Citrix Data Breach

Were “Iranians” or “International Cyber Criminals” to Blame?

Little-known cybersecurity company reports breach, blames Iranians…

American software giant Citrix has suffered a major security breach, the company has admitted, but mystery surrounds the precise nature of the attack, after a new-on-the-scene cybersecurity company based in Los Angeles called “Resecurity” said it had alerted the FBI and Citrix to the breach and claimed an Iranian threat group was to blame for exfiltrating over six terabytes of Citrix data.

That claim resulted in extensive airtime for the company, whose president, Charles Yoo, told reporters that the breach may have first happened a decade ago and that the attackers were targeting Citrix clients whose work spans FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco.

It did not offer detail on how it identified the breach. Computer Business Review has left a request for further comment with the company.

Citrix confirmed a breach had taken place: CSIO Stan Black said in a short statement: “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”

He added: “The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.”

(Citrix provides desktop and application virtualisation software among other tools and services. Its portfolio includes Citrix Analytics, which claims to apply machine learning to data that “spans network traffic, users, files, and endpoints to identify and act on malicious user behaviour and app performance anomalies.” Its clients include a range of federal agencies and blue chips.)

Citrix Data Breach: Lateral Movement was Not Identified

Black says that the FBI believes the technique used to gain access to the American multinational's systems was “password spraying”, stating that: “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

Password spraying is the term for an attack on an account login page that tries a small number of commonly used passwords, such as qwerty12345, month/year combinations or the organisation's name followed by a number, against a large set of account user names.

(The National Cyber Security Centre (NCSC) has warned about these types of attacks, saying: “These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only look at each account in isolation.”)
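The detection gap the NCSC describes is easy to see in code. The following is an added example (not from the article, Citrix or the NCSC): a per-account failed-login count sits beside a source-centric check that groups failures by origin address across distinct accounts. The log format and all addresses and user names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ISO timestamp> <result> user=<name> src=<ip>").
# One source tries each of six accounts once; a second source hammers a single account.
SAMPLE_LOG = """\
2019-03-06T09:00:01 FAIL user=alice src=203.0.113.7
2019-03-06T09:00:03 FAIL user=bob src=203.0.113.7
2019-03-06T09:00:05 FAIL user=carol src=203.0.113.7
2019-03-06T09:00:07 FAIL user=dave src=203.0.113.7
2019-03-06T09:00:09 FAIL user=erin src=203.0.113.7
2019-03-06T09:00:11 FAIL user=frank src=203.0.113.7
2019-03-06T09:00:13 OK user=grace src=203.0.113.7
2019-03-06T09:05:00 FAIL user=alice src=198.51.100.4
2019-03-06T09:05:10 FAIL user=alice src=198.51.100.4
2019-03-06T09:05:20 FAIL user=alice src=198.51.100.4
2019-03-06T09:05:30 FAIL user=alice src=198.51.100.4
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def per_account_lockouts(lines, max_failures=5):
    """Account-in-isolation view: flags users with at least max_failures failed logins."""
    fails = defaultdict(int)
    for _, result, user, _ in map(parse_line, lines):
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def detect_spray(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """Source-centric view: flags an origin that fails against many distinct accounts in a window."""
    events = defaultdict(list)
    for ts, result, user, src in map(parse_line, lines):
        if result == "FAIL":
            events[src].append((ts, user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                flagged[src] = len(users)  # number of distinct accounts hit within the window
                break
    return flagged

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account lockouts:", per_account_lockouts(lines))  # only the brute-forced account
    print("spraying sources:", detect_spray(lines))  # the source that touched six accounts once each
```

The per-account check only reports the single brute-forced account; the spraying source, which never trips a lockout threshold, shows up only when failures are correlated by origin across accounts.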

Threat Group Dubbed “IRIDIUM” Blamed

Resecurity meanwhile claimed in a blog post that it had identified the breach and notified Citrix along with law enforcement in order to share an “early warning notification about targeted attack and data breach.”

The post blamed an Iranian threat group dubbed IRIDIUM and claimed that the attack had included “proprietary techniques allowing to bypass 2FA authorisation for critical applications and services for further unauthorised access to VPN channels and SSO (Single Sign-On)”. It did not offer further detail.


Citrix said it has brought in a “leading” cyber security company and will continue to work with the FBI on the incident. Its own statement did not mention Iran but said the FBI had advised it “they had reason to believe that international cyber criminals gained access to the internal Citrix network.”

We are sure more information will follow on this story.
