Severity
High
Analysis Summary
Citrix has confirmed that their network was breached and attackers has managed to get their hands on the “Business Documents” according to their CISO (Chief Information Security Officer).
“The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised”
It is likely that the attackers used the password spraying tactic which is used to exploit weak passwords and once they get their foothold with limited access, they work their way out to additional layers of security compromising at least “6TB” of data, founding ways to bypass (2FA) two factor authentication and (SSO) single sign on and services for further unauthorized access to VPN (Virtual Private Networks) channels.
Impact
- System access
- Loss of credentials
- Loss of sensitive information
- Network intrusion
- Data ex filtration
Indicators of Compromise
| IP(s) / Hostname(s) | 178[.]131[.]21[.]19 5[.]115[.]23[.]11 5[.]52[.]14[.]23 23[.]237[.]104[.]90 194[.]59[.]251[.]12 185[.]244[.]214[.]198 138[.]201[.]142[.]113 92[.]222[.]252[.]193 51[.]15[.]240[.]100 185[.]220[.]70[.]135 |
Affected Vendors
Citrix Systems
Remediation
- Block threat indicators at your respective controls.
- Prevent users from common passwords
- Deploy alternative passwords where possible
- Enforce the multi factor authentication on externally reachable endpoints
- Provide pragmatic advice to the users on how to choose good passwords.