Russian hacker w0rm attacks Citrix, claiming access to entire system and customer database

Notorious hacker w0rm claims to have hacked US software firm Citrix, with analysis from security pros warning the hacker has gained access to all of the firm's customers.

Russian hacker w0rm has gained access to Citrix’s entire administrative system including its remote assistance system, according to security firm Cyberint.

w0rm announced that it had entered the content management system on the Citrix network using an insecure password. That foothold gave the hacker the chance to exploit a series of security holes and gain access to the company’s administrative system, as well as its remote assistance system.

This allows potential attackers to bypass Citrix customers’ security systems and upload malware undetected.

Cyberint identified the hack in October, but received no response from Citrix despite repeated attempts to notify the firm. The hacker tweeted Citrix a link to its blog posting on 25 October 2015, but also did not receive any response.

Elad Ben-Meir, Cyberint’s vice president of marketing, said that analysis of w0rm’s attack has led Cyberint to conclude that the hacker managed to access all Citrix’s customers through the administrative system.

“Citrix offer a platform for remote assistance – [w0rm] could if he wanted to – but he didn’t actually use it, but if he wanted to he could penetrate every endpoint of Citrix customers out there,” Ben-Meir told SC Magazine.

“Essentially if he had wanted to, he could have put malware into every end user of every Citrix customer which then would allow it to either keylog the things the people type, he could steal sensitive information from those end points, or he could use those endpoints as a botnet to run DDoS attacks.

“A hacker that gains access to that amount of PCs is basically really powerful.”

Ben-Meir believes malware loaded on to users’ systems would be “undetectable” until the point when the attacker chose to activate malware or steal data.

He also warned that it is possible that the flaw has been exploited by other attackers before now.

w0rm has steadily garnered a reputation for itself over the last few years due to high-profile attacks on the BBC, CNET, Wall Street Journal and Vice, although the identity of the person or group behind w0rm remains unknown.

w0rm’s motive is also unclear, as in past cases the hacker did not ask for significant payouts and appeared to be running genuine penetration testing services.

However, it should be noted that w0rm still operates an online marketplace for stolen databases despite reported intentions to “raise awareness about security flaws”.

Photo © Ivan David Gomez Arce (CC BY 2.0). Cropped.
