Iranian Group Stole 6TBs of data from Citrix (Mar 11, 2019)

"IRIDIUM," an Iranian-related threat group has been attributed to a cyber espionage campaign against governmental organisations, oil and gas, and technology sectors that resulted in 6 terabytes (TB) of data being stolen from the software company, "Citrix." According to researchers from the company, "Resecurity," the attack occurred around Christmas 2018 and used "proprietary techniques designed to bypass two-factor authentication systems, and methods to access VPNs and single sign-on (SSO)." Information stolen includes e-mail correspondence, files in network shares, and other services used for project management and procurement.

Recommendation: While it is unclear how the threat group obtained access to the networks, it is believed they may have password-sprayed various accounts. Password spraying succeeds when many users choose weak passwords and is closely related to brute-force attacks. It is crucial to use secure, strong passwords and to ensure that you do not reuse the same password across multiple accounts. Networks should be segmented to prevent an unauthorised user from gaining access to the full system.
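Because spraying touches many accounts with only a few attempts each, it slips past per-account lockout but is visible when failures are grouped by source. The following detector is an added example, not code from the briefing or from Resecurity; the log format, field names, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the original briefing): flag password spraying by
# grouping failed logins per source and looking for many distinct accounts
# with few attempts each inside one time window. Log format is assumed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp user src_ip result"
SAMPLE_LOG = """\
2018-12-24T02:00:01 alice 203.0.113.7 FAIL
2018-12-24T02:00:04 bob 203.0.113.7 FAIL
2018-12-24T02:00:08 carol 203.0.113.7 FAIL
2018-12-24T02:00:12 dave 203.0.113.7 FAIL
2018-12-24T02:00:15 erin 203.0.113.7 FAIL
2018-12-24T02:00:19 frank 203.0.113.7 SUCCESS
2018-12-24T02:01:00 alice 198.51.100.9 FAIL
2018-12-24T02:01:05 alice 198.51.100.9 FAIL
2018-12-24T02:01:10 alice 198.51.100.9 SUCCESS
"""

def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: {"sprayed": [users], "succeeded": [users]}} for sources
    that failed against >= min_users distinct accounts, each at most
    max_per_user times, within one sliding window. A classic brute force
    (many failures on a single account) is deliberately not flagged here."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, src, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(u for _, u in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from a sprayed source is the first account to triage.
                alerts[src] = {"sprayed": sorted(per_user),
                               "succeeded": sorted({u for _, u in successes[src]})}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

On the sample, 203.0.113.7 is flagged (five accounts, one failure each, then a success as frank), while 198.51.100.9 is a normal user retrying a single account and is not.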

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.