The company has confirmed that hackers had access to its network between October 13, 2018, and March 8, 2019. They gained access by using a method known as password spraying, which involves attempts to access accounts with a few commonly used passwords.
On certain days during this period, the attackers stole business documents and other files from a shared network drive used by the company for storing current and historical documents. They also targeted a drive associated with a web-based tool used by Citrix’s consulting practice.
It’s also possible that the threat group behind the attack, which the FBI reportedly described as “international cyber criminals,” also accessed individual virtual drives and company email accounts of a “limited number of users.”
Some of the compromised files stored information on current and former employees, including their social security numbers and financial information. It’s unclear how many individuals have been impacted.
Citrix said it found no evidence that any of its products or cloud services were compromised, and the company is confident that the hackers did not identify or exploit any vulnerabilities in its products or services as part of the attack.
“As part of an extensive e-discovery process, experts are carefully reviewing documents and files that may have been accessed or were stolen in this incident. We have notified, or shortly will notify, the limited number of customers who may need to consider additional protective steps,” David Henshall, president and CEO of Citrix, said in a blog post.
Shortly after the breach came to light, cybersecurity firm Resecurity reported that the attack was carried out by Iranian threat actors, but several experts raised questions about the company’s claims.
In response to the breach, Citrix says it has made significant changes and improvements to prevent such incidents in the future. However, some experts believe it may not be enough, particularly in terms of password-related changes, where the company says it has carried out a global password reset, improved internal password management and strengthened password protocols.
“Unfortunately, this is analogous to rearranging deck chairs on the Titanic,” Arshad Noor, CTO of StrongKey, told SecurityWeek. “Passwords are not just old, they are ancient - created for the mainframe to enable chargeback controls for time-sharing in the 1960s. That multi-billion-dollar companies continue to use this archaic technology to protect a multi-trillion-dollar economy is an anachronism of the 21st century. I would strongly encourage Citrix - and others - to look at FIDO Alliance's new protocol (FIDO2) towards eliminating passwords entirely from their web and mobile infrastructure; it is a 21st century technology designed for a 21st century landscape.”