On March 8, it was confirmed through a statement posted by Citrix that the company’s internal network had been breached by hackers who had used password spraying, successfully using a short list of passwords on a wide range of systems to eventually identify credentials that worked. Apparently, the attackers made off with 6 TB to 10 TB of data from internal systems.
It wasn’t a surprise to hear that Citrix initially found out about the breach from law enforcement: on March 6, the FBI told Citrix that it had evidence that Citrix had potentially been breached. I think the stats are still pretty high regarding organizations that are informed of a potential breach by law enforcement, specifically when law enforcement is gathering intelligence on some organized crime campaign or some other organization that had been breached and comes across evidence, such as source IPs, indicating that another organization was also hacked.
As per folks at Citrix, the attackers appear to have downloaded business documents, but the company said it’s not sure which data was breached. “At this time, there is no indication that the security of any Citrix product or service was compromised,” said Stan Black, Citrix CSIO.
Interestingly enough, security firm Resecurity claims that the attack against Citrix began on October 15, 2018, used a list of nearly 32,000 user accounts, and is connected to Iranian interests. Resecurity claims that the Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies, and technology companies, including Citrix.
Resecurity has provided a number of IOCs, including the following IPs:
Hello All. Looks like Macy’s is the latest retailer to get hit by cyber criminals. Macy’s mentioned last week that attackers had obtained the names and passwords of some customers and may even have gained access to their credit card numbers and expiration dates, though not the CVV2 codes, which it does not store. Macy’s claims that the breach was small in scale, only affecting approx. 0.5% of customers registered on macys.com or bloomingdales.com. The breach apparently occurred between April 26 and June 10. On June 11, Macy’s detected the suspicious activity and soon after blocked the profiles in question. Macy’s said it has contacted the affected customers and will provide consumer protection services free of charge.
Retail breaches have kept coming since Target and Home Depot years ago: Adidas a few weeks ago, HBC (Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores), and companies hit in the last year such as Sears and Kmart, Whole Foods, and Under Armour. It doesn’t look like there is any end to the breaches, and it looks like organizations aren’t implementing strong enough controls to protect the valuable customer data they are custodians of.
As per the US DHS Office of Inspector General (OIG), in what they are referring to as a “privacy incident” identified in May 2017, DHS has been hit with an insider breach which has resulted in the leak of data on approximately 247,167 current and former DHS employees. It also included an unspecified number of subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014. The data was found on the home computers of one of the three identified insiders.
The data included:
Names, Social Security numbers, dates of birth, positions, grades, and duty stations of the employees, and
Names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, and addresses of individuals associated with investigations, as well as any personal information they provided in interviews with DHS OIG investigative agents.
According to the OIG, “the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.”
The folks at DHS have noted that they did not send out the notices before December 2017 because “the investigation was complex given its close connection to an ongoing criminal investigation.” Essentially, it took them until November to finish the forensic analysis of the compromised data and assess the risk to affected individuals.
Hello All. So the news is making the rounds. Not only did Uber get breached in 2016 affecting 57 million users, but they covered it up by paying the hackers responsible $100,000 to keep quiet and destroy any evidence of the event.
Uber acknowledged on Tuesday that two individuals in October 2016 had accessed and downloaded data on 57 million Uber riders and drivers that was stored in a third-party infrastructure system. The company says none of its own systems were breached.
As part of the cyber-attack, the names and driver license numbers of around 600,000 drivers were accessed, according to Uber. 57 million Uber users also had their information exposed, including names, emails, and mobile phone numbers, the company said in a blog post. Uber said other personal information, including trip details or credit card information, was not accessed.