Bad Day for Citrix…

On March 8, it was confirmed through a statement posted by Citrix that the company’s internal network had been breached by hackers who had used password spraying, successfully using a short list of passwords on a wide range of systems to eventually identify credentials that worked. Apparently, the attackers made off with 6 TB to 10 TB of data from internal systems.

It wasn’t a surprise to hear that Citrix initially found out about the breach from law enforcement (specifically the FBI) on March 6 that it had evidence that Citrix had potentially been breached. I think the stats are still pretty high regarding organizations that are informed regarding a potential breach by law enforcement. Specifically when they are gathering intelligence on some organized crime campaign or some other organization that had been breach and come across evidence such as source IPs to indicate another organization was also hacked.

As per folks at Citrix, the attackers appear to have downloaded business documents, but the company said it’s not sure which data was breached. “At this time, there is no indication that the security of any Citrix product or service was compromised,” Stan Black, Citrix CSIO.

Interestingly enough, security firm Resecurity claims that the attack against Citrix began on October 15, 2018, used a list of nearly 32,000 user accounts, and is connected to Iranian interests.  Resecurity claim, the Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies including Citrix.

Resecurity has provided a number of IOCs, including the following IPs:

Source IPs:

  • 178.131.21[].19[] (Iran)
  • 5.115.23[].11[] (Iran)
  • 5.52.14[].23[] (Iran)

Used proxies:

  • – Canada (VPN)
  • – USA (VPN)
  • – Poland
  • – Germany
  • – France (Nov 29, 2018)
  • – France (Dec 7, 2018) x 3 times
  • – Germany (Dec 7, 2018) x 5 times

To read the complete Resecurity blog post, which is quote good and full of great IOCs, please visit –


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.