6 Lessons Learned From The Citrix Breach

Details of the password spraying cyber attack and what enterprises can do about it




On March 6, 2019, the FBI contacted Citrix to advise that it had reason to believe international cyber criminals had gained access to the internal Citrix network, according to Stan Black, CISSP and the CSIO of Citrix.

He wrote in a blog that “Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”

He also wrote that Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. “In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”

Password “Spraying” Cyber Attack

While the FBI is still investigating the details, thehackernews.com reported that the Iranian-backed Iridium hacker group hit Citrix in December last year and again this time, stealing at least 6 terabytes of sensitive internal files, including emails, blueprints, and other documents.

The Iranian-linked hacking group was also behind recent cyber attacks against more than 200 government agencies worldwide, oil and gas companies, technology companies and other targets.

The hacker group’s proprietary techniques include bypassing multi-factor authentication for critical applications and services to gain further unauthorized access to VPN channels and SSO (Single Sign-On).

“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised,” said Black.

Again, while not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they had gained a foothold with limited access, they worked to circumvent additional layers of security.

The Possible Implications

Resecurity said in a blog post, “The massive data breach at Citrix has been identified as a part of a sophisticated cyber espionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy.”

This has been a hot topic in recent Task Force 7 Radio episodes, where host George Rettas often poses the question, “What’s it going to take for cyber security to be taken seriously before there’s a loss of life event?”

For example, it has been 17 months since the Equifax breach — where the data of 143 million people vanished. CSO of BitGo Tom Pageler believes that either a really strong organized crime syndicate (such as in the case of Citrix) is involved, or a “nation state has done this to help them build up a database on who we all are.”


While what became of the Equifax data remains a mystery, as it does for Citrix, the Citrix incident could be quite serious: Citrix provides virtual private network access and credentials to 400,000 companies and other organizations worldwide and to 98% of the Fortune 500.

Key Takeaways To Boost Enterprise Security

At this time, Black says that “there is no indication that the security of any Citrix product or service was compromised.” However, here are 6 key lessons every enterprise should apply to its organization to avoid becoming the victim of a password spraying cyber attack:

  1. Use strong passwords: Create a password that is not less than 10 characters and preferably 16 characters; avoid using a common phrase, your name, nickname or address. Always use a unique password; never reuse one and never store passwords in your browser.

  2. The NCSC advises firms to configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks, and to enforce multi-factor authentication on those same endpoints.

  3. Encourage checks of common passwords through Troy Hunt’s HaveIBeenPwned password checker, or other free or commercial tools.

  4. Consider using two-factor or multi-factor authentication.

  5. Perform a routine systems check to make sure there aren't any easy access points, back doors or areas where privileges could be escalated.

  6. Check to make sure hackers haven’t added any additional user accounts.
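Item 2 above asks for protective monitoring of externally-reachable authentication endpoints. A password spray tries a handful of common passwords against many accounts, staying under each account's lockout threshold, so its log signature is the inverse of classic brute force: one source, many distinct usernames, only a few failures per username, inside a short window. The script below is an added example, not code from the article, Citrix or the NCSC; it assumes a simplified, constructed log line format (`<timestamp> src=<ip> user=<name> result=OK|FAIL`), and the IP addresses, usernames and timestamps in the sample log are made up.

```python
"""Flag password spraying in authentication logs (added example).

Signature: one source, many distinct usernames, few failures per username,
within a sliding time window. Brute force (many failures on one account)
and ordinary typos are deliberately not flagged.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not a real product's):
#   2019-03-01T09:00:00Z src=203.0.113.5 user=alice result=FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_spraying(lines, window=timedelta(minutes=30), min_users=10,
                    max_fails_per_user=3):
    """Return one alert per source whose failures, within any `window`,
    touch >= min_users distinct accounts with <= max_fails_per_user each.
    Successful logins from that source after the spray started are listed
    as candidate compromised accounts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    fails_by_src, ok_by_src = defaultdict(list), defaultdict(list)
    for e in events:
        (fails_by_src if e["result"] == "FAIL" else ok_by_src)[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        best, start = None, 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            distinct, total = len(per_user), sum(per_user.values())
            if distinct >= min_users and max(per_user.values()) <= max_fails_per_user:
                # keep the widest view of the spray for the analyst
                if best is None or (distinct, total) > (best["distinct_users"], best["total_failures"]):
                    best = {
                        "src": src,
                        "window_start": fails[start]["ts"],
                        "window_end": fails[end]["ts"],
                        "distinct_users": distinct,
                        "total_failures": total,
                        "max_fails_per_user": max(per_user.values()),
                    }
        if best is not None:
            best["successful_logins"] = sorted(
                {e["user"] for e in ok_by_src.get(src, []) if e["ts"] >= best["window_start"]}
            )
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed sample log (not real data): one spraying source, one
    brute-force source and one legitimate user who mistyped a password."""
    base = datetime(2019, 3, 1, 9, 0, tzinfo=timezone.utc)
    lines = []

    def add(minute, src, user, result):
        ts = (base + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src={src} user={user} result={result}")

    # spray: 12 accounts, one or two failures each, then one success
    for i in range(12):
        add(i, "203.0.113.5", f"user{i:02d}", "FAIL")
        if i % 3 == 0:
            add(i + 15, "203.0.113.5", f"user{i:02d}", "FAIL")  # second guess
    add(28, "203.0.113.5", "user07", "OK")
    # brute force: 15 failures against a single account
    for i in range(15):
        add(i, "198.51.100.7", "admin", "FAIL")
    # legitimate typo followed by a normal login
    add(3, "192.0.2.9", "alice", "FAIL")
    add(4, "192.0.2.9", "alice", "OK")
    return lines


if __name__ == "__main__":
    for alert in detect_spraying(build_sample_log()):
        print(alert)
```

The thresholds (`window`, `min_users`, `max_fails_per_user`) are starting points and should be tuned to the endpoint's normal failure rate; the detail to triage first is `successful_logins`, since a success from a spraying source is the foothold the article describes.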

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities,” said Black.
