Citrix Discloses Security Breach of Internal Network

Citrix disclosed today a security breach during which hackers accessed the company's internal network. In a short statement posted on its blog, Citrix Chief Security Information Officer Stan Black said Citrix found out about the hack from the FBI earlier this week. From a report: "On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network," Black said. "While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security," the Citrix exec added. Black said hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had been stolen at the time of his announcement today.

My work slogan: Citrix is a bad idea.

[jellomizer]

I know Citrix is a godsend for people who have to deal with Software Deployment and updates. But it is really just a gross hack to make software accessible over the network that were never designed to be such. On most Citrix Setups I am able to get more access to apps that I wasn't given permission for. Mostly due to the fact that Windows security wasn't designed for Citrix in mind. A right click here, view file path, or a help file that opens IE. I now have access to applications on the server that I wasn't really meant to have.

If you think Citrix is a good idea, then you probably should be looking at different software, such as more Web Based (HTML) Application. Because you will be better off.

Re:My work slogan: Citrix is a bad idea.

Sometimes Citrix is the answer because there's some dogshit legacy app that you're stuck with. It's not a good idea, it's just barely tolerable.

Re:My work slogan: Citrix is a bad idea.

That is my work slogan too.
I work for VMware ;0

Re:My work slogan: Citrix is a bad idea.

[CaptainDork]

Another cute trick is to disable the goddam network card.

I did that a lot and the custodians were never aware.

It created a lot of problems and a few techs tightened things up and accidentally protected the card, but most never learned.

Re:My work slogan: Citrix is a bad idea.

[gweihir]

Oh? I use SSH for remote development and updates. Citrix is a symptom of an inferior system that is unsuitable for professional work.

Re:My work slogan: Citrix is a bad idea.

We implemented Citrix at work and it's a giant Piece of SHIT! Of course it's how it was implemented I'm sure. They have had all kinds of issues with it. They brought in a consultant to help out. He told them they needed to tear it all down and start all over again. He was told they didn't want to do that and wanted the consultant to "clean up the mess" and just make it work. The Consultant told them there was no way in hell he was going to try to make the thing work as it will never work properly. He promptly left for a different contract....

Re:My work slogan: Citrix is a bad idea.

Sometimes Citrix is the answer because there's some dogshit legacy app that you're stuck with. It's not a good idea, it's just barely tolerable.

Where I worked we used Citrix because we had several apps that required IE6. We didn't want IE6 on any user's desktop, much less on all 15,000 desktops. You can lock down the server hosting the IE6 app in ways that you could never do to a general purpose user's desktop.
It's also great if you have multiple apps from multiple vendors that each had a strict requirement for some specific JAVA version, but no two apps seemed to want the same version. And the required version was constantly changed with updates, but they never seemed to require the most recent JAVA. Just put each app on its own Citrix Server, it's a heck of a lot easier than keeping track of JAVA versions on all the desktops.

That being said, Citrix sucked on 32 bit servers due to Windows resource constraints such as GDI table sizes. I well understand Citrix hatred from people who had to support Citrix in the 32bit days.

Re:My work slogan: Citrix is a bad idea.

Oh? I use SSH for remote development and updates. Citrix is a symptom of an inferior system that is unsuitable for professional work.

Using Citrix for remote development and updates? It sounds like you're just using it for a remote desktop. That's actually retarded.

Re: My work slogan: Citrix is a bad idea.

Citrix or regular fat client, you need 3rd party application control and privilege management to lock down desktops and published apps properly. Citrix VAD is the image management and remoting protocol solution. And it can be great solution (yes I work with Citrix products as a consultant ;-) for sure). More like Windows security wasn't designed for security :p

Re: My work slogan: Citrix is a bad idea.

[jellomizer]

Citrix is a hack for a bad development model that was popular during the 1990s.

Re:My work slogan: Citrix is a bad idea.

[TheRealMindChild]

Windows security wasn't designed for Citrix in mind

Not arguing the usefulness or effectiveness of Citrix software, but Citrix is responsible for Windows Terminal Services and has been since NT4. They wrote it. It is very much part of Windows and pretty much always has been

Re:My work slogan: Citrix is a bad idea.

I use SSH for remote development and updates. Citrix is a symptom of an inferior system that is unsuitable for professional work.

How is the ASCII porn business doing these days?

Re:My work slogan: Citrix is a bad idea.

[DarthVain]

As someone that's done all that for the last 20 years for apps that have been around for 20 year prior to me, "tolerable" perhaps in the modern sense, but in comparison the the "dogshit legacy app" it might be considered considerably more. Citrix is a vast improvement over what existed, which perhaps isn't saying much, but still.

That said, to the previous poster, yes I've seen the security stuff first hand. I don't exactly advertise it to users, but it's there, every now and again I accidentally "oh hello there server I'm not supposed to have access to". Users I'm sure randomly save garbage there by accident and then get confused when they can't find it locally.

Another weird Citrix thing I've noticed is it apparently doesn't really like when users have multiple monitor setups with different resolutions... Gets pretty wacky if you do.

Anyway as the local "legacy app guy" its a stopgap measure for sure to actually replacing the apps with something a bit less "vintage", however in almost all cases that takes a ton of time, effort, and money and if you have a lot of them not really something to can do easily never mind all at once. As the parent posted, I remember having to manage local installations for a very large organization with this legacy stuff and evolving technology and it was a real nightmare, never mind trying to get development releases out to at least have the thin veneer of keeping those apps somewhat "modernized" or at least useful. Just having total control over the environment is a pretty big deal by comparison...

Lastly, yes while the Citrix security is a bit iffy, it actually improves real security by simply being a man in the middle. Previous with local installs of these sorts of apps, if you knew what you were doing, you could find all the direct connection details in your local TNS and INI files if you knew where to look, now at least that stuff isn't stored locally anymore (You'd have to take the extra step of bypassing the Citrix security also lol, which I know doesn't sound like much, but it kinda is as it was just sitting all right there for anyone to see if they really wanted to)...

Citrix ...

[CaptainDork]

... didn't know they had been hacked and, when informed that they were breached, didn't know what the hackers got.

Clueless.

Re:Citrix ...

[gweihir]

And they were apparently compromised because somebody from outside got in using a weak password. Criminally negligent is what I call that.

Why would anybody hack Citrix?

[gweihir]

They have nothing of value to steal. Must have been a practice attack or somebody that was forced to user their products and wants revenge for that.

Ext4 log

If Citrix used ext4, they would have a log of which files were accessed, and when. Actually Linux provides that information no matter what the file system is. The system administrators must be fairly incompetent not to be able to recapture that information.

For security on a PRIVATE lease-line? apk

For security on a PRIVATE lease-line (e.g. fractional T1 etc.)? More secure vs. "over-the-public web" transit by far. I did a few enterprise class apps in MSVC++, Delphi & VB over Citrix in my time circa 1994-2000 for Fortune 500's on down who used that method & it worked.

* Are there "catch-22"'s vs. "normal code"? Yes. Multi-user ALMOST killed the original project since it was "new to us" (even my senior dev) & the 'fixes' CITRIX provides to 'offset' it didn't work that well - even using "bad-boy user" separate switches JAMMED UP when the load got heavy - so I looked @ how the driver & middleware was done & like MOST ALL DRIVERS? No time-slice back to CPU for "best performance" - yea, until a large multi-user load occurs.

A sleep API call (vs. say Application.Processmessages in Delphi or DoEvents in VB, ODDLY despite they using 'sleep' internally in THEIR code? Didn't work - had to use SLEEP API CALL DIRECTLY in loops).

Cut CPU overuse from 90% lockup on clients down to 1-2%... saved the day.

APK

P.S.=> Some "Food 4 Thought" that to any of you that may end up coding around it - it works... apk

Re: For security on a PRIVATE lease-line? apk

What the fuck are you on about? How does this have any relevance to weak passwords and single factor authn from the internet? Retard.

Re: Protect yourself from these attacks.

Password spraying. The big kind.
Powerful. Sophisticated.
That is all.

About CITRIX coding/above YOUR dim head

See subject DOLT: It's for those coding on it in reply to parent it is a GOOD TIP that works unlike YOUR troll horseshit off-topic COMPLETELY you dolt do-nothing UNSKILLED & UNEDUCATED moron... menial!

Do YOU design ENTERPRISE CLASS CODE? I did for damn near 24++ yrs., asshole. That will SAVE projects on CITRIX code to DB engines!

* LOL! I mean, please - just READING your bs made me laugh & clued me into the FACT - you've NEVER done that level of work.

(Clearly, ALSO - You didn't read who I replied to, what they mention & yes I am ALL about the TOPIC in Citrix itself as well, asshole... he spoke of SOFTWARE DESIGN (something way, Way, WAY above your DOLTISH MENIAL so-called 'brain'))

APK

P.S.=> Above all ELSE you fucking know-nothing PEON - grow up! apk

Re: About CITRIX coding/above YOUR dim head

Angry idiot man knows nothing.... news at 11.

Re: About CITRIX coding/above YOUR dim head

You must be talking about the fool APK replied to OR yourself, projecting your own inadequacy.

At least they didn't use the "//" password attack!

Early Citrix systems were added the feature of changing one's password at login. Just type the password, then "/", then the new password, then "/" (then the new password again? I forget). Anyway, it had the bug where it didn't check that the old password was correct! So, one could log in to the admin account with a password of "//" and gain full access, then change the password using the normal tools once in.

This demonstrates why "blindly adding features" can lead to security risks. There's no good reason to allow users to change their password at login time.

"Been there/done that" hope THIS helps... apk

See subject & https://it.slashdot.org/commen...

APK

The REAL DEAL you menial DOLT... apk

See subject: MINUS guys like ME that BUILD software (good software, "God don't make no junk" & neither does "The Lord of hosts" so-to-speak in myself)? You're FUCKING USELESS menial CRETINS!

* FACT motherfucker, so STFU, fool...

APK

P.S.=> In fact, I'd almost GUARANTEE what I put out https://it.slashdot.org/commen... will overcome objections to CITRIX use in communicating w/ DB engines over CITRIX in a multi-user scenario over CITRIX & WHY, shitbrain FUCK you are, asshole (pitiful is what you are)... apk

Re: The REAL DEAL you menial DOLT... apk

Lol, never give up APK. Never give up. We support you. The silent majority.

Idiot? Prove you can do better than this... apk

See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency)

APK

P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

The best hosts file prevents ALL breaches... apk

See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency)

APK

P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

How to secure a PRIVATE lease-line... apk

See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency)

APK

P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

My work will help you, too... apk

See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency)

APK

P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

Still IMPERSONATING me JEALOUS "Lil' Jowie"?

MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

HILARIOUS u ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU have ISSUES, lunatic.

See subject & that's the "best ya got"? It proves You WISH you were ME (as your POOR imitation = the sincerest form of flattery).

Instead of WASTING your life STALKING me by UNIDENTIFIABLE anonymous posts OR IMPERSONATING me (since you WISH you were me)? Make a Wheel https://isc.sans.edu/forums/di... as I have that gives users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' out there!

* LASTLY - the ONLY time you start IMPERSONATING me vs. STALKING me by UNIDENTIFIABLE anon posts is WHEN YOU ARE OUT OF "downmodpoints" I can easily NULLIFY by REPOSTING my posts RUNNING YOU DRY of them after you ABUSE them - I must've already, lol!

APK

P.S.=> I know WHY you do it though (out of "butthurt angst", lol): I've BLOWN YOU AWAY so many times under your MANY alter-ego SOCKPUPPET /. accounts FAKENAMES you're out for "revenge" only to have EGG ON YOUR FACE yet again https://tech.slashdot.org/comm... + STILL YET AGAIN, lol https://it.slashdot.org/commen... ... apk

Re: Still IMPERSONATING me JEALOUS "Lil' Jowie"?

You still sucking trucker cock or what?

Re: Still IMPERSONATING me JEALOUS "Lil' Jowie"?

He doesn't. You do yourself practically admitting it.

Still IMPERSONATING me JEALOUS "Lil' Jowie"?

MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

HILARIOUS u ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU have ISSUES, lunatic.

See subject & that's the "best ya got"? It proves You WISH you were ME (as your POOR imitation = the sincerest form of flattery).

Instead of WASTING your life STALKING me by UNIDENTIFIABLE anonymous posts OR IMPERSONATING me (since you WISH you were me)? Make a Wheel https://isc.sans.edu/forums/di... as I have that gives users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' out there!

* LASTLY - the ONLY time you start IMPERSONATING me vs. STALKING me by UNIDENTIFIABLE anon posts is WHEN YOU ARE OUT OF "downmodpoints" I can easily NULLIFY by REPOSTING my posts RUNNING YOU DRY of them after you ABUSE them - I must've already!

APK

P.S.=> I know WHY you do it though (out of "butthurt angst", lol): I've BLOWN YOU AWAY so many times under your MANY alter-ego SOCKPUPPET /. accounts FAKENAMES you're out for "revenge" only to have EGG ON YOUR FACE yet again https://tech.slashdot.org/comm... + STILL YET AGAIN, lol https://it.slashdot.org/commen... ... apk

Still IMPERSONATING me JEALOUS "Lil' Jowie"?

MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

HILARIOUS u ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU have ISSUES, lunatic.

See subject & that's the "best ya got"? It proves You WISH you were ME (as your POOR imitation = the sincerest form of flattery).

Instead of WASTING your life STALKING me by UNIDENTIFIABLE anonymous posts OR IMPERSONATING me (since you WISH you were me)? Make a Wheel https://isc.sans.edu/forums/di... as I have that gives users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' out there!

* LASTLY - the ONLY time you start IMPERSONATING me vs. STALKING me by UNIDENTIFIABLE anon posts is WHEN YOU ARE OUT OF "downmodpoints" I can easily NULLIFY by REPOSTING my posts RUNNING YOU DRY of them after you ABUSE them - I must've already, lol!

APK

P.S.=> I know WHY you do it though (out of "butthurt angst", lol): I've BLOWN YOU AWAY so many times under your MANY alter-ego SOCKPUPPET /. accounts FAKENAMES you're out for "revenge" only to have EGG ON YOUR FACE yet again https://tech.slashdot.org/comm... + STILL YET AGAIN, lol https://it.slashdot.org/commen... ... apk

Still IMPERSONATING me JEALOUS "Lil' Jowie"?

MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

HILARIOUS u ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU have ISSUES, lunatic.

See subject & that's the "best ya got"? It proves You WISH you were ME (as your POOR imitation = the sincerest form of flattery).

Instead of WASTING your life STALKING me by UNIDENTIFIABLE anonymous posts OR IMPERSONATING me (since you WISH you were me)? Make a Wheel https://isc.sans.edu/forums/di... as I have that gives users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' out there!

* LASTLY - the ONLY time you start IMPERSONATING me vs. STALKING me by UNIDENTIFIABLE anon posts is WHEN YOU ARE OUT OF "downmodpoints" I can easily NULLIFY by REPOSTING my posts RUNNING YOU DRY of them after you ABUSE them - I must've already, lol!

APK

P.S.=> I know WHY you do it though (out of "butthurt angst", lol): I've BLOWN YOU AWAY so many times under your MANY alter-ego SOCKPUPPET /. accounts FAKENAMES you're out for "revenge" only to have EGG ON YOUR FACE yet again https://tech.slashdot.org/comm... + STILL YET AGAIN, lol https://it.slashdot.org/commen... ... apk

Apparently Slashdot Doesn't Know

Judging by the comments so far, apparently Slashdot still thinks that Citrix on only does a Windows Remote Desktop product, and doesn't know that Citrix does a whole fleet of products that this breach is very problematic for.

GoToMyPC
GoToMeeting
GoToWebinar
Citrix Hypervisor(XenServer)
Citrix Netscaler Gateway
Citrix Web App Firewall ... and yes Citrix Virtual Apps And Desktop(formerly XenApp, formerly Citrix terminal server.

A Citrix breach is a big fucking deal, especially when it wasn't self-discovered and they don't even know what was accessed yet.

Hey: I don't even have to TRY hard... apk

See subject & me vs. SELF-defeating dolts e.g. https://tech.slashdot.org/comm... + https://it.slashdot.org/commen... + https://yro.slashdot.org/comme...

* Take a read of my replies to morons STALKING me by UNIDENTIFIABLE anonymous (or IMPERSONATING me lying/libeling me too) - you judge.

APK

P.S.=> That's only RECENTLY mind you - I've literally 100's more bookmarked showing how STUPID they are vs. me... apk

Think for yourself

Based on the 'history' with the FBI, we only know One Fact: They Always Lie and catch no one.

Occams razor suggests some FBI chimp did something stupid and the FBI contacted Citrix before Citrix figured it out.
Because that is on par with the rest of the crap we hear about which actually happened, and Citrix probably has nothing that another company would try to steal.

If FBI, CIA, NSA, or homeland security are involved, it is an operation against YOU the citizens.
You Have Never, and Will Never receive any benefit from all the illegitimate government agencies.