Security Experts:

Citrix Says Sensitive Data Not Accessed in Breach

Hacker Breached Citrix Content Management System

Citrix came forward this week to explain that a hacker who gained access to a marketing content management server did not access customer data or other sensitive corporate information.

The issue was first made public in October 2015, when a Russian hacker called w0rm published a blog a post explaining how he managed to gain access to the content management system on the Citrix network. The hacker previously claimed attacks on the systems of BBC, Vice, and the Wall Street Journal and offering the stolen databases for cash.

Despite happening almost three months ago, the breach made it to the headlines only this week, when Citrix decided to offer its own perspective on the matter. In a blog post, the company confirmed the breach, but did not offer info on how it was possible, while the hacker explained in October that he managed to access the company’s system using username press[at] and password Citrix123.

Citrix is a software company focused on bringing together virtualization, mobility management, networking, and SaaS solutions. The company claims to be offering secure, mobile workspaces so that people can enjoy instant access to apps, desktops, data and communications on any device, over any network and cloud.

According to w0rm, who also published the information on the Antichat forum, the breach allowed him to exploit various security flaws to access the company's administrative system including the remote assistance system. Moreover, he claims that the privileges of the account he used to access Citrix allowed him to modify content and to make changes to the configuration of key services in the system in real time.

The hacker also published a series of screenshots suggesting that he was able to access user data on the compromised server and that he discovered system vulnerabilities that would allow a hacker inject HTML code and modify packages sent to users. He suggests that an attacker taking advantage of the security flaws in Citrix’ network would be able to compromise the company’s entire user base.

The hacker claims to have informed Citrix on the issue back in October and to have received no response from the software company, which determined him to go public with the findings. He also suggests that the idea behind the breach was to discover vulnerabilities in Citrix’ system and not to do harm.

According to Stan Black, Chief Security Officer at Citrix, the hacker indeed managed to breach a Citrix marketing content management server, but was not able to compromise customer data in any way. Black notes that the server was configured for easy access to web site content and marketing campaign materials and that it was used to stage content for the GoTo family of web sites.

He also says that no customer, employee or other sensitive or confidential information is stored on the compromised server, and that while anonymous access to content is available, it does not offer the necessary privileges to write metadata changes to production. The hacker was not able to modify production web site content, web server configurations, or access internal Citrix systems, he says.

Black also explains that the hacker identified both a password to a ShareFile account that contained images and marketing materials already made public, and an application programming interface token for the read-only rights to this ShareFile account. However, he notes that no customer, employee, or other sensitive or confidential data was exposed.

The company's CSO also says that the company has reconfigured the compromised server and changed the administrative passwords, and that they disabled the unused ShareFile account and revoked the read-only API key to this account. He also notes that the company does not have evidence that the hacker accessed other systems within Citrix’ network.

The incident, however, brings the issue of insecure or outdated corporate web applications back to the spotlight Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek in a statement.

In 2012, together with Frost & Sullivan, the company published a white paper explaining that insecure or outdated corporate web applications are involved in 4 out of 5 network intrusions. According to Kolochenko, however, few companies took made changes to their web application security priority in their risk strategies.

“People prefer to spend on mysterious APTs and other highly exaggerated threats, leaving main doors to their companies (web apps) open to everyone. We need to understand that modern web application is not just a website, but a direct access to internal and highly sensitive infrastructure,” Kolochenko said.

“The Citrix compromise is not even about weak passwords, it's about the catastrophic level of web security in general. Such business-critical web application shall never be accessible from the outside without IP fileting and Two Factor Authentication. I don't even speak about proper privilege segregation and access control within the application,” he added.

Kolochenko also noted that companies need to “wake up,” otherwise they would spend millions trying to prevent the wrong threats, while hackers would still be able to steal everything via forgotten web applications.

view counter