
Citrix Says Data Sold on Dark Web Comes From Third Party

Citrix on Wednesday denied claims that its systems had been breached, saying the information being sold on the dark web actually comes from a third party and is not very sensitive.

Data breach monitoring service Under the Breach reported on Tuesday that a threat actor was offering to sell a database containing information on 2 million users. The data was allegedly obtained after breaching Citrix systems and the asking price was $20,000.

Screenshots posted by Under the Breach show that the database apparently includes names, phone numbers, email addresses, company names, and physical addresses.

In a blog post published on Wednesday, Citrix’s CISO, Fermin Serna, said the threat actor claimed to have breached the company’s network, exfiltrated data, and attempted to elevate privileges in an effort to launch a ransomware attack.

However, Serna claims that none of this is true and the data actually comes from a third party. Citrix has found no evidence that its systems have been compromised, and pointed out that hackers couldn’t have moved from the third party’s network to its own systems.

“This third party has been cooperative and responsive to our questions and direction, and has taken immediate action to isolate from the internet any Citrix related data they may have,” Serna said. “The third party is now conducting its own investigation and remediation, and is committed to keeping Citrix advised of any developments, and Citrix is ready to assist as necessary.”

Citrix’s CISO also highlighted that the impacted third party does not possess any Citrix source code or other highly sensitive intellectual property. He claims that the third party only has some “low sensitivity business contact information” that does not include passwords or other credentials.

Citrix did confirm suffering some data breaches in the past. In 2016, the company admitted that one of its marketing servers was breached the previous year, but said no customer data or other sensitive corporate information was compromised.

A more serious incident was disclosed last year, when the software giant confirmed that hackers had access to its network between October 2018 and March 2019. That attack, which the FBI attributed to an international cybercrime group, resulted in the theft of various types of information, including business documents and employee personal and financial information.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.