Citrix provides update on alleged network compromise
Fermin J. Serna, Citrix
July 15, 2020
week a threat intelligence report circulated concerning claims made on
the dark web by a threat actor alleging compromise of the Citrix
network, exfiltration of data, and attempts to escalate privileges to
launch a ransomware attack.
Citrix continues to investigate those claims; however, we have no
evidence that the threat actor compromised the Citrix network. Rather,
all the evidence thus far indicates that the source of the data
referenced in the intelligence report is a third party.
This third party has been cooperative and responsive to our questions
and direction, and has taken immediate action to isolate from the
internet any Citrix-related data they may have. Once that action was
complete, the author of the threat intelligence report reported that the
threat actor’s unauthorized access was terminated. The third party is
now conducting its own investigation and remediation, and is committed
to keeping Citrix advised of any developments, and Citrix is ready to
assist as necessary.
To be clear, as it relates to this third party, there are several
compromise of this third party’s network does not provide a means into
the Citrix network, or a vector for a ransomware attack against Citrix.
This third party does not possess Citrix source code, highly sensitive
intellectual property, or passwords or other credential information.
The third party is only in possession of low-sensitivity business
contact information.
As recently as today, there
are reports of Citrix data for sale on the dark web. Based on our
investigation, the source of this data is the same third party
referenced above. Many of these reports today erroneously imply a Citrix
Citrix will continue to work with this third party during its
investigation, lending support as necessary, as well as ensuring all
appropriate disclosures are made.