The recent attack on internal systems of software company Citrix Systems raises several questions
On March 6, 2019, the Federal Bureau of Investigation told Citrix that international cyber criminals gained access to its internal network.
Resecurity, a security firm, has claimed that the attack could be by an Iranian-linked group known as IRIDIUM that has hit more than 200 government agencies, oil and gas companies and technology companies.
Citrix said it has already initiated action to contain this incident.
“We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” wrote Citrix Chief Information Security Officer Stan Black in a blog post on the company website.
“Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information,” he further wrote.
Black said that while the investigation was ongoing, it appeared that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. “At this time, there is no indication that the security of any Citrix product or service was compromised,” he wrote.
Black also said that, while it was not confirmed, the FBI “has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords.” Once they gained a foothold with limited access, they worked to circumvent additional layers of security.
Password Spraying: A clever exploit
In May last year, the UK’s National Cyber Security Centre (NCSC), part of the nation’s security agency GCHQ, warned about the emerging threat of password spraying.
“One common way that online accounts are breached is through password spraying, whereby lists of a small number of common passwords are used to brute force large numbers of accounts. These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only looks at each account in isolation,” it said in a blog post.
NCSC raised the alarm following research it conducted to understand how vulnerable UK organizations could be to password spraying attacks. It found that
75% of the participants’ organizations had accounts with passwords that featured in the top 1,000 passwords and 87% had accounts with passwords that featured in the top 10,000.
This data suggests that password spraying attacks are likely to have some success against these organizations, and many other organizations across the UK.
“Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords,” it said.
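The NCSC point above, that monitoring which looks at each account in isolation misses a spray, as an added example that is not part of the original article: a small Python detector over a constructed authentication log, comparing the usual per-account failure threshold with a per-source count of distinct accounts failed against inside one time window. The log format, addresses and usernames are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log():
    """Constructed sample log (not real data): one source tries a single guess
    against 12 distinct accounts within four minutes, while a legitimate user
    mistypes their own password three times from another address."""
    t0 = datetime(2019, 3, 1, 2, 0, 0)
    fmt = "{} src={} user={} result=FAIL"
    lines = [fmt.format((t0 + timedelta(seconds=20 * i)).strftime(LOG_FORMAT),
                        "203.0.113.7", f"user{i:02d}") for i in range(12)]
    lines += [fmt.format((t0 + timedelta(minutes=10 * k)).strftime(LOG_FORMAT),
                         "198.51.100.4", "alice") for k in range(3)]
    return lines


def parse(lines):
    """Turn 'TIMESTAMP key=value ...' lines into (ts, src, user, result) tuples."""
    events = []
    for line in lines:
        ts_str, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.strptime(ts_str, LOG_FORMAT),
                       fields["src"], fields["user"], fields["result"]))
    return events


def per_account_alerts(events, max_failures=10):
    """Per-account rule (the one a spray slips under): alert only when a single
    account accumulates more failures than a lockout-style threshold."""
    failures = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n > max_failures)


def spray_alerts(events, window=timedelta(minutes=15), min_accounts=8):
    """Cross-account rule: alert on a source that fails against many distinct
    accounts within one sliding window, which is the spray pattern."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                alerts.append((src, len(users)))
                break
    return alerts
```

On the sample log the per-account rule raises nothing, because no single account exceeds ten failures, while the per-source rule flags 203.0.113.7 for failing against twelve accounts in one window.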
Security firm Resecurity said it had reached out to Citrix in December 2018 and had shared an early warning notification about a targeted attack and data breach. “The attack,” it said, “was planned and organized specifically during the Christmas period.”
Resecurity said the incident has been identified as part of a sophisticated cyberespionage campaign supported by a nation-state, given its strong targeting of government, the military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy.
“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement,” it said.
The arsenal of IRIDIUM includes proprietary techniques that allow it to bypass 2FA authorization for critical applications and services, giving it further unauthorized access to VPN (virtual private network) channels and SSO (single sign-on), Resecurity explained.
“We forecast a continued growth of targeted cyber-attacks on supply chains of government and large enterprises organized by state-actors and sophisticated cyberespionage groups,” it said.
Four Myths that it busted
The security breach at Citrix has implications beyond Citrix and its customers. It raises important questions and busts some myths. Here are the four myths that it busted.
Myth 1: IT companies are less vulnerable
Citrix is not just a technology company. It is an enterprise tech company that has security solutions too, albeit in a different area. Its Citrix Web App Firewall is a web application firewall that it claims protects web applications and sites from both known and unknown attacks, including all application-layer and zero-day threats.
Myth 2: Early warning prevents breach
Going by the claim made by Resecurity, it had warned Citrix in December 2018. This means Citrix had some knowledge of the possibility of such an attack. Yet the fact that the infiltrators still managed to get onto its internal systems means that the information was not effective in thwarting the attack.
Myth 3: Once the attack starts, at least tech companies can detect it
Citrix admits that it got the information about the attack from the FBI. The fact that the FBI ‘had to’ tell them well after the attack started means that even post-attack, detection is not easy.
Myth 4: An attacker requires highly sophisticated tech to carry out an attack
As is evident, the attackers used password spraying, which is a clever way of exploiting weak passwords rather than relying on more sophisticated tools.