Last week a threat intelligence report circulated concerning claims made on the dark web by a threat actor alleging compromise of the Citrix network, exfiltration of data, and attempts to escalate privileges to launch a ransomware attack.

Citrix continues to investigate those claims; however, we have no evidence that the threat actor compromised the Citrix network. Rather, all the evidence thus far indicates that the source of the data referenced in the intelligence report is a third party.

This third party has been cooperative and responsive to our questions and direction, and has taken immediate action to isolate from the internet any Citrix-related data they may have. Once that action was complete, the author of the threat intelligence report reported that the threat actor’s unauthorized access was terminated. The third party is now conducting its own investigation and remediation, and is committed to keeping Citrix advised of any developments, and Citrix is ready to assist as necessary.

To be clear, as it relates to this third party, there are several important points:

  • A compromise of this third party’s network does not provide a means into the Citrix network, or a vector for a ransomware attack against Citrix.
  • This third party does not possess Citrix source code, highly sensitive intellectual property, or passwords or other credential information.
  • The third party is only in possession of low-sensitivity business contact information.

As recently as today, there are reports of Citrix data for sale on the dark web. Based on our investigation, the source of this data is the same third party referenced above. Many of these reports today erroneously imply a Citrix compromise.

Citrix will continue to work with this third party during its investigation, lending support as necessary, as well as ensuring all appropriate disclosures are made.