Citrix Falls Prey to Password-Spraying Attack | Threatpost

Citrix is warning that its internal network has been hit by international cybercriminals.

The digital workspace and enterprise networks vendor said in a website notice that the FBI contacted it on Wednesday, saying that there was evidence of a successful cyberattack on its network.

While details for now are scant, “it appears that the hackers may have accessed and downloaded business documents,” the company said in its notice. “The specific documents that may have been accessed however are currently unknown.”

There’s no indication that Citrix products or services were compromised, it added.

The FBI told the firm that the hackers probably used a tactic known as password-spraying, which is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as “123456”) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This “low and slow” method is used to avoid account lock-outs stemming from too many failed login attempts.

According to Secret Double Octopus, “password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic. Additionally, targeting SSO applications helps maximize access to intellectual property if the attack succeeds.”

In the case of Citrix, which ironically has always specialized in federated architectures, the FBI surmised that since the attackers likely gained a foothold with limited access, they then worked to circumvent additional layers of security.

The investigation is on-going and the company said that it would provide additional details as they become available – it’s working with the FBI and a third-party cybersecurity firm to uncover what happened, and it said that it was able to secure its network again.

“Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly,” the company said. “In investigations of cyber-incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”

The news comes as Citrix begins implementing forced password resets for its Sharefile service customers.

“There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts,” Citrix said in an announcement over the weekend of the new policy. “In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures.”

Dana Tamir, vice president of market strategy at Silverfort, in an emailed statement noted: “Adding multifactor authentication (MFA) is the best way to validate the user’s identity and protect against password theft. File-shares are a prime target for hackers as they contain valuable and sensitive data. Changing passwords is not enough to prevent breaches because the new passwords can be stolen just as easily. Also, people tend to change passwords in very predictable ways – typically just changing the last characters.  Applying an MFA on access to file shares is indeed a best practice. However, many types of files shares do not support MFA leaving these data exposed to attacks.”

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.