Cyber Attack on Citrix

Cyber Attack on Citrix: July 3, 2019

Hi, stay updated with the dark side of the world of cyber attacks with us. We are starting a new series of case studies in which we cover the world’s gruesome cyberattacks very closely. This series intends to plant a seed of awareness about how cyber attacks are impacting the world around us at large.

In this blog post, we are covering the most recent cyber attack of the year on Citrix, which is still under investigation by the FBI. If you are not already aware, Citrix Systems Inc. is a multinational software company of American origin. The most popular services offered by the company include server application, networking, desktop virtualization, software as a service (SaaS), and cloud computing. Citrix solutions are widely used and are claimed to be used by 99% of the Fortune 100 and 98% of the Fortune 500 companies, with an aggregate clientele of over 400,000 clients around the world.

Given the background of the company, the impact of a cyber attack on its systems and networks is bound to be widespread. On the 6th of March, 2019, the FBI informed Citrix that international cybercriminals were lurking in the company’s internal network. Stan Black, Citrix CSIO, reacted to the incident with a statement saying, “We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”

Though the case is still under investigation, this hit can potentially expose a large amount of sensitive customer information. The security firm Resecurity has linked the attack to an Iranian group of hackers known as IRIDIUM. This group is said to have been involved in previous cyber hits against over 200 government agencies, tech companies, and gas and oil companies. The pattern suggests that the group targets a nation’s critical infrastructure companies, and as the group is active in several countries, it may be an act of cyber espionage. The same security firm, Resecurity, has also tied the group to the earlier Aussie parliament attack.

Resecurity provided insights on the case and said in a blog post, “Based on the timing and further dynamics, the attack was planned and organized specifically during the Christmas period.”

“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques, and procedures allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement.”

How did the attack take place?

The FBI believes that the attack was conducted by using a tactic called ‘Password Spraying’. With this method, hackers exploit weak passwords to gain a foothold in the system with limited access. From there they escalate their access by circumventing additional layers of security.

On the issue, the U.K.’s National Cyber Security Centre (NCSC) commented that “These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only looks at each account in isolation.”

The impact

The impact of the said cyber breach is yet to be quantified. Stan Black commented on the matter, “At this time, there is no indication that the security of any Citrix product or service was compromised.” He continued, “In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information. While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”

Later, Citrix issued a public apology and a promise to contain the incident: “Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”

An attack on one is a lesson for others.

This incident has turned the focus of the entire industry to basic cyber hygiene. What looks like a convenience, such as one password for everything or a common password, can lead to a fatal cyber massacre.

The NCSC advises firms to enforce multi-factor authentication on externally-reachable authentication endpoints and to configure protective monitoring on them to detect password spraying attacks. It also advises regularly auditing user passwords against common password lists, using commercial or free tools.
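The NCSC's point about monitoring that only looks at each account in isolation can be shown on a small authentication log. This is an added example, not code from the NCSC or Citrix; the event format, thresholds and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, account, outcome).
SPRAYED = ["alice", "bob", "carol", "dave", "erin"]
EVENTS = [(f"2019-01-01T09:0{i}:00", "203.0.113.7", user, "FAIL")
          for i, user in enumerate(SPRAYED)]
EVENTS += [
    ("2019-01-01T09:05:00", "203.0.113.7", "frank", "OK"),    # weak password hit
    ("2019-01-01T09:10:00", "198.51.100.9", "bob", "FAIL"),   # user mistyping
    ("2019-01-01T09:10:20", "198.51.100.9", "bob", "FAIL"),
    ("2019-01-01T09:10:40", "198.51.100.9", "bob", "OK"),
]

LOCKOUT_THRESHOLD = 5            # assumed per-account failure limit
SPRAY_ACCOUNTS = 4               # assumed: distinct accounts failed per source
WINDOW = timedelta(minutes=30)   # assumed correlation window


def per_account_alerts(events):
    """Monitoring that looks at each account in isolation."""
    fails = Counter(acct for _, _, acct, out in events if out == "FAIL")
    return sorted(a for a, n in fails.items() if n >= LOCKOUT_THRESHOLD)


def spray_alerts(events):
    """Sources that fail against many distinct accounts inside WINDOW."""
    by_src = defaultdict(list)
    for ts, src, acct, out in events:
        if out == "FAIL":
            by_src[src].append((datetime.fromisoformat(ts), acct))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > WINDOW:
                start += 1
            seen = {acct for _, acct in fails[start:end + 1]}
            if len(seen) >= SPRAY_ACCOUNTS:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts


def accounts_to_reset(events, flagged_sources):
    """Accounts with a successful login from a flagged source."""
    return sorted({acct for _, src, acct, out in events
                   if out == "OK" and src in flagged_sources})
```

On the sample, the per-account view raises nothing because no single account reaches the lockout threshold, while the cross-account view flags the spraying source and the one account it logged into.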

Another precaution is a comprehensive system check to ensure that there are no back doors, easy access points or areas where privileges could be escalated. 

These are some fairly standard cybersecurity practices that should be observed.

So, this was all about how Citrix is facing the challenges that follow an intensified cyber attack.