Back in March, remote desktop specialist Citrix admitted hackers had romped through its core systems, and had purloined internal business documents. Now we're finding out the intrusion was much worse than first thought.
A letter [PDF] to the California Attorney General this week, required by law following a hack of this nature, states that "international cyber criminals" had “intermittent access” to the American vendor's internal network for roughly five months, between October 13, 2018 and March 8, 2019. We're told the scumbags would have been able to siphon off personal information on current and former Citrix employees, as well as some of their relatives and beneficiaries.
"This information may have included, for example, names, Social Security numbers, and financial information," Citrix warned.
And in a statement earlier this month, the biz noted how it reckons the crooks broke into its staff network:
"We identified password spraying, a technique that exploits weak passwords, as the likely method by which the threat actors entered our network."
"We have taken measures to expel the threat actors from our systems. Additionally, we’ve performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols."
"We have found no indication that the threat actors discovered and exploited any vulnerabilities in our products or services to gain entry."
"Based upon the investigation to date, there is no indication that the security of any Citrix product or service was compromised by the threat actors ... Our investigation is ongoing, and it is a complex and dynamic process."
Given that the hackers managed to exfiltrate possibly as much as 6TB of data from Citrix's servers, that's a lot of potential for identity theft as well as corporate espionage. If you've worked for Citrix at any point, you could be at risk – but not to worry, because the biz has called in a white knight to protect its employees.
Well, white knight is pushing it. It's more of a heavily tarnished Halloween costume knight on a three-legged donkey. The protector Citrix has called on to provide free ID theft monitoring for its past and present staff is no less than, and nothing is less than, Equifax. You may remember Equifax as the credit-check agency looted by hackers in 2017: those crooks made off with the personal information of roughly 150 million Americans, Brits, and Canadians, thanks to Equifax's lax computer security.
Just as with Citrix, the miscreants who cracked Equifax like a fresh egg managed to spend months trawling through the agency's networks harvesting data. In the case of Equifax, hackers got in by exploiting an Apache Struts vulnerability, for which a patch was available but had not been applied by the company's IT team, and remained undetected thanks to an SSL certificate in the intrusion detection system that had expired ten months prior.
Nevertheless, Citrix has signed up its staff for a year's free credit monitoring using the oh-so-trusty Equifax. Sleep tight. ®