Another data breach has taken the tech world on its seat, as a leading American digital systems provider was infiltrated by hackers, taking terabytes of their clientele’s data.
According to the FBI, international cybercriminals have infiltrated the servers of Citrix, a global leader in computing systems, providing more than 400,000 companies with virtual private network access and credentials including 98% of the Fortune 500.
The company has assured its clients that they have already taken appropriate actions regarding the security breach. According to Stan Black, Citrix CSI, the company has “commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”
The global security firm, Resecurity, said that an Iranian-linked group called IRIDIUM perpetrates the attack. The group allegedly has already carried out an attack to more than 200 government agencies, oil and gas firms, and tech companies around the world.
The firm, Resecurity, said that they had given a preemptive warning to Citrix since December 28, 2018, regarding possible cyber attacks against its systems.
“Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period,” Resecurity says in a blog.
“Based our recent analysis, the threat actors leveraged a combination of tools, techniques, and procedures allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
Resecurity says the group uses proprietary techniques to bypass 2FA authorization for critical applications and services for further unauthorized access to virtual private networks channels and single sign-on.
At this point, it is still not possible to pinpoint precisely the extent of the damage caused by the attack. It is possible that the cybercriminals were able to access and download crucial documents from Citrix’s servers.
“In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information,” says Black. “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”
“At this time, there is no indication that the security of any Citrix product or service was compromised,” Black added.
However, according to Ian Thornton-Trump, security head of AMTrust Europe: It’s possible the bad guys have the source code for older products, possibly the Citrix NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, which is primarily used for secure remote access.
“Let’s look back to 2012 when Symantec had the source code for PC Anywhere stolen – let’s not forget that in this treasure trove of data Citrix may have given up the source code for Logmein as well as other products. PC Anywhere ceased to be a viable product, and it was one of the nails in the coffin; the same could happen for Logme in.”
The Federal Bureau of Investigation thinks that the attack was carried out by exploiting weak passwords in the system known as “password spraying.” The technique allows the hacker to gain limited control over the network and find a way to circumvent other remaining security layers.
According to UK’s National Cybersecurity Centre (NCSc), they have already warned tech companies of this method in the past where lists of a small number of common passwords are used to brute force large numbers of accounts.
“These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only look at each account in isolation,” the NCSC says.
The agency has previously conducted a study to determine who among the organizations and companies that participated are vulnerable to password spraying. It revealed that 75% of the participants had accounts with passwords that are featured in the top 1,000 most common passwords and 87% are highlighted in top 10,000.
This attack is another of the overwhelming sprout of data breaches and cyber attacks in multinational organizations and governments. Recently, the government of Singapore has named the group WhiteFly as the perpetrator of the notorious SingHealth data breach that affected thousands of Singaporean patients’ data.