Sophos News

Citrix admits attackers breached its network – what we know

On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network.

According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March and has since established that attackers took “business documents” during the incident:

The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.

There is no mention of when the attackers gained access, nor of how long that access lasted. As to how they got into the network of a company estimated to manage the VPN access of 400,000 large global organisations:

While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.

If you’re a Citrix customer, apart from the lack of detail, two aspects of the statement will have unsettled you: the idea that attackers could bypass “additional layers of security” at a major tech company, and the fact that the company didn’t know about the compromise until the FBI contacted it.
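Password spraying, as the statement describes it, tries one or a few common passwords across many accounts rather than many passwords against one account, which is exactly what lets it slip under per-account lockout thresholds. The detector below is an added example written for this article, not code from Citrix, the FBI or Sophos. It runs over a constructed log sample in an assumed line format (`<timestamp> <RESULT> user=<name> src=<ip>`) and flags any source address that fails against many distinct accounts with only a few attempts each, then lists later successful logins from the same source as the probable foothold; the thresholds are illustrative, not a recommended tuning.

```python
"""Flag password-spraying patterns in authentication logs.

Spraying is a per-source signal, not a per-account one: many distinct
usernames failing from one source in a short window, few tries each.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Citrix data). Assumed line format:
# "<ISO-8601 UTC timestamp> <RESULT> user=<name> src=<ip>"
SAMPLE_LOG = """\
2018-12-20T02:00:01Z FAIL user=alice src=203.0.113.7
2018-12-20T02:00:04Z FAIL user=bob src=203.0.113.7
2018-12-20T02:00:07Z FAIL user=carol src=203.0.113.7
2018-12-20T02:00:10Z FAIL user=dave src=203.0.113.7
2018-12-20T02:00:13Z FAIL user=erin src=203.0.113.7
2018-12-20T02:00:16Z FAIL user=frank src=203.0.113.7
2018-12-20T02:00:19Z SUCCESS user=svc-backup src=203.0.113.7
2018-12-20T02:00:22Z FAIL user=grace src=203.0.113.7
2018-12-20T09:15:00Z FAIL user=heidi src=198.51.100.5
2018-12-20T09:15:20Z FAIL user=heidi src=198.51.100.5
2018-12-20T09:15:45Z FAIL user=heidi src=198.51.100.5
2018-12-20T09:16:10Z SUCCESS user=heidi src=198.51.100.5
"""


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on malformed input."""
    ts, result, user_kv, src_kv = line.split()
    if not user_kv.startswith("user=") or not src_kv.startswith("src="):
        raise ValueError(f"unexpected field order: {line!r}")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "SUCCESS",
        "user": user_kv[len("user="):],
        "src": src_kv[len("src="):],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: finding} for sources whose failures look like a spray.

    A source is flagged when, inside one `window`, it fails against at least
    `min_users` distinct accounts with no single account failing more than
    `max_per_user` times. A per-account lockout never trips on that shape,
    which is why the check is keyed on the source instead. Successful logins
    from the same source at or after the spray are reported as footholds.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] fits in it.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            spray_like = (len(per_user) >= min_users
                          and max(per_user.values()) <= max_per_user)
            if spray_like and (best is None or len(per_user) > best["distinct_users"]):
                window_start = fails[start]["ts"]
                best = {
                    "distinct_users": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "window_start": window_start,
                    # Accounts that logged in from this source once the spray began.
                    "footholds": sorted({e["user"] for e in evs
                                         if e["ok"] and e["ts"] >= window_start}),
                }
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {f['distinct_users']} accounts, "
              f"<= {f['max_attempts_per_user']} tries each, "
              f"footholds={f['footholds']}")
```

Note what the two sources in the sample show: the single user failing three times from 198.51.100.5 is a forgotten password (or a brute-force against one account, which lockout handles) and is not flagged, while 203.0.113.7 fails once each against seven accounts and then succeeds as a service account, the “limited access” foothold the statement describes. In production the same logic would key on the account's authentication source rather than raw IP where attackers rotate addresses, and the foothold list is the first thing an incident responder would pivot on.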

Enter Resecurity

And there the story might have paused for a few days had a little-known company called Resecurity not made its own claims about what happened to Citrix.

In a blog post, it said that an Iranian group called Iridium had stolen “at least” 6TB of sensitive data from Citrix, including emails and files.

Resecurity said it had given Citrix early warning of the breach on 28 December, describing it as planned and organised to coincide with the Christmas period.

Citrix was only one of 200 government agencies, oil, gas and tech companies targeted during the Iridium campaign, the blog said.

Separately, NBC News said it had spoken to Resecurity’s president, Charles Yoo, who told it that the attackers had gained access to Citrix’s network via multiple compromised employee accounts:

So it’s a pretty deep intrusion, with multiple employee compromises and remote access to internal resources.

What does this mean?

So far, Resecurity’s claims haven’t been confirmed, which means they should be treated with some caution until more details are released. It might (or might not) be significant that, so far, Citrix hasn’t denied them.

For Citrix customers, and the wider industry, the importance of this story is in the detail. For example, Resecurity claims the attackers found ways to bypass two-factor authentication (2FA) for “critical applications and services for further unauthorized access to VPN (Virtual Private Networks) channels and SSO (Single Sign-On).”

If accurate, how serious this is depends on what type of 2FA is meant. If it is one-time codes sent via SMS or generated by an authenticator app, that would fit with a number of compromises of this type of authentication reported in recent months: both kinds of code can be captured by a real-time phishing proxy that relays the victim’s login, code included, to the genuine site, and SMS codes are additionally exposed to SIM-swap attacks. Authenticators that bind the response to the site’s origin, such as U2F/FIDO2 security keys, are not defeated that way, which is why the type of 2FA matters so much here.