Citrix has been the target of a security breach that has resulted in the loss of about 6TB of sensitive data. In an official statement released by Citrix CSIO Stan Black on March 8, 2019, it was revealed that the FBI alerted the company to evidence that the Citrix network had been compromised by international cyber criminals.

According to Black, Citrix has commenced a forensic investigation, sought the assistance of a leading cybersecurity firm, taken actions to secure its internal network, and continues to cooperate with the FBI.

While the investigation into the breach is still ongoing, it appears that the hackers may have accessed and downloaded business documents. However, Black states that the company hasn’t been able to identify the specific documents that may have been stolen. “At this time, there is no indication that the security of any Citrix product or service was compromised,” he added.

Security firm Resecurity claims that the attacks were carried out by IRIDIUM, an Iranian hacking group responsible for past attacks on tech companies, gas firms, and government agencies. The firm states that it contacted Citrix on December 28, 2018, to warn about an attack from this group.

In a blog post, the firm reveals that the cybercriminals gained access to at least 6TB of sensitive data in the Citrix network, including e-mails and files in services used for project management and procurement.

According to the firm, “the incident has been identified as a part of a sophisticated cyber espionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy.”

How did the hackers gain access to the documents?

Password spraying explained

Although not yet confirmed, the FBI believes that the hackers likely employed a tactic known as password spraying, a method that exploits weak passwords. Once they were able to gain limited access, they then worked to bypass added layers of security.

Password spraying is an attack method that involves the use of a few common passwords to try to access a large number of user accounts. These attacks are usually effective because many people use very common passwords rather than complex, unique ones.
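The pattern that distinguishes a spray from ordinary brute force is visible in authentication logs: one source address fails against many different accounts, with only one or two attempts per account, so per-account lockout never triggers. The following detector, an added example rather than anything from the article or from Citrix, groups failures by source address inside a time window and flags sources that touch an unusually large number of distinct accounts. The log format and all sample lines are constructed for the example; the window and threshold are assumptions to be tuned to the environment.

```python
"""Password-spray detection over constructed authentication log lines.

Spraying looks different from brute force: one source tries one or two
passwords against MANY accounts, so per-account failures stay under lockout
thresholds while the count of distinct failed usernames per source climbs.
The detector groups failures by source address in a sliding time window and
flags sources whose distinct-user count crosses a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real Citrix telemetry): one spraying
# source (203.0.113.5) tries a single password against many accounts, then
# succeeds against one; a legitimate user mistypes her password twice from
# 198.51.100.7 before logging in.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z auth=FAIL user=alice src=203.0.113.5
2019-03-01T10:00:02Z auth=FAIL user=bob src=203.0.113.5
2019-03-01T10:00:03Z auth=FAIL user=carol src=203.0.113.5
2019-03-01T10:00:04Z auth=FAIL user=dave src=203.0.113.5
2019-03-01T10:00:05Z auth=FAIL user=erin src=203.0.113.5
2019-03-01T10:00:06Z auth=OK user=frank src=203.0.113.5
2019-03-01T10:00:10Z auth=FAIL user=grace src=198.51.100.7
2019-03-01T10:00:15Z auth=FAIL user=grace src=198.51.100.7
2019-03-01T10:00:20Z auth=OK user=grace src=198.51.100.7
"""

# Assumed log format: ISO timestamp, result, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_spray(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources that fail against >= min_distinct_users accounts in any window.

    Returns a dict: src -> {"distinct_users": n, "successes": [users that
    authenticated OK from that source]}. A success from a spraying source is
    the highest-priority finding: it means a weak password was found.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()
    fails = defaultdict(list)     # src -> [(ts, user)], time-ordered
    successes = defaultdict(set)  # src -> {user}
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)

    alerts = {}
    for src, entries in fails.items():
        # Sliding window over this source's failures; track the largest
        # number of distinct accounts seen inside any single window.
        start = 0
        best = 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1
            distinct = len({u for _, u in entries[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            alerts[src] = {
                "distinct_users": best,
                "successes": sorted(successes[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['distinct_users']} distinct accounts failed; "
              f"successes from that source: {info['successes'] or 'none'}")
```

Keying on distinct accounts per source rather than failures per account is the point: a per-account lockout rule sees only one failure for each of alice, bob, carol, dave and erin and stays silent, while the per-source view reports five accounts and one subsequent success. Sprays distributed across many source addresses need the same logic keyed on a coarser attribute (ASN, user-agent, or the time-of-day bucket), which is what the NCSC's protective-monitoring advice later in the article is aimed at.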

Who has been affected?


Presently, no detailed information on how many people are affected by this breach is available. Citrix products are used by over 400,000 organizations around the world including 98% of all Fortune 500 companies and 99% of the Fortune 100. Thus, the effects of this data breach incident could be serious.

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities,” the company says.

This incident provides another timely reminder of the importance of security measures that are often taken for granted by many such as using strong passwords. As data breaches like this become more commonplace, users can protect their data by strengthening their passwords.

Simple practices like using longer passwords and avoiding dictionary words and common names can go a long way. For those who struggle with remembering passwords, password management software such as 1Password and LastPass can help. It is important to avoid using one password across multiple sites and services. And should a service you use get hacked, change your password immediately.


For firms, the U.K.’s National Cyber Security Centre (NCSC) recommends configuring protective monitoring and enforcing multi-factor authentication on externally accessible authentication endpoints.

Companies also need to prevent users from choosing weak, common passwords. Regular audits of user passwords against lists of common passwords should be carried out. Since cybercriminals often return to “easy targets,” hardening passwords and implementing two-factor authentication is a wise move.
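A blocklist audit only helps if it catches the variants people actually pick, which are the same variants a spraying list contains: a season or the company name with a year and a punctuation mark appended, or a few letters swapped for look-alike digits. The check below is an added example, not code from the article or from any vendor; it normalizes a candidate before comparing it to a small constructed blocklist, so "P@ssw0rd2019!" is rejected as "password". The blocklist, the minimum length and the leet substitutions are assumptions; a real audit would load a published breached-password list and run at password-change time, where the plaintext is available.

```python
"""Audit candidate passwords against a common-password blocklist.

Run at password-change time (or over an export of candidates during a
periodic audit). Against stored hashes you would instead hash each blocklist
entry with the account's salt and compare, which this example does not do.
"""
import re

# Constructed blocklist for the example. A real deployment would load a
# published breached-password list plus organization-specific terms.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "123456", "admin",
    "spring", "summer", "autumn", "winter",   # season + year is a spray classic
    "citrix",                                 # org name; substitute your own
}

# Assumed leet substitutions to undo before comparing.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                          "4": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase, drop a trailing year/digits/punctuation, undo leet swaps."""
    p = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", p)   # "spring2019!" -> "spring"
    p = stripped or p                       # all-digit input stays as-is
    return p.translate(LEET_MAP)


def audit_password(password, min_length=12):
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    # Compare both the raw lowercase form and the normalized form, so pure
    # numeric entries like "123456" are still caught.
    candidates = {password.lower(), normalize(password)}
    hit = candidates & COMMON_PASSWORDS
    if hit:
        findings.append(f"matches common password '{sorted(hit)[0]}'")
    return findings


def audit_accounts(accounts):
    """accounts: {username: candidate}. Returns {username: findings} for failures only."""
    results = {}
    for user, candidate in accounts.items():
        findings = audit_password(candidate)
        if findings:
            results[user] = findings
    return results


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    sample = {
        "alice": "P@ssw0rd2019!",
        "bob": "Spring2019!",
        "carol": "123456",
        "dave": "correct horse battery staple",
    }
    for user, findings in audit_accounts(sample).items():
        print(f"{user}: " + "; ".join(findings))
```

Normalizing before the comparison is what makes the audit useful against spraying: the attacker's list is built from the same handful of base words with predictable decoration, so the check has to strip the decoration rather than match literally. Rejecting the candidate at change time is the cheap moment to enforce this; an audit of already-stored hashes is a useful second line but requires salted hashing of each blocklist entry per account.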

It is possible that the hackers were able to access the source code for older Citrix products. Thus, it is advisable for organizations and individuals that use Citrix products and services to ensure that their Citrix environments aren’t exposed to the internet. Organizations should be alert to indications of a breach and employ multi-factor authentication. This could turn out to be a very serious data breach.

What can you do about it?

Exploiting weak passwords is a classic method used by hackers to attack and take control of your online accounts. To avoid having your data stolen in a data breach, make sure to use a secure password manager to generate and store strong passwords, complemented by a reliable VPN to encrypt your connection and protect your online privacy.