Password Spraying Fells Citrix. Are We Next?

Did Iranian hackers steal six terabytes of sensitive documents from Citrix, a company that does business with the FBI, the US military, American government agencies, and many US corporations?

As usual, the identity of hackers cannot be established positively, but someone did steal a large amount of data, including reports, blueprints, and “business papers,” according to the company. We also know how they did it – using a tactic, said the company, known as “password spraying, a technique that exploits weak passwords.” 

That perhaps is the most important part of the story – because it could claim many more companies like Citrix. Passwords as a primary factor of authentication are problematic, if not outright dangerous – and the Citrix hack illustrates that clearly.

Citrix revealed the hack on March 8th in a statement, saying that the FBI had alerted the company that it had been compromised several days earlier, but the attacks may have been going on much longer.

Cybersecurity firm Resecurity claimed it had alerted Citrix to the attack as early as December 28th 2018, and that “threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct a targeted network intrusion.” They also called out the Iranian-backed IRIDIUM hacker group as the culprit.

The Citrix breach could turn out to be one of the most important in recent years. Among the “victims” of this breach may have been the source code of products like Netscaler Gateway (AKA Citrix Access Gateway), LogMeIn, and other highly sensitive products that may uncover a backdoor into Citrix customers’ networks. It's akin to a major breach at Lockheed Martin back in 2011, made possible after a hack of security vendor RSA Security exposed the secrets that went into its SecurID authentication token, used by Lockheed to protect its networks.

How Passwords Are Hacked
As mentioned, the FBI attributes the breach to password spraying, a tactic that involves attempting to access a large number of accounts (usernames) using a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked-out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time.

During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic. Additionally, targeting SSO applications helps maximize access to intellectual property if the attack succeeds. In addition, email applications are also commonly targeted.
How Does Password Spraying Affect Business?

When hackers are able to get information about employees from public sources they can rely on organizations using the same user names as in public domains. The hacker will use those user names combined with frequently used passwords (Password123, date of birth…..) to access business accounts.
Ways to Prevent Password Spraying

If passwords are the weak link in the authentication chain, there are two things we can do about it: either strengthen them, or find a better alternative. The ways to accomplish the former are well-known; longer, more complex and more frequently updated passwords will likely provide relief for most password spraying attacks, and make any efforts to brute-force less effective.

Yet effective password policies have proven notoriously difficult to enforce; all companies have policies in place requiring safe password practices, but password-compromising attacks are as numerous as ever. A multi-step login process and capping the number of failed login attempts are “next-level” password protection schemes that could cut down those attacks. 

When all else fails, companies can implement second-factor authentication. When used as an add-on to passwords, 2FA retains many of the shortcomings associated with passwords, while adding a few of their own. 

Another possibility is to use a physical token – such as a smartphone app – where the user doesn't have to remember anything, and they will no longer be subject to ubiquitous phishing attacks.

There are other authentication methods that override passwords, and companies should consider them, given the risks in using passwords. If the Citrix breach was really the result of password spraying, then the company has a lot of security housecleaning to do. We all ought to take a lesson from Citrix's experience, and take steps to ensure that we're not the next victims.

What’s Hot on Infosecurity Magazine?