Citrix denies dark web claim of network compromise and ransomware attack
Says third party holding some business contact information has had trouble but its own infrastructure remains safe
Citrix has taken the unusual step of rebutting dark web discourse that alleges its networks have been compromised.
A Wednesday post penned by CISO Fermin J Serna says the company is aware of a "threat intelligence report circulated concerning claims made on the dark web by a threat actor alleging compromise of the Citrix network, exfiltration of data, and attempts to escalate privileges to launch a ransomware attack."
Serna said Citrix is investigating the claims but has found "no evidence that the threat actor compromised the Citrix network."
"Rather, all the evidence thus far indicates that the source of the data referenced in the intelligence report is a third party."
That third party does, however, have some Citrix-related data. Serna described that data as "low sensitivity business contact information."
"This third party has been cooperative and responsive to our questions and direction, and has taken immediate action to isolate from the internet any Citrix related data they may have," Serna added. "Once that action was complete, the author of the threat intelligence report reported that the threat actor's unauthorized access was terminated. The third party is now conducting its own investigation and remediation, and is committed to keeping Citrix advised of any developments, and Citrix is ready to assist as necessary."
Citrix has had a tough time of it on the security front lately, with its SD-WAN and Gateway products recently found to feature nasty flaws, and a major data leak in 2019 that was later revealed to be the result of a five-month breach of the company's infrastructure.
Little wonder, then, that Serna has moved to quickly quash the new allegations of compromise.
"As recently as today, there are reports of Citrix data for sale on the dark web," the CISO added, before reinforcing that "based on our investigation, the source of this data is the same third party referenced above. Many of these reports today erroneously imply a Citrix compromise." ®