‘Password spraying’ behind Citrix cyber attack

Another high-profile cyberattack, another lesson learned.
13 March 2019

The Citrix building, Santa Clara. Source: Shutterstock

As always, cybersecurity issues are coming to the forefront in the technology world, and the audacity of these attacks is breathtaking to the common observer. But from every high-profile attack, there seems to be a key lesson to take away.

Los Angeles-based cybersecurity company Resecurity says it has proof that Iranian state actors were behind the latest attack on software giant Citrix; the attackers allegedly broke into the network ten years ago and had been inside the company’s system since.

The cybersecurity firm alleges that hackers stole vast amounts of data from the major software company that handles sensitive computer projects from the White House communications agency, the US military, the FBI and many American corporations.

Charles Yoo, Resecurity’s president, said that the Iranian-linked hacking group known as Iridium employed brute force attacks to guess passwords.

As a result, at least six terabytes of data were extracted (possibly up to ten terabytes) in the assault on the company, which provides server, application and desktop virtualization, networking, software-as-a-service, and cloud computing technologies.

Access to Citrix was thought to be gained through several compromised employee accounts. “It’s a pretty deep intrusion, with multiple employee compromises and remote access to internal resources,” he said.

Citrix’s CISO, Stan Black, said the FBI believes the technique used to gain access was “password spraying”, and that once the hackers “gained a foothold with limited access, they worked to circumvent additional layers of security.”

The UK’s NCSC has previously warned users about these types of attacks, which it believes succeed because a large set of users will likely be using common passwords.
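The spraying pattern described above, a few common passwords tried across many accounts, leaves a distinctive trace in authentication logs: one source failing against many distinct usernames with only one or two attempts each. The following detection routine is an added example, not part of the original article; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag password spraying in auth logs: one source failing across many
distinct accounts with only a few attempts each (staying under lockout)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system); assumed format:
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2019-03-06T09:00:01 203.0.113.7 alice FAILURE
2019-03-06T09:00:03 203.0.113.7 bob FAILURE
2019-03-06T09:00:05 203.0.113.7 carol FAILURE
2019-03-06T09:00:07 203.0.113.7 dave FAILURE
2019-03-06T09:00:09 203.0.113.7 erin FAILURE
2019-03-06T09:00:11 203.0.113.7 erin SUCCESS
2019-03-06T09:05:00 198.51.100.5 grace FAILURE
2019-03-06T09:05:10 198.51.100.5 grace FAILURE
2019-03-06T09:05:30 198.51.100.5 grace SUCCESS
"""


def parse_line(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect_spraying(log_text, window=timedelta(minutes=30),
                    min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted usernames} for sources whose failures hit at
    least min_accounts distinct users inside one window while no user sees more
    than max_per_account failures. Repeated failures on a single account (grace
    above) are a different pattern and are deliberately not flagged here."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, outcome = parse_line(line)
            if outcome == "FAILURE":
                failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged
```

The successful login on the last sprayed account is what a responder would then pivot on: a foothold obtained this way is the "limited access" Citrix describes, and the thresholds should be tuned to the organisation's normal failure rate.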

In a blog post, Resecurity blamed Iridium for an attack that used “proprietary techniques allowing to bypass 2FA authorization for critical applications and services for further unauthorized access to VPN channels and SSO (Single Sign-On)”.

Talking to Computer Business Review, Ojas Rege, a mobile device management specialist from MobileIron, said that the industry must focus on addressing the root cause of most data breaches – the inherent weakness of the password as a central factor in terms of enterprise authentication.

“Biometric authentication is the starting point because the end user now no longer has to remember passwords,” he said.

“The back-end credential into enterprise systems can then be made much stronger to mitigate password spraying and similar attacks, all without creating pain for the end user […] this is a true win-win […] the company is more secure, and the end user is more productive,” he added.

Experts have long advocated physical hardware security tokens, such as a USB, Bluetooth or NFC device built on a security framework such as FIDO U2F, which provide a strong frontline defense for businesses, especially SMEs, which are among the most vulnerable.

In most cases, the hardware security token needs to be registered to an account; logging in is then done either by plugging it into a USB slot or over Bluetooth, NFC or Wi-Fi.

All in all, every corporation, from SMEs right up to the larger conglomerates, needs to understand that cybersecurity is an element that needs constant vigilance and innovation to stay a few steps ahead of the attackers. In many cases, though, ensuring employees follow a secure password policy could be a significant step in the right direction.