Citrix Confirms Password-Spraying Heist of Reams of Internal IP


Security experts say the attack stemmed from weak cybersecurity controls.


Digital workspace and enterprise networks vendor Citrix has concluded its investigation into a 6TB data heist in March, which it said was the work of international cybercriminals who exploited weak passwords on an internal network.

The attackers intermittently accessed Citrix’ infrastructure between October 13, 2018 and March 8, 2019, the company said in an update on its website. They “principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice,” according to the notice.

There’s no indication that Citrix products or services were compromised, it added, though a small number of customers may have been impacted; that part of the investigation is still ongoing, it said.

Harrison Van Riper, strategy and research analyst at Digital Shadows, told Threatpost: “It’s an important note that they mention that the intruders only stole Citrix docs and IP, rather than information belonging to Citrix customers. There was a lot of confusion that may have still been lingering since the breach was first announced.”

The company confirmed that the adversaries gained access via a successful password-spraying effort – which was its initial assessment in March.

Password-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as “123456”) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This “low and slow” method is used to avoid account lock-outs stemming from too many failed login attempts.
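The distinction drawn above (many accounts, one password each, versus one account, many passwords) is also what makes spraying visible to a defender: a per-account lockout counter never trips, but a per-source count of distinct accounts does. The following is an added example, not code from Citrix or from the article, that runs a simple detector over a constructed authentication log. The log lines, IP addresses, user names, the 10-minute window and the assumed lockout threshold of 5 failures are all invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Each line is:
# ISO timestamp, source IP, username, result
SAMPLE_LOG = """\
2019-03-01T09:00:01 203.0.113.7 alice FAIL
2019-03-01T09:00:03 203.0.113.7 bob FAIL
2019-03-01T09:00:05 203.0.113.7 carol FAIL
2019-03-01T09:00:07 203.0.113.7 dave FAIL
2019-03-01T09:00:09 203.0.113.7 erin FAIL
2019-03-01T09:00:11 203.0.113.7 frank FAIL
2019-03-01T09:00:13 203.0.113.7 grace SUCCESS
2019-03-01T09:00:20 198.51.100.4 alice FAIL
2019-03-01T09:00:22 198.51.100.4 alice FAIL
2019-03-01T09:00:24 198.51.100.4 alice FAIL
2019-03-01T09:00:26 198.51.100.4 alice FAIL
2019-03-01T09:00:28 198.51.100.4 alice FAIL
2019-03-01T09:00:30 198.51.100.4 alice FAIL
2019-03-01T09:05:00 192.0.2.10 heidi FAIL
2019-03-01T09:05:30 192.0.2.10 heidi SUCCESS
"""

# Assumed per-account lockout policy: lock after this many failures.
LOCKOUT_THRESHOLD = 5


def parse_log(text):
    """Parse the constructed log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def per_account_failures(events, src=None):
    """Failure count per account, optionally restricted to one source.

    This is the view a lockout policy sees: for a spray, every value stays
    below LOCKOUT_THRESHOLD even though the source has failed many times.
    """
    counts = defaultdict(int)
    for _, s, user, result in events:
        if result == "FAIL" and (src is None or s == src):
            counts[user] += 1
    return dict(counts)


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: verdict}, verdict in {'spray', 'brute_force', 'normal'}.

    spray:       within `window`, one source fails against at least
                 `min_accounts` distinct accounts, each below the lockout
                 threshold (the 'low and slow' pattern).
    brute_force: one source drives a single account past the lockout threshold.
    """
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        verdict = "normal"
        # Slide the window over the source's failures, newest event at the end.
        for i, (end_ts, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[: i + 1]:
                if end_ts - ts <= window:
                    per_user[user] += 1
            if max(per_user.values()) >= LOCKOUT_THRESHOLD:
                verdict = "brute_force"
                break
            if len(per_user) >= min_accounts:
                verdict = "spray"
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, verdict in classify_sources(evs).items():
        print(src, verdict, per_account_failures(evs, src))
```

Run as written, the source 203.0.113.7 is flagged as a spray even though no account exceeds one failure, 198.51.100.4 is flagged as brute force on a single account, and 192.0.2.10 (one mistyped password followed by a success) is normal. The design point is that the spray verdict is keyed on the source and the number of distinct accounts, not on any one account's counter, which is exactly the signal an account-lockout policy alone does not provide.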

According to Secret Double Octopus, “password-spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic. Additionally, targeting SSO applications helps maximize access to intellectual property if the attack succeeds.”

In the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.

Citrix said that “individual virtual drives and company email accounts of a very limited number of compromised users” were accessed; and, the attackers launched a limited number of internal applications.

This should be a warning call to other large enterprises, according to Nissim Pariente, director of Security Analytics at Radware.

“Weak password policy can lead to a situation where threat actors utilize it for lateral movement and privilege escalations, that eventually can be utilized for staying persistent under the radar for long time, such as what happened in Citrix event,” he told Threatpost.

Torsten George, cybersecurity evangelist at Centrify, told Threatpost that Citrix’s conclusion that hackers gained access to their internal network through password spraying is just the latest example that hackers don’t need to hack in to compromise internal networks anymore.

“They login using weak, stolen, or otherwise compromised credentials,” he said. “Organizations must also adopt a zero-trust privilege approach to secure the modern threatscape and grant least-privilege access based on verifying who is requesting access, the context of the request and the risk of the access environment. The reality is that guessing passwords is easier than going up against technology, and organizations should assume that bad actors are in their networks already.”

A recent Centrify survey revealed that more than three-quarters (74 percent) of companies who experienced a data breach said it involved privileged credential abuse. This number closely aligns with Forrester Research’s estimate that at least 80 percent of data breaches involved compromised privileged credentials, such as passwords, tokens, keys and certificates.

Nonetheless, in response to the attack, “We performed a global password reset, improved our internal password management and strengthened password protocols,” Citrix stated.

That’s a move that some security experts said might not be the best approach.

“Unfortunately, this is analogous to rearranging deck chairs on the Titanic,” Arshad Noor, CTO of StrongKey, told Threatpost. “Passwords are not just old, they are ancient – created for the mainframe to enable chargeback controls for time-sharing in the 1960s. That multi-billion-dollar companies continue to use this archaic technology to protect a multi-trillion-dollar economy is an anachronism of the 21st century.”

The incident has pointed out what seem to have been glaring oversights in Citrix’ security posture, according to security experts.

“This highlights to me the importance of security fundamentals. Even large, well-known organizations can fall victim to relatively basic attacks,” Richard Gold, head of security engineering at Digital Shadows, told Threatpost. “Paying careful attention to the fundamentals of security, such as password hygiene, is a critical requirement for all organizations. Additionally, the challenges Citrix is dealing with are not exclusively technical. They are dealing with social, bureaucratic, cultural and organizational issues as well.”

Digital Shadows’ Van Riper meanwhile noted, “Password spraying attacks a small number of usernames with a large amount of passwords, which could mean there weren’t very solid credential validation restrictions on their login service, i.e. failed login limits, account lockout policies.”

And finally, Chris Morales, head of security analytics at Vectra, told Threatpost, “I’m glad to see Citrix following through proactive steps in how passwords are used and managed, how privileged access is tracked, and how the network is segmented. These are all fundamentals for any company. I do wonder how this was not there before. While Citrix is not what I consider a pure security play, they do have security aspects in their portfolio, including device management, that seems like it would have been a key aspect of how the business operates.”

Citrix told Threatpost that it had no comment beyond the blog posting.

This post was updated at 10:24 am with Citrix’ response. 

