Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, claims cyber-biz

Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets. The enterprise software giant – which services businesses, the American military, and various US government agencies – said it was told by the FBI on Wednesday that miscreants had accessed Citrix's IT …

  1. chivo243 Silver badge

    The answer is in the article

    "Citrix has an extremely large portfolio spread across a number of sectors in the enterprise IT market."

    ^^^ would make a nice list of targets?

  2. DarkLordofSurrey

    I wonder if Huawei might be... would fit a Trump narrative.

    1. Pascal Monett Silver badge

      In any case, this amply demonstrates that Huawei is not the major threat. Weak passwords and insufficient network security are.

      And this with a company that specifically does networking. That doesn't look good for their reputation.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        @Pascal Monett

        100% agree - It's still not taken seriously anywhere I've worked. Up until a few months ago, I worked for one of the UK's biggest consumer services, and their password security is piss poor. No sanity checking, no MFA, no verification, no notifying customers when their account is accessed - there really is no excuse, even simple steps such as checking new passwords against known compromised credential combos would be a game changer - I won't even cover the worst bit (zero effort to prevent or detect exfiltration).

        To be fair, the security team are trying to change this, but it's slow going, the senior leadership just have one mantra "customer journey and conversion".

        A/C and no mention of company, as I'm fairly certain my contract had covenants against its discussion/disclosure.
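        The "checking new passwords against known compromised credential combos" step mentioned above, shown as an added example (not code from the original thread or from any company discussed here). It uses the k-anonymity style of lookup, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally; the breach corpus, the range_query server function and the 12-character minimum are constructed assumptions for the demonstration.

```python
import hashlib

# Constructed, hypothetical corpus of breached passwords (not a real breach list).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1, the digest convention used by prefix-range services."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Index the corpus by 5-character hash prefix -> set of 35-character suffixes."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_index(BREACHED_PASSWORDS)


def range_query(prefix: str):
    """Server side of the lookup (assumed interface): the caller reveals only a
    5-character prefix, and every suffix sharing that prefix is returned."""
    return sorted(BREACH_INDEX.get(prefix.upper(), ()))


def is_compromised(candidate: str) -> bool:
    """Client side: hash locally, query by prefix, compare the suffix locally so the
    full hash (and the password) never leaves the client."""
    h = sha1_hex(candidate)
    return h[5:] in range_query(h[:5])


def check_new_password(candidate: str, min_length: int = 12):
    """Return the list of reasons a new password should be rejected (empty = accept).
    The length floor is a constructed policy value for this example."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    if is_compromised(candidate):
        reasons.append("appears in compromised-credential list")
    return reasons


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", check_new_password(pw) or "ok")
```

        The same check belongs on password-reset and change endpoints, not only at sign-up, since a reset after an incident (like the ShareFile reset discussed further down the thread) is exactly when users reach for a password they already use elsewhere.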

        1. Anonymous Coward
          Anonymous Coward

          And, not likely to change...

          unless and until there are significant penalties for such laxity, and significant rewards for being in the lead. How? Maybe a public register of all companies and their "security score", built from 0 up by expert independent graders, with points given for demonstrated security features. Companies not willing to be evaluated will get a hex-rating. If one chooses to go with the cheapest, with a relatively low score, then one deserves to get burned.

          1. Doctor Syntax Silver badge

            Re: And, not likely to change...

            "unless and until there are significant penalties for such laxity"

            There are but they only come into play after the event.

            There's need for pro-active inspection. Let's say a scoring system for the types of PII held and a need for audit-requiring certification where the total score over all the data subjects exceeds some minimum. If a business doesn't want to get into certification and the consequent regulation then it can dial down what PII it holds.

            Yes, I can imagine the complaints about the cost of regulation but the fact is that far too many have failed to put procedures in place without regulation. It's a requirement that businesses have brought on themselves. I've written here many times that experience is a dear teacher but there are those that will learn by no other. If it was simply the likes of Sony and Citrix having their internal documents raided it wouldn't matter but when it's the likes of Equifax and Verification.io spilling millions of customer or 3rd party details it's too late for such businesses to learn by experience.

      3. Anonymous Coward
        Anonymous Coward

        "Huawei is not the major threat"

        I disagree - Huawei are a major threat. If their current progress towards 5G systems continues, they will likely devastate existing European, US and Japanese telecoms vendors leaving only the Chinese vendors capable of offering single vendor solutions. Ericsson have admitted as much publicly and blamed it on EU regulations limiting investment (read as EU laws preventing states propping up companies that are struggling in the marketplace).

        "And this with a company that specifically does networking. That doesn't look good for their reputation."

        Logged a case with Citrix where you gave them certificate keys to decrypt TLS sessions? Time to change those certificates...

        1. Doctor Syntax Silver badge

          "I disagree - Huawei are a major threat."

          This wasn't a Chinese company, it was a US one.

          The US needs to get it's own house in order before it starts on others. Crude attempts to deflect attention elsewhere don't cut it.

          1. Doctor Syntax Silver badge

            "it's"

            Aaaargh!

          2. Anonymous Coward
            Anonymous Coward

            My point is that security is not the immediate issue with Huawei - it's about the significant market headstart that Huawei has at present for 5G. i.e. Huawei hope to have an end-to-end system commercially available by late 2019/early 2020 while their western competitors are talking end of 2020/beginning of 2021.

            The telecommunications sector has seen significant consolidation over the last 20 years - Huawei/ZTE COULD become the only two major players after 5G with the other players providing components in the larger solution if Huawei/ZTE don't produce them in-house.

            Would that create a security issue for western governments? Possibly. It would certainly create a strategic issue if western governments wanted to implement a blockade on China in the event of a Ukrainian-style invasion.

            But this is very much an economic issue (i.e. Huawei/ZTE become the dominant market players, with other vendors unable to justify the significant levels of investment to produce competing products) at present.

            1. Doctor Syntax Silver badge

              "with other vendors unable to justify the significant levels of investment to produce competing products"

              If other vendors face being pushed out of the market it didn't ought to be too difficult to justify the investment. Oh, silly me. We'll still be OK for a few more quarters without it and who looks further ahead than that?

              1. Anonymous Coward
                Anonymous Coward

                If Huawei win the bids that are likely to go their way from either incumbents or telcos unhappy with their existing vendor because the delays may make them less competitive, I would guess Huawei will get around 60%-75% of the 5G market.

                Aside from ZTE that is still growing, the other vendors are likely to struggle to recoup their 5G investment.

                6G will likely increase the required investment cost again and with dwindling revenues from 3G/4G support, committing to that will be tough. And without mobile, just how viable are the rest of the telecoms vendors' businesses?

  3. Anonymous Coward
    Anonymous Coward

    "Dear President Trump, we would like to extend a free year of credit monitoring to you...."

    1. Anonymous Coward
      Anonymous Coward

      "a free year of credit monitoring" sounds like an excellent means of obtaining his tax returns...

  4. GrapeBunch Bronze badge

    Lemon tree very pretty.

    1. Andrew Barr

      Correct horse battery staple

  5. Mark 85 Silver badge

    Why is it that they seem not to have "outside security consultants" to see if they're breachable? Costs and profits drive this behavior and the companies breached never seem to have any fallout. And so another day, another data breach and theft reported.....

  6. adnim Silver badge

    WTF

    They didn't know. A third party had to tell them?

    Did I misread the article?

    1. Nate Amsden Silver badge

      Re: WTF

      The article says the 3rd party was the FBI. So not surprising they didn't know if the FBI told them. I saw a stat a few years ago and it said something along the lines of intruders have network level access for on average about 190 days before being detected (stat was quoted by the then-CTO of Trend Micro). I think the number of days has been going up slightly as well in recent years.

      The one thing that the article doesn't specifically cover is how much/if any of the source code was taken. They say corporate network, I have no idea if that includes development stuff or not.

      Security is a hot topic these days but for the foreseeable future it will continue to be a losing battle for just about everyone (especially with state actors, APTs etc), not a game I'd like to play.

      1. John Savard Silver badge

        Re: WTF

        Actually, an information security firm Resecurity notified both Citrix and the FBI. Unless Citrix had hired them to have a look at their systems, it's rather surprising to me that Resecurity knew about this first.

        1. egreen99

          Not surprising to me

          Security people are often coming across hoards of data from other firms on the dark web while tracking down their own clients' lost data. They then report the intrusion to the FBI and to the company that this data comes from -- companies like Resecurity have friendly contacts within the FBI and in many corporate security departments for exactly that purpose. It's a fairly insular business where most of the major players know each other, share lattes and/or beers with each other on a regular basis at various conferences, etc., and most of the major players both in the independent consultancies and in the major corporations know each other.

          1. id3ego2

            Re: Not surprising to me

            And please let's remember this is a state-sponsored cyber-terrorist group -- they are being tracked by any major or minor security firm AROUND the world. So totally not surprising Resecurity came across the info...

  7. John Savard Silver badge

    Sensitive Data

    The sensitive data is presumably only in Iran.

    So the first step would be to cut all communications links to Iran, so no copies of the data can be sent out of the region.

    Then conduct a house-to-house search of the entire country. Of course, that will require inactivating the existing regime. But the United States has adequate tools to carry out that job.

    After all, it's not as if we were dealing with Russia or the People's Republic of China.

    So I fail to see the problem.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sensitive Data

      Oh. How cute. You think they need dial up to move a couple of TB of data. And that they could not move it next door with an SSD or use a sat link to bypass your country wide net cutoff?

      Do you also write letters to Santa?

      1. Craig 2

        Re: Sensitive Data

        Let this be a lesson on what happens when you think there's no need to use the joke icon. :)

        1. John Savard Silver badge

          Re: Sensitive Data

          I do recognize that regime change in Iran would present practical challenges. But since Iran is not a democracy, I don't see that taking down the country the way the police would take down the home of a suspected hacker poses a moral issue.

          The government of Iran has conspired to commit a breach of U.S. law on U.S. soil. Information which should not get into the wrong hands has gotten into the wrong hands. Correcting that would help send a message that might help to prevent it from happening again.

          1. Potemkine! Silver badge

            Re: Sensitive Data

            But since Iran is not a democracy, I don't see that taking down the country the way the police would take down the home of a suspected hacker poses a moral issue.

            US is not a democracy either, barely a plutocracy. So should other countries promote a regime change in the US?

        2. tip pc Bronze badge

          Re: Sensitive Data

          It'd be interesting to see how many American readers took that literally. I'm guessing somewhere north of 90%

        3. Anonymous Coward
          Anonymous Coward

          Re: Sensitive Data

          I'm still not convinced they are joking.

          Like flat earthers, hard to tell where their brain is broken.

      2. EH

        Re: Sensitive Data

        r/woosh?

        1. Doctor Syntax Silver badge

          Re: Sensitive Data

          "r/woosh?"

          Apparently not.

  8. Anonymous South African Coward Silver badge

    Wait, what?

    Citrix's own 2FA systems was not up to scratch to keep ne'er-do-wells out of their systems?

    Says a lot.

    1. Roland6 Silver badge

      Re: Wait, what?

      the FBI thinks it was by brute-forcing weak passwords

      Which would also suggest their account management policies are also not up to scratch.

      I mean, they did enable the standard OS processes to both guard against repeated failed login attempts and to flag such activity...

  9. Anonymous Coward
    Anonymous Coward

    Quote from January 25 1999 -- Twenty years ago

    "You have zero privacy anyway," Scott McNealy told a group of reporters and analysts Monday night at an event to launch his company's new Jini technology.

    "Get over it." Wired Magazine.

    ****

    At the time, it seemed that the industry might pay attention and DO SOMETHING ABOUT THE THREAT. Clearly not!

  10. Anonymous Coward
    Anonymous Coward

    Ah...those naughty Iranians...how dare they!

    Of course the NSA or GCHQ would NEVER do anything like that! For example, say, in Belgium:

    - https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    1. John Savard Silver badge

      Re: Ah...those naughty Iranians...how dare they!

      So? The United States and Britain are both nations with free elections, a free press, and the rule of law. Of course they have to have intelligence agencies to defend themselves against tyrannies like Hitler's Germany or Stalin's Russia. It's when tyrants use their spies to commit acts of aggression that it's wrong.

      1. EH

        Re: Ah...those naughty Iranians...how dare they!

        The elections are not free - they have to be bought.

      2. Doctor Syntax Silver badge

        Re: Ah...those naughty Iranians...how dare they!

        "Of course they have to have intelligence agencies to defend themselves against tyrannies like Hitler's Germany or Stalin's Russia."

        Your clock appears to be several decades slow.

  11. bazza Silver badge

    6+ Terabytes?

    Well, someone's got a nice fat Internet connection...

    1. TRT Silver badge

      Re: 6+ Terabytes?

      Well that's 6 TehranBytes of information now...

      1. bazza Silver badge
        Coat

        Re: 6+ Terabytes?

        I think you left this icon behind!

  12. Hans 1 Silver badge
    Joke

    At this point, Citrix reckons the intrusion was limited to its corporate network, and thus believes customer records and data were not stolen nor touched.

    Yeah, customer records and data are on some world-readable cloudy bucket, somewhere.

    1. Erik4872

      Citrix Cloud

      What will be very interesting to see is what happens with Citrix Cloud. Presumably with full access to the corporate network, there have been a bunch of secrets uncovered, including methods for accessing customer environments. Citrix has been trying extremely hard to get customers subscribing to its software and taking the next step and hosting the control plane in Citrix Cloud. I doubt this is even going to register with decision makers, but techies might think twice.

      There's no shortage of juicy targets...finding a zero day to access customers' environments would be a big win. Basically every hospital runs every Citrix product they ever released, and those Windows applications that XenApp/XenDesktop deliver tend to be line-of-business stuff where all the money and transactions are kept.

      Fighting against security issues is a losing battle. No one cares because it costs more money and makes everything more inconvenient. But, I guarantee the CEO of most companies has the password "12345" both on his luggage and his corporate AD account. I've worked in places where we have to carve out password policy exceptions for executives because they just don't care. It would take something like credit card processing being down for a month or Facebook being offline for a week to get normal people to sit up and notice this in the current environment.

      1. aks Bronze badge

        Re: Citrix Cloud

        This relates to Citrix but who believes that the issue is restricted to that cloud provider?

  13. _LC_
    Pirate

    Aren't you too embarrassed at some point to keep making headlines with propaganda like this?

    The Iranians, North Korea - whoever you point the finger at, isn’t it? Guess what? Nobody’s believing any of this anymore.

  14. carl0s

    Citrix knew about this on 2nd December

    Monday morning of 3rd December, all users of Citrix ShareFile, including clients of users, (e.g. every client of an accountancy firm that uses ShareFile to send secured emails to their clients) were unable to log in to ShareFile. Some of these users use ShareFile as their 'cloud network drive' (sigh), some just for sending secure emails, or rightsignature documents.

    After a while it became apparent that Citrix had forced a password reset for all accounts.

    Explanations from Citrix were at first missing altogether, and then those that did come were conflicting.

    My own opinion was that a data breach had happened and Citrix were not being open about it.

    https://www.reddit.com/r/Citrix/comments/a2qs6p/sharefile_password_resets/

    https://www.reddit.com/r/sysadmin/comments/a2ozk3/was_sharefile_citrix_compromised/

  15. Walter Bishop Silver badge
    Mushroom

    Remote-desktop giant hacked using remote-desktop software?

    Remote-desktop giant hacked using remote-desktop software and had to wait for the FBI to tell them about it. Why is it that these cyber criminals are only ever from one of China/Iran/North Korea ..

    1. Korev Silver badge
      Joke

      Re: Remote-desktop giant hacked using remote-desktop software?

      Do you think they're trying to Metaframe someone?

    2. tfewster Silver badge
      Facepalm

      Re: Remote-desktop giant hacked using remote-desktop software?

      I can believe China has the technical capabilities. Iran and North Korea, not so much* - but feel free to enlighten me. Except they're conveniently Anti-American and not big enough to be a threat in other ways.

      * It seems more likely that they're weak enough on CyberSecurity to allow them to be used frequently for false-flag operations.

  16. TRT Silver badge

    I'm trying to think of words to describe this...

    But I can only come up with "Ouch! Ooooooohhhh...."

    1. bazza Silver badge

      Re: I'm trying to think of words to describe this...

      Possibly even f***************************k...

  17. ChrisC
    Facepalm

    Citrix security turns out to be a lemon...

    And this is why some of us continue to adopt a "luddite" approach to embracing the wonders of The Cloud - as convenient as it can be to just stick stuff online and access it from wherever, sometimes it's just better to keep things local and do away with a) the need to have a reliable connection to the cloud service in order to get to your stuff and b) the need to rely on someone else's security policies to keep your own stuff safe.

  18. Roopee
    FAIL

    That would be the Citrix...

    ...that owns Duo Security...?

    1. Steven 1

      Re: That would be the Citrix...

      Errrr no I believe that would be Cisco.

  19. Dedobot

    Stuxnet was fun and games, now when the victim tries to retaliate in the same manner - oh! the horror :-)

    1. Anonymous Coward
      Anonymous Coward

      That's bullcrap. The perp wasn't Citrix.

      I don't care that they got hacked, but your comment displays fundamental cluelessness.

  20. Bucky 2

    A corporate network

    The term, "corporate network", used to mean a portion of the corporate network that doesn't include distribution, together with the "weak passwords" comment, makes me think it's only fancy offices that were affected.

    Full of business types who see network security strictly as a revenue stream.

    Such a situation wouldn't surprise me enough even to be disillusioned.

  21. Velv Silver badge
    Mushroom

    Just waiting to find out how the orange baboon turns this into a reason to nuke Iran. It’s “state sponsored warfare” after all.

  22. Pusle

    How do they know

    How can they tell it's this group? And how do they know it's backed by Iran? The hackers left a calling card in Farsi??

    1. Roland6 Silver badge

      Re: How do they know

      >How can they tell it's this group?

      Well, given the volume of data I suspect the relevant agency knew about the attack some while back. They've then been 'monitoring' communications to learn about tactics and targets and, having determined the group are based in Iran and thus beyond reach, have decided to inform people...

  23. joegwill

    citrix

    shitrix

  24. Compuserve User
    Go

    Will we see some competitive Citrix alternatives in the coming months?

    1. Anonymous Coward
      Anonymous Coward

      Citrix alternative

      There was one, vWorkspace. Originally by Provision Networks, bought by Quest, in turn bought by Dell. Once Dell bought EMC and a stake in VMWare, they killed it as it competed (too well) with VMWare Horizon.

      Shame as it was a decent product. Really easy to manage. It was also the first product that basically treated VDI as a single user terminal server and managed them both in exactly the same way. Citrix had two products for VDI and RDS, while VMWare just ignored RDS and tried to convince everyone that VDI was perfect for all scenarios. They have since both copied the vWorkspace approach.

    2. Neil Williams
      Linux

      Sun Secure Global Desktop

      Does Sun Secure Global Desktop still exist?

      Must be good, it has the word “secure” in the title ;-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Sun Secure Global Desktop

        I had to deploy that when it was still called Tarantella.

        I still have nightmares.

        1. _LC_
          Joke

          Re: Sun Secure Global Desktop

          Understandably:

          https://www.youtube.com/watch?v=CM-B_KL3PFI

        2. Anonymous Coward
          Anonymous Coward

          Re: Sun Secure Global Desktop

          Made in Leeds/Cambridge. Oh happy days (late nineties - mid noughties).

  25. ralpherns

    Password spraying is soaring these last months. Yesterday we received 243 attempts. Today we have already suffered 206. All coming from hacked systems using different offending IPs. All of them are now in our Offending IPs list. We do believe an effective online security begins with the best perimeter security.
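    The distinction the comment above draws (a few hundred attempts a day spread across many source IPs) and the "guard against repeated failed login attempts and flag such activity" point raised earlier in the thread, shown as an added example that is not code from the original thread or from any product named on this page. It classifies each source in a window as a password spray (many distinct users, few attempts each, so per-account lockout never trips) or a brute force (one account hammered past the lockout threshold), and separately lists the accounts that crossed the threshold. The log line format, the RFC 5737 documentation addresses, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, documentation IPs).
# 203.0.113.5 tries one guess against six accounts: a spray.
# 198.51.100.7 tries six guesses against one account: a brute force.
# 192.0.2.9 fails once, then succeeds: an ordinary typo.
SAMPLE_LOG = """\
2019-03-08T10:00:01Z auth failure user=alice src=203.0.113.5
2019-03-08T10:00:03Z auth failure user=bob src=203.0.113.5
2019-03-08T10:00:05Z auth failure user=carol src=203.0.113.5
2019-03-08T10:00:07Z auth failure user=dave src=203.0.113.5
2019-03-08T10:00:09Z auth failure user=erin src=203.0.113.5
2019-03-08T10:00:11Z auth failure user=frank src=203.0.113.5
2019-03-08T10:01:00Z auth failure user=alice src=198.51.100.7
2019-03-08T10:01:01Z auth failure user=alice src=198.51.100.7
2019-03-08T10:01:02Z auth failure user=alice src=198.51.100.7
2019-03-08T10:01:03Z auth failure user=alice src=198.51.100.7
2019-03-08T10:01:04Z auth failure user=alice src=198.51.100.7
2019-03-08T10:01:05Z auth failure user=alice src=198.51.100.7
2019-03-08T10:02:00Z auth failure user=grace src=192.0.2.9
2019-03-08T10:02:30Z auth success user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into (timestamp, result, user, src) tuples;
    lines in any other format are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def failures_in_window(events, window):
    """Failed logins in the trailing window ending at the most recent failure."""
    failures = [e for e in events if e[1] == "failure"]
    if not failures:
        return []
    start = max(e[0] for e in failures) - window
    return [e for e in failures if e[0] >= start]


def classify_sources(events, window=timedelta(minutes=10), spray_users=5, lockout_threshold=5):
    """Verdict per source IP. Thresholds are constructed values for this example."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _, _, user, src in failures_in_window(events, window):
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        worst_user = max(users.values())
        if worst_user >= lockout_threshold:
            verdicts[src] = "brute force"
        elif len(users) >= spray_users:
            # Many accounts, each below the lockout bar: the pattern per-account
            # lockout alone never catches.
            verdicts[src] = "password spray"
        else:
            verdicts[src] = "below thresholds"
    return verdicts


def users_over_threshold(events, window=timedelta(minutes=10), lockout_threshold=5):
    """Accounts whose failures across all sources reached the lockout threshold."""
    counts = defaultdict(int)
    for _, _, user, _ in failures_in_window(events, window):
        counts[user] += 1
    return {u: n for u, n in counts.items() if n >= lockout_threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, verdict in classify_sources(evts).items():
        print(f"{src:<14} {verdict}")
    print("accounts at lockout threshold:", users_over_threshold(evts))
```

    Counting distinct usernames per source is what makes a spray visible; counting failures per account (the standard OS lockout) sees one failure per account and stays silent. Both views are worth keeping, because the brute-force source in the sample only shows up in the per-account count.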

  26. Anonymous Coward
    Anonymous Coward

    Citrix is a security company

    It kind of sucks to have this happen when you are trying to position your company as a security company. How did this breach not get detected by the wonderful Citrix Analytics? So much for the Citrix Secure Gateway. If employee accounts were hacked then the hackers got access to admin accounts for Citrix Cloud and could have then accessed customer data. How embarrassing that Citrix had to be informed by the FBI that they had a breach.


Biting the hand that feeds IT © 1998–2019