Citrix Announces Internal Network Breach and Unauthorized Document Access

• Citrix discloses an internal network breach by an international hackers group, as indicated by the FBI.
• The company says the attackers only tapped onto some important documents, but they don’t know which yet.
• All Citrix products and services remained non-compromised and unaffected, so customers are safe to continue using them.

Citrix Systems, an expert in networking software, virtualization, and cloud computing, has issued an official announcement to warn their customers about unauthorized access to their internal network. According to the post, it was the FBI who warned the Texas-based software giant about the breach on March 6, while the company has already taken containment action to mitigate the risks. Moreover, a forensic investigation with the help of a leading cybersecurity firm is already underway. As Citrix is a high-profile US business entity, it is very probable that the attackers belong to an international cybercriminal group and not a random opportunistic team of hackers.

On the investigation, the post mentions the following: “Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”

As for the breach and its results, Citrix unveils that the hackers have most likely accessed and downloaded various business documents that were stored in their network. However, they point out that they currently don’t know which documents were compromised. Moreover, the associated services and company products show no indication of any compromise, so we’re talking about a highly targeted attack that focused on the acquisition of crucial documents, and nothing more.

The FBI has informed Citrix that the attackers managed to gain access to the company’s network by following a “password spraying” method. What this means is that the attackers attempted to log in to the corporate network not by brute-forcing their way in, but by trying a few common and weak passwords in each employee account. This prevents auto-lockouts, as the attackers don’t target a single account, nor do they try to guess the right password for more than three times.

Once the attackers gained at least limited access to the Citrix network, they have worked their way deeper by circumventing the additional layers of security that were in place. Whether they targeted an SSO or a cloud-based application to conceal their activity and mask the associated malicious traffic has not been clarified by the Citrix announcement, but it’s possible. As the investigation moves forward, Citrix will share more insights on what happened and how attackers moved inside their network, so stay tuned.

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”

Are you a Citrix customer? Does the above hurt your trust in the company’s products and services? Share your thoughts in the comments section below, and don’t forget to like this story and subscribe to our socials, on Facebook and Twitter.