Supply Chain – The Major Target of Cyberespionage Groups
Resecurity has shared the acquired intelligence with law enforcement and partners for mitigation.
Friday, December 28, 2018 at 10:25 AM – Resecurity reached out to Citrix and shared an early warning notification about a targeted attack and data breach. Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period.
The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting against government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy.
Based our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct a targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.
The arsenal of IRIDIUM includes proprietary techniques allowing to bypass 2FA authorization for critical applications and services for further unauthorized access to VPN (Virtual Private Networks) channels and SSO (Single Sign-On).
We forecast a continued growth of targeted cyber-attacks on supply chains of government and large enterprises organized by state-actors and sophisticated cyberespionage groups.
Updated (4:49 PM Monday, March 11, 2019 PDT)
Below are the indicators of IRIDIUM activity available for disclosure (for today). We will update the list with new information once it becomes available.
We would like to thank the following organizations for their timely assistance and collaboration regarding the malicious network activity during the Winter 2018 period: DHL, NBC (National Bank of Canada), Skrill, PayPal and Canadian Centre for Cyber Security.
18.104.22.168 – Canada (VPN)
22.214.171.124 – USA (VPN)
126.96.36.199 – Poland
188.8.131.52 – Germany
184.108.40.206 – France (Nov 29, 2018)
220.127.116.11 – France (Dec 7, 2018) x 3 times
18.104.22.168 – Germany (Dec 7, 2018) x 5 times
(The list will be updated)
Updated (5:09 PM Monday, March 11, 2019 PDT)
The Global Access List (GAL) acquired as the result of password-spraying (on Citrix employee accounts), which is a type of attack for brute-forcing and credential-stuffing, includes 31,738 records. The threat actors leveraged it for further reconnaissance and accounts compromise. Based on our analysis, one of these elevated actions was conducted on Monday, October 15, 2018 at 1:57 AM.
Password-spraying was one of the most commonly used techniques by Mabna Institute hackers and their associates during the early stage of the attacks to gain a foothold in the victim’s environment. More information about their techniques is available in FBI Flash Alert (ME-000092-TT):
- Leveraging the initial group of compromised accounts, download the Global Address List (GAL) from a target’s email client, and perform a larger password spray against legitimate accounts.
- Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol or other means) within the network, and perform mass data exfiltration.
Updated (8:55 PM Monday, March 11, 2019 PDT)
As a result, threat actors conducted network intrusion to access data in Citrix infrastructure remotely.
– Azure AD and ADFS best practices: Defending against password spray attacks
– Spray you, spray me: defending against password spraying attacks