American software giant Citrix has suffered a major security breach, the company has admitted, but mystery surrounds the precise nature of the attack, after a new-on-the-scene cybersecurity company based in Los Angeles called “Resecurity” said it had alerted the FBI and Citrix to the breach and claimed an Iranian threat group was to blame for exfiltrating over six terabytes of Citrix data.

That claim resulted in extensive airtime for the company, whose president, Charles Yoo, told reporters that the breach may have first happened a decade ago and that the attackers were targeting Citrix clients whose work spans FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco.

Resecurity did not offer detail on how it identified the breach. Computer Business Review has left a request for further comment with the company.

Citrix confirmed a breach had taken place. CSIO Stan Black said in a short statement: “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”

He added: “The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.”

(Citrix provides desktop and application virtualisation software among other tools and services. Its portfolio includes Citrix Analytics, which claims to apply machine learning to data that “spans network traffic, users, files, and endpoints to identify and act on malicious user behavior and app performance anomalies.” Its clients include a range of federal agencies and blue chips.)

Citrix Data Breach: Lateral Movement was Not Identified

Black says that the FBI believes the technique used to gain access to the American multinational's systems was “password spraying”, stating that: “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

(It is unclear why no monitoring systems were in place that would have identified the lateral movement or indeed the large-scale data exfiltration.)

Password spraying is the term for an attack on an account login page that tries account user names in conjunction with commonly used passwords such as qwerty12345, month/year combos or the organisation's name and a number.

(The National Cyber Security Centre (NCSC) has warned about these types of attacks, saying: “These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only look at each account in isolation.”)
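The NCSC's point about monitoring that looks at each account in isolation can be shown with a short detection sketch. This is an added example, not code from the article, Citrix or the NCSC; the log format, thresholds, addresses and user names are constructed assumptions. A per-account failure counter stays silent on the sample log, while a per-source count of distinct failed accounts flags the spray and lists the account that source then logged in to.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
PER_ACCOUNT_LIMIT = 5            # assumed lockout-style threshold
DISTINCT_ACCOUNT_LIMIT = 4       # assumed spray threshold
# Constructed sample log: timestamp, source address, user name, result.
SAMPLE_LOG = """\
2024-01-01T09:00:00 203.0.113.20 frank FAIL
2024-01-01T09:00:45 203.0.113.20 frank OK
2024-01-01T09:02:00 198.51.100.7 alice FAIL
2024-01-01T09:04:00 198.51.100.7 bob FAIL
2024-01-01T09:06:00 198.51.100.7 carol FAIL
2024-01-01T09:08:00 198.51.100.7 dave FAIL
2024-01-01T09:10:00 198.51.100.7 erin OK
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return sorted((datetime.fromisoformat(ts), src, user, res == "OK")
                  for ts, src, user, res in rows)

def per_account_alerts(events):
    """Each account in isolation: too many failures for one user name."""
    seen, alerts = defaultdict(list), set()
    for ts, _src, user, ok in events:
        if not ok:
            seen[user] = [t for t in seen[user] if ts - t <= WINDOW] + [ts]
            if len(seen[user]) >= PER_ACCOUNT_LIMIT:
                alerts.add(user)
    return alerts

def spray_alerts(events):
    """Across accounts: one source failing against many distinct user names."""
    seen, alerts = defaultdict(list), set()
    for ts, src, user, ok in events:
        if not ok:
            seen[src] = [(t, u) for t, u in seen[src] if ts - t <= WINDOW] + [(ts, user)]
            if len({u for _, u in seen[src]}) >= DISTINCT_ACCOUNT_LIMIT:
                alerts.add(src)
    return alerts

def accounts_to_review(events, flagged_sources):
    """Accounts with a successful login from a source flagged for spraying."""
    return {user for _ts, src, user, ok in events if ok and src in flagged_sources}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(per_account_alerts(ev), spray_alerts(ev), accounts_to_review(ev, spray_alerts(ev)))
```

Grouping by source address alone will miss a spray spread across many addresses; the same windowed count keyed on a time bucket rather than a source covers that case.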

Threat Group Dubbed “IRIDIUM” Blamed 

Resecurity meanwhile claimed in a blog post that it had identified the breach and notified Citrix along with law enforcement in order to share an “early warning notification about targeted attack and data breach.”

The post blamed an Iranian threat group dubbed IRIDIUM and claimed that the attack had included “proprietary techniques allowing to bypass 2FA authorization for critical applications and services for further unauthorized access to VPN channels and SSO (Single Sign-On)”. It did not offer further detail.

Citrix said it has brought in a “leading” cyber security company and will continue to work with the FBI on the incident. Its own statement did not mention Iran but said the FBI had advised it “they had reason to believe that international cyber criminals gained access to the internal Citrix network.”

Ojas Rege, from mobile device management specialist MobileIron, said in an emailed comment: “If the FBI is correct and the source of breach was password spraying, then it’s another sign that, as an industry, we must focus on addressing the root cause of most data breaches – the inherent weakness of the password as our central means of enterprise authentication. Forcing end users to make all their passwords substantially stronger will not solve this problem.”

“Biometric authentication is the starting point because the end user now no longer has to remember passwords. The back-end credential into enterprise systems can then be made much stronger to mitigate password spraying and similar attacks, all without creating pain for the end user. This is a true win-win. The company is more secure and the end user is more productive.”

More to follow…