Citrix Explores a Data Breach Incident After Customers' Data Is Found for Sale Online
Citrix is one of the biggest cloud computing and software companies in the world. Its products are used by government agencies and Fortune 500 companies across the globe, so it shouldn't really be a surprise that it often falls into the hackers' sights.
The first cybersecurity incident took place in 2015 when a hacker managed to compromise one of Citrix's content management servers. Thanks in part to the huge names in the company's list of clients, the news was covered extensively by the media, but in January 2016, the networking giant explained that no customer data was compromised.
Things were a bit different in March last year when Citrix disclosed another successful attack against its internal network. Using a technique called password spraying, hackers (who were allegedly linked to Iran) compromised some internal Citrix accounts and tried to exfiltrate data belonging to NASA and the FBI. Whether they succeeded remains unknown to this day.
On Tuesday, researchers working for a threat intelligence company called Under the Breach noticed that a cybercriminal was selling Citrix customer data on an underground forum, and they thought that they were in for a déjà vu moment.
A hacker sells 2 million Citrix customer records for $20,000
The researchers got in touch with the seller to find out more about the database. During a private conversation with the crooks, they learned that the database contained the names, phone numbers, email and physical addresses, and company names of 2 million Citrix customers. They were given a sample as proof that the data was real and were told that if they wanted the entire database, they would need to shell out 2.15 BTC, which is just under $20 thousand. When the researchers asked about the source of the data, the seller was adamant that it came from Citrix itself and not from a third party.
Elsewhere on the hacking forums, a threat actor was bragging about attacking Citrix as well. According to their posts, they had exfiltrated a lot of data from the company and were threatening it with a ransomware infection. Citrix, however, says that this isn't really the case.
According to Citrix, the hackers stole the data from a third party
On Tuesday, Fermin Serna, Citrix's Chief Information Security Officer (CISO), published a blog post in order to shed some light on the matter and dispel some of the hackers' claims. Serna said that the company is investigating all alerts that concern the security of its customers' data, but he also pointed out that it has so far seen "no evidence" of a compromise of Citrix's network.
The stolen records apparently come from a third party that works with Citrix. That third party knows about the incident and has already kicked the intruder out. The investigation might still be ongoing, but Serna is sure that the attackers couldn't have gained access to Citrix's network through the third party. He also pointed out that the only thing the hackers could have stolen is "low sensitivity business information." So far, the publicly available evidence seems to back Serna's words, but the real conclusions can only be drawn once all the facts are available.
Yet another organization discloses a third-party breach
The third party that suffered the breach remains unnamed for now, which isn't surprising given that the investigation isn't over yet. It has to be said, however, that Citrix isn't the only company disclosing a breach at a partnering service that processes its data.
Recently, LiveAuctioneers and Dunzo also reported leaks that happened because of an attack at a third-party data processing partner. Once again, the names of the breached organizations remain unknown, which means that we can't say whether there's a link between these incidents.
The LiveAuctioneers, Dunzo, and Citrix disclosures are so similar, and so close together in time, however, that we can't discount the possibility that they are connected.