Authentication and Okta for SSO.
Gene A. Miller, Jr.
12/3/18 ShareFile, which is owned by Citrix, forced a complete password reset for all users without explaining to users the issue and without letting admins of accounts know well in advance when changes would be applied. It was the next day. I had my suspicions.
Email:
“Dear ShareFile Administrator,
We are proactively implementing new authentication methods to reduce risk to user accounts. We are reaching out to let you know that we are requiring a password reset for all non-SSO Citrix ShareFile (aka Citrix Content Collaboration) accounts. Upon logging into ShareFile, users will be required to change their password. They will receive an email providing a link to reset their password. If they cannot find that email, they can request the email again by clicking on the Forgot Password link from the login page. For help resetting passwords, visit the support page.
If you have disabled the ability for users to reset their passwords, their current password is no longer valid and you will need to reset your end users’ password.
We strongly recommend the use of unique and complex passwords, as well as multi-factor authentication. Users can find more information on managing their access at the following links: password management, multi-factor authentication, and security settings.
We continue to take steps to help you use our solutions securely and hope this information is useful to you. If you have any questions regarding this issue, please contact us at [URL removed] or call [Number removed].
Sincerely,
The Citrix ShareFile and Content Collaboration Team”