Citrix breach once again highlights password weaknesses

Virtualisation software provider Citrix has been breached by international cyber criminals using password spraying, according to the US Federal Bureau of Investigation (FBI).

The technique exploits weak passwords by attempting to access a large number of accounts with a few commonly used passwords. In May 2018, the UK’s National Cyber Security Centre (NCSC) issued a warning about password spraying and guidelines on how to defend against it.

“These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring, which only looks at each account in isolation,” the NCSC warned.

The FBI believes that once the Citrix attackers gained a foothold with limited access, they worked to circumvent additional layers of security.

In a statement, Citrix said it has taken action to contain the breach, begun a forensic investigation and engaged a cybersecurity firm to assist. The software firm said it has also taken actions to secure its internal network.

“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised,” the statement said.

The notification, however, has sounded alarm bells for governments and military organisations, as well as the more than 400,000 organisations around the world that use Citrix products and services, raising fears that the their networks may be at risk of compromise.

According to security firm Resecurity, Citrix was breached by the Iranian-linked group known as Iridium, which has hit more than 200 government agencies, oil and gas companies and technology companies.

Resecurity said in a blog post that it has shared the acquired intelligence with law enforcement and partners for mitigation.

The security firm also claims that it contacted Citrix in December 2018 and shared early warning notification about a targeted attack and data breach, which Resecurity believes was planned towards the end of December.

The Citrix breach, it said, is part of a sophisticated cyber espionage campaign targeting government, military-industrial firms, energy companies, financial institutions and large enterprises involved in critical areas of economy.

“Based our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement,” the security firm said.

None of the claims have been verified independently and Resecurity has not provided any details that would help outside researchers to corroborate the report, according to Ars Technica.

The arsenal of Iridium, Rescurity said, includes proprietary techniques allowing to bypass two-factor authentication (2FA) for critical applications and services for further unauthorised access to virtual private networks (VPN) channels and single sign-on (SSO).

The security firm said it expects a continued growth of targeted cyber attacks on supply chains of government and large enterprises organised by state-actors and sophisticated cyber espionage groups.

While the identity of the attackers is yet to be confirmed, security researchers reported an Iranian-linked cyber espionage campaign targeting UK universities in August 2018, and in December 2018, an Iranian state-backed hacking group was linked to a campaign aimed at compromising the email accounts of US officials.

Ojas Rege, chief strategy officer at mobile device management firm MobileIron, said if the source of the breach was password spraying, then it once again highlights the need to address this issue.

“It’s another sign that, as an industry, we must focus on addressing the root cause of most data breaches – the inherent weakness of the password as our central means of enterprise authentication,” he said.

According to Rege, forcing users to make all their passwords substantially stronger will not solve this problem. “At best, they will continuously forget their passwords and create an ongoing support burden. More likely, they will rebel and force IT to roll back the security strategy or start using unauthorised cloud services that are easier to access and are beyond IT’s control.”

The right approach, said Rege, is to eliminate passwords for the user. “Biometric authentication is the starting point because the user now no longer has to remember passwords. The back-end credential into enterprise systems can then be made much stronger to mitigate password spraying and similar attacks, all without creating pain for the user. This is a true win-win. The company is more secure and the user is more productive,” he said.