CITRIX DATA BREACH BY IRIDIUM HACKERS: 8 SECURITY MEASURES TO PREVENT IT
24 Jul 2019
G' SECURE LABS
security@gsecurelabs.com
www.gsecurelabs.com

Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies. Citrix solutions are claimed to be in use by over 400,000 clients worldwide, including 99% of the Fortune 100 and 98% of the Fortune 500.

The Attack

In March, the FBI alerted Citrix that Iran-based hackers going by the name Iridium had attacked the company's internal network and stolen (downloaded) 6 TB of highly sensitive data. They used a combination of tools, techniques and procedures to intrude into the network and gain access to it.

"Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities," said Black, CSIO of Citrix.

Hacker Tactics

According to the FBI, the hackers used tactics known as password spraying and credential stuffing. Password spraying is an attack that tries weak, commonly used passwords against many accounts in order to compromise the first layer of security and then move on to break the additional security layers. Credential stuffing involves taking usernames and passwords from breach data dumps and replaying them against other services, compromising those accounts and services. In this way the hackers managed to access and download the sensitive files.

Post Investigation Report

Based on the investigation, Citrix confirmed that the hackers had intermittent access to the company's network between 13 October 2018 and 8 March 2019, and that they removed files from Citrix's internal systems.
The stolen data contains information about current and former employees and their beneficiaries, including social security numbers and financial information.

Security Measures to Prevent Such a Data Breach

- Enable multi-factor authentication (e.g. Google Keys).
- Enable CAPTCHA in appropriate situations.
- Blacklist the source IP addresses when a large number of login attempts originate from only a few (or one) IP.
- Block addresses attempting to log into multiple accounts.
- Generate alerts for accounts whose failed-login threshold has been reached.
- Notify users and the concerned teams about unusual security events.
- Adopt a multi-step login process (e.g. 2FA and multi-factor authentication).
- Limit access from outside the office network.
- Ban simple passwords and educate users to use complex passwords with password managers.

Citrix's Solution and Future Prevention

To find a solution to this data breach and prevent future ones, Citrix partnered with a leading cyber security firm to assist its internal team with the forensic investigation. Citrix is also cooperating with the FBI in its investigation of the cybercriminals.

Do you feel secure enough about your sensitive data? If not, hurry up and get a free security assessment from us.
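As an added example (not from the original whitepaper), the following Python script applies two of the measures listed under Security Measures to a constructed sample of authentication log lines: it flags a source IP that fails logins against many distinct accounts within a short window (the password-spraying pattern described under Hacker Tactics) and an account whose failed-login threshold is reached (the credential-stuffing or brute-force pattern). The log format, the thresholds, the window and the IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Citrix data).
# Format assumed: <ISO timestamp> <source IP> <account> <FAIL|OK>
SAMPLE_LOG = """\
2019-03-01T08:00:01Z 203.0.113.7 alice FAIL
2019-03-01T08:00:03Z 203.0.113.7 bob FAIL
2019-03-01T08:00:05Z 203.0.113.7 carol FAIL
2019-03-01T08:00:08Z 203.0.113.7 dave FAIL
2019-03-01T08:00:09Z 203.0.113.7 erin FAIL
2019-03-01T08:01:00Z 198.51.100.4 alice FAIL
2019-03-01T08:01:10Z 198.51.100.4 alice FAIL
2019-03-01T08:01:20Z 198.51.100.4 alice FAIL
2019-03-01T08:01:30Z 198.51.100.4 alice FAIL
2019-03-01T08:01:40Z 198.51.100.4 alice FAIL
2019-03-01T08:02:00Z 198.51.100.4 alice OK
2019-03-01T09:30:00Z 192.0.2.9 frank FAIL
2019-03-01T09:30:20Z 192.0.2.9 frank OK
"""

def parse(log):
    """Return a list of (timestamp, ip, account, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect(log, window=timedelta(minutes=10), spray_accounts=5, account_failures=5):
    """Flag spraying IPs (many accounts, few tries each) and accounts over their failure threshold."""
    by_ip = defaultdict(list)    # ip -> [(ts, account)] of recent failures
    by_user = defaultdict(list)  # account -> [ts] of recent failures
    spray_ips, alert_accounts = set(), set()
    for ts, ip, user, result in parse(log):
        if result != "FAIL":
            continue  # only failed attempts feed the counters
        # sliding window: failures older than `window` age out before counting
        by_ip[ip] = [e for e in by_ip[ip] if ts - e[0] <= window] + [(ts, user)]
        by_user[user] = [t for t in by_user[user] if ts - t <= window] + [ts]
        # one source hitting many different accounts is the spraying signature
        if len({u for _, u in by_ip[ip]}) >= spray_accounts:
            spray_ips.add(ip)
        # one account exceeding its threshold: alert, and notify the user and the concerned team
        if len(by_user[user]) >= account_failures:
            alert_accounts.add(user)
    return sorted(spray_ips), sorted(alert_accounts)
```

On the constructed sample, `detect(SAMPLE_LOG)` flags 203.0.113.7 as a spraying source and alice as an account that reached its failure threshold; the single failure from 192.0.2.9 stays below both thresholds.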
Copyright © Gateway Group