Lessons from the Citrix Intrusion
In early March, the cloud computing company, Citrix received an advisory from the FBI that “they had reason to believe that international cyber criminals gained access to the internal Citrix network.” 1 A forensic investigation determined that hackers had likely used a brute-force technique called password spraying to gain access. Citrix confirmed that hackers had gained access to their internal network and stole business files.
In response, Citrix reset passwords, and password management protocols were improved. They also launched a campaign to increase awareness about security best practices and encouraged the use of multi-factor authentication. Citrix later stated that “cyber criminals had intermittent access to their network” over a period of months and removed sensitive personnel files from their systems.2
So how did the hackers get into their network?
Password spraying is a technique where one commonly-used password is selected and attempted across a large number of accounts. In this case, hackers likely chose numerous Citrix employee accounts and tried the same password for all of them. (Password examples: “Winter2018” or “Password123!”) 3 If that first guess didn’t give them any results, they moved down their list of common passwords and repeated the process. With one correct match, the hackers would have been able to log in and move around within the network as that employee.
Password spraying is also called “low and slow,” which is another description of the technique. It keeps a low profile on the network, making it difficult to detect from typical user behavior. This method also takes a “slow” approach to avoid specific security protocols. Many systems will lock an account after a particular number of failed login attempts within a designated time frame, such as “3 failed login attempts in 5 minutes.” Hackers will check for these specific rules and time their password guesses to avoid this protocol. Avoiding these security rules requires a slower, methodical pace compared to other methods that can run through thousands of password guesses per second.
How could they go unnoticed for so long?
These attacks are not entirely undetectable, but it requires active monitoring. So what are the signs? This type of attack can cause a noticeable spike in login attempts. This activity will show up in log files or error reports making them unusually large. It’s also possible for these login attempts to all come from the same IP address. One way to investigate if a hacker has already gained access is by checking employee login IP addresses for unusual locations. Similar to the fraud alerts on credit cards, a new sunny vacation spot is unique compared with typical day-to-day habits.
So how do these new protocols prevent password spraying?
Citrix doesn’t go into specifics about the new changes to their password management protocols. An example of this would be a new rule that requires passwords to be longer. Passwords have consistently been the weakest link in most security protocols. If a password is created to be easy-to-remember, a certain degree of predictability is built in, also making it easier for hackers to guess. Strengthening this requirement would ensure that users are creating fewer common or weak passwords. Alternatively, they might have made changes to the system lock-out rules to lock accounts at a lower threshold of failed login attempts.
Multi-factor authentication is also a useful tool to guard against password spraying attacks. Generally, multi-factor authentication steps require information that only the user has, such as a one-time use code sent to a user’s device, or the verification of a biometric feature, like a fingerprint. Adding multi-factor authentication creates an identity test that’s difficult for a hacker to answer, creating another layer of security to protect accounts from fraud.
So what can other companies learn from Citrix?
Hackers use password spraying to target accounts with the weakest passwords, so it’s necessary to use robust password management protocols. It’s also wise to consider enabling multi-factor authentication as a way to reduce fraudulent account use. Increasing awareness about strong credentials and security protocols potentially improves the security of all the interconnected systems. When business owners are better informed about how to improve security measures, they’re more likely to implement these tools to protect their customers and businesses. These small changes create significant defenses to protect against a password spray attack, even for large companies.
1Black, Stan. (2019, March 8). Citrix investigating unauthorized access to internal network. Retrieved from https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
2Notice of Data Breach. (2019, April 29). Retrieved from https://oag.ca.gov/system/files/CX1%20US%20LTR%20%28no%20MA%20or%20CT%29_0.pdf
3Brute Force Attacks Conducted by Cyber Actors. (2018, March 27). Retrieved from https://www.us-cert.gov/ncas/alerts/TA18-086A
Armstrong, Eric. (2019, April 4). Citrix provides update on unauthorized internal network access. Retrieved from https://www.citrix.com/blogs/2019/04/04/citrix-provides-update-on-unauthorized-internal-network-access/
Lima, Hector. (2019, April 4). Security best practices: Multi-factor authentication. Retrieved from https://www.citrix.com/blogs/2019/04/04/security-best-practices-multi-factor-authentication/
Multi-factor authentication. Retrieved on July 10, 2019 from https://en.wikipedia.org/wiki/Multi-factor_authentication
Sayaala. (2018, July 17). Password Spraying. Retrieved on July 5, 2019 from https://resources.infosecinstitute.com/password-spraying/#gref