Citrix Still Investigating Password Spray Attack to Its Internal Systems
Citrix continues to investigate the extent of a compromise of its internal network a week after disclosing that the FBI had informed the company it suspected international cybercriminals had gained access.
The FBI told Citrix that it believes the hackers used password spraying to access its network. Password spraying is a brute-force technique in which automated tools try a small number of common passwords against a large number of accounts, keeping each account below its lockout threshold; it is frequently aimed at single sign-on (SSO) and federated authentication endpoints, and it succeeds against accounts with weak or commonly used passwords.
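The spray pattern described above, as an added example that is not part of the original article or of Citrix's investigation: a small Python detector run over constructed authentication log lines (the log format, the source addresses, the account names and the thresholds are all assumptions). It flags a source that fails against many distinct accounts while staying under a per-account lockout count, and contrasts that with a single-account brute force, which a lockout policy alone would catch.

```python
"""Password-spray detection over authentication logs.

Added example (not Citrix's code, not the FBI's method). The log format,
addresses and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed format per line:
# <ISO timestamp> <SUCCESS|FAIL> <username> <source-ip>
#   203.0.113.7  tries one password against many accounts (spray); judy falls
#   198.51.100.5 is a legitimate user mistyping a password twice
#   192.0.2.9    hammers a single account (classic brute force)
SAMPLE_LOG = """\
2019-03-01T08:00:01Z FAIL alice 203.0.113.7
2019-03-01T08:00:04Z FAIL bob 203.0.113.7
2019-03-01T08:00:07Z FAIL carol 203.0.113.7
2019-03-01T08:00:10Z FAIL dave 203.0.113.7
2019-03-01T08:00:13Z FAIL erin 203.0.113.7
2019-03-01T08:00:16Z FAIL frank 203.0.113.7
2019-03-01T08:00:19Z FAIL grace 203.0.113.7
2019-03-01T08:00:22Z FAIL heidi 203.0.113.7
2019-03-01T08:00:25Z FAIL ivan 203.0.113.7
2019-03-01T08:00:28Z SUCCESS judy 203.0.113.7
2019-03-01T08:00:31Z FAIL mallory 203.0.113.7
2019-03-01T08:01:00Z FAIL alice 198.51.100.5
2019-03-01T08:01:20Z FAIL alice 198.51.100.5
2019-03-01T08:01:40Z SUCCESS alice 198.51.100.5
2019-03-01T08:02:00Z FAIL bob 192.0.2.9
2019-03-01T08:02:01Z FAIL bob 192.0.2.9
2019-03-01T08:02:02Z FAIL bob 192.0.2.9
2019-03-01T08:02:03Z FAIL bob 192.0.2.9
2019-03-01T08:02:04Z FAIL bob 192.0.2.9
2019-03-01T08:02:05Z FAIL bob 192.0.2.9
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def _events_by_ip(log_text):
    """Group parsed events by source IP, sorted by time."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev[3]].append(ev)
    for events in by_ip.values():
        events.sort(key=lambda e: e[0])
    return by_ip


def _windows(events, window):
    """Yield every sliding window of events starting at each event."""
    for i, ev in enumerate(events):
        start = ev[0]
        yield [e for e in events[i:] if e[0] - start <= window]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=8, max_per_user=3):
    """Flag sources that fail against many accounts but few times per account.

    Breadth with low per-account depth is the spray signature: the attacker
    deliberately stays under the lockout threshold (max_per_user), so a
    per-account lockout policy never fires. Returns {ip: summary}.
    """
    findings = {}
    for ip, events in _events_by_ip(log_text).items():
        for span in _windows(events, window):
            fails, hits = defaultdict(int), set()
            for _, result, user, _ in span:
                if result == "FAIL":
                    fails[user] += 1
                else:
                    hits.add(user)
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                cand = {"distinct_users": len(fails),
                        "max_fails_per_user": max(fails.values()),
                        "successes": sorted(hits)}  # accounts to treat as compromised
                if ip not in findings or cand["distinct_users"] > findings[ip]["distinct_users"]:
                    findings[ip] = cand
    return findings


def detect_brute_force(log_text, window=timedelta(minutes=10), max_per_user=3):
    """Contrast case: many failures against one account from one source."""
    findings = {}
    for ip, events in _events_by_ip(log_text).items():
        for span in _windows(events, window):
            fails = defaultdict(int)
            for _, result, user, _ in span:
                if result == "FAIL":
                    fails[user] += 1
            if fails:
                user, count = max(fails.items(), key=lambda kv: kv[1])
                if count > max_per_user and count > findings.get(ip, {}).get("fails", 0):
                    findings[ip] = {"user": user, "fails": count}
    return findings


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOG))
    print("brute force:", detect_brute_force(SAMPLE_LOG))
```

The thresholds matter: a spray against an SSO portal with a 30-minute lockout window at five failures will typically show one or two attempts per account spread over hours, so in practice the window should be tuned to the lockout policy, and the source key should also be tried per ASN or per user-agent, since sprayers rotate IPs.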
After the FBI reached out to Citrix on March 6, an internal forensic investigation found that the hackers may have downloaded some documents, though the company has not confirmed this or identified which documents the attackers accessed, according to the company’s CISO, Stan Black.
“At this time, there is no indication that the security of any Citrix product or service was compromised,” Black wrote last week.
Customers have predictably questioned their partners about Citrix’s revelation.
“They’ve asked what we think, and I don’t think there’s a major concern yet, but obviously, I know as much as you do,” said Pete Downing, chief marketing and technology officer of XenTegra, one of Citrix’s largest partners. “While there’s naturally some concern, no one’s running away, and they see that Citrix is taking it seriously.”
Citrix didn’t disclose the source of the attacks, but Los Angeles-based Resecurity, a relatively unknown provider of next-generation endpoint protection software, this week shared what it believes is evidence that an Iranian-linked group known as Iridium is responsible for the latest attack.
Iridium attacked more than 200 government agencies, oil and gas providers, and tech providers including Citrix during the last week of December, according to Resecurity, which said it had reached out to Citrix, warning the company about the targeted attack.
While Resecurity’s evidence doesn’t appear to have been independently confirmed, at least publicly, the company this week acknowledged DHL, the National Bank of Canada (NBC), Skrill, PayPal and Canadian Centre for Cyber Security, for aiding in gathering telemetry used during the December attacks. As of Friday, Citrix didn’t have any further updates.
“Our investigation continues, and we don’t have any updates at this time,” a Citrix spokeswoman confirmed to Channel Futures. “But as promised, we’ll be transparent and share credible and actionable information as we get it.”
In its annual 10-K filing with the SEC last month, Citrix did acknowledge the December attacks on ShareFile, its enterprise file sharing service, warning of the overall risks to its business.
“In late 2018, our file sync and sharing service was the target of a ‘credential stuffing’ attack, in which we believe that malicious third-party actors used credentials obtained from breaches unrelated to any Citrix service to attempt to gain access to individual Citrix Content Collaboration customer accounts,” according to the filing. “To date, we believe the event had limited impact on a small percentage of Citrix Content Collaboration customers; however, these types of attacks have the potential to materially and adversely impact our customers and, as a result, our results of operations and financial condition.”
Password spraying drew wider attention nearly a year ago, when the U.S. Computer Emergency Readiness Team, a branch of the Department of Homeland Security, issued an alert on the technique. The warning came shortly after Microsoft published best practices for protecting Azure Active Directory and Active Directory Federation Services (ADFS) deployments against password spraying attacks.