Citrix released a statement today that on March 6, 2019, the FBI contacted Citrix to advise that it had reason to believe an international cyber criminal group had gained access to Citrix's internal network.
According to the blog statement by Stan Black, Citrix Chief Security Officer, Citrix has initiated action to contain the incident. Citrix has also commenced a forensic investigation and engaged a leading cyber security firm to assist. Citrix has taken actions to secure its internal network and will continue to cooperate with the FBI.
Who is the Hacker?
According to NBC News, the hackers were Iranian. The group name was not cited. Other sources have reported the names Iridium and Holmium.
NBC reports that Citrix Systems Inc. came under attack twice: Citrix was attacked in December and again on Monday of this week. Resecurity notified Citrix and law enforcement authorities.
According to Resecurity, the hackers extracted at least six terabytes of data and possibly up to 10 terabytes. They also gained access to Citrix through several compromised employee accounts.
Furthermore, NBC reported that while there is no evidence the attacks directly penetrated U.S. government networks, the breach carries a potential risk that the hackers could eventually find their way into sensitive government networks.
Microsoft Reports More Iranian Hacks Suspected
Meanwhile, a Wall Street Journal article reported that Iranian hackers are active in the U.S. The Journal says that Microsoft has detected cyberattacks linked to Iranian hackers. The attacks have targeted thousands of people at more than 200 companies over the past two years.
According to a Wall Street Journal report, “The hacking campaign stole corporate secrets and wiped data from computers.”
Microsoft told the Journal, “the cyberattacks affected oil-and-gas companies and makers of heavy machinery.” The affected companies are located in Saudi Arabia, Germany, the United Kingdom, India and the U.S. Microsoft says the campaign has caused hundreds of millions in damages.
Additionally, Microsoft attributed the attacks to a group it calls Holmium, also known as APT33. Microsoft says it detected Holmium targeting more than 2,200 people. Holmium uses phishing emails to install malicious code.
What is Citrix Doing to Mitigate?
Citrix says that it “is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly.
In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”
According to Citrix, “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”
The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.
Password Spraying Attack
While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying. This attack targets and exploits weak passwords.
Password Spraying Defined
A password spraying attack is the opposite of a brute force attack. In brute force attacks, hackers choose a vulnerable user name and enter passwords one after another. They typically use a dictionary as the password list and add numbers to the end. Basically, brute force is many passwords applied to just one ID. Sometimes this works because the password is too simple. Complex passwords are much harder to crack because they cannot be easily guessed.
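The contrast above is also what a defender looks for in authentication logs: a brute force source racks up many failures on one account, while a spraying source spreads a few failures across many accounts, staying under per-account lockout thresholds. The following is an added example (not code from the article or from Citrix) that classifies failed-logon sources on that basis; the log events and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events: (timestamp, source IP, username).
# In practice these come from an IdP, VPN gateway or directory audit log.
FAILED_LOGONS = [
    # Spray pattern: one source, many accounts, one failure each.
    ("2019-03-04 09:00:01", "203.0.113.7", "alice"),
    ("2019-03-04 09:00:03", "203.0.113.7", "bob"),
    ("2019-03-04 09:00:05", "203.0.113.7", "carol"),
    ("2019-03-04 09:00:07", "203.0.113.7", "dave"),
    ("2019-03-04 09:00:09", "203.0.113.7", "erin"),
    ("2019-03-04 09:00:11", "203.0.113.7", "frank"),
    # Brute force pattern: one source hammering one account.
    ("2019-03-04 09:05:00", "198.51.100.9", "svc-backup"),
    ("2019-03-04 09:05:01", "198.51.100.9", "svc-backup"),
    ("2019-03-04 09:05:02", "198.51.100.9", "svc-backup"),
    ("2019-03-04 09:05:03", "198.51.100.9", "svc-backup"),
    ("2019-03-04 09:05:04", "198.51.100.9", "svc-backup"),
    # Benign noise: one user mistyping a password twice.
    ("2019-03-04 09:10:00", "192.0.2.44", "alice"),
    ("2019-03-04 09:10:20", "192.0.2.44", "alice"),
]

def classify_sources(events, window=timedelta(minutes=10), spray_min_users=5,
                     spray_max_per_user=2, brute_min_fails=5):
    """Return {source_ip: "spray" | "brute_force"} for sources whose failures
    inside any `window` fit one of the two patterns. Thresholds are assumptions
    to tune per environment. Sources matching neither pattern are omitted."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            per_user = defaultdict(int)
            for ts, user in evs[i:]:          # sliding window anchored at each event
                if ts - start > window:
                    break
                per_user[user] += 1
            # Spraying: breadth across accounts, little depth per account, so
            # per-account lockout counters never trip; only the source-level view sees it.
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                verdicts[src] = "spray"
                break
            # Brute force: depth on a single account from one source.
            if max(per_user.values()) >= brute_min_fails:
                verdicts[src] = "brute_force"
                break
    return verdicts
```

Correlating on the source rather than the account is the key difference: an account-centric lockout rule would see at most one failure per user for the spraying source and never fire.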