Cloud computing giant Citrix is the latest big name to fall victim to a major data breach. The Florida-based company was hit for an estimated six to ten terabytes of confidential internal information in early March. While any data breach of this size is a legitimate news item, the Citrix data breach is particularly noteworthy as the software company provides cloud services to the U.S. military through its Shared Services Center and is one of the Department of Defense’s approved vendors.
The Citrix data breach is thought to have been perpetrated by Iranian hackers in a group called IRIDIUM, which is believed to have ties to the country’s government. These international cyber criminals specialize in attacking foreign nations, aiming at the confidential information of government agencies and major players in the economy. They have been active for over a decade and have hit at least 200 organizations during that time.
IRIDIUM, notorious Iranian hackers
The official word regarding the Citrix data breach at this time is that there is “no sign” that the hackers compromised any of their products or services. It is not clear to the public exactly what was stolen, but early information indicates that it was internal company communications and files, particularly those related to procurement and project management.
It is unclear if the Citrix data breach provided the Iranian hackers with any access to United States government networks, but they may have intercepted communications containing sensitive technical details about their networks and projects. The attackers appeared to take a particular interest in files related to FBI projects and aerospace industry contracts.
IRIDIUM has a history of targeting Citrix. In fact, it is possible that IRIDIUM gained access to the company’s network 10 years ago and has had some foothold there ever since. The Iranian hackers appear to have conducted some sort of initial attempt on Citrix in late December (which prompted the company to reset user passwords), with the main breach taking place on March 4. Citrix was not aware of the hack until the FBI advised that the hackers gained access to their systems on March 6.
Private industry concerns
While there is no information at this time to warrant concerns about a widespread breach of Citrix software or compatible hardware, government contractors who interface with Citrix may have had information exposed to the Iranian hackers.
There is some longer-term concern for private businesses that make use of a Citrix product or service, however. It is possible that documents taken from this hack could lead the Iranian hackers to new vulnerabilities to use in the future against Citrix customers. If any source code for products was obtained during this Citrix data breach, then it becomes extremely likely that those products will face cyber attacks at some point in the near future.
All indications are that the purpose of the Citrix data breach was to get information about the U.S. government and their contractors. It would be prudent for any companies making use of Citrix software or services to review their security policies, however – particularly in terms of password safety, which is how this hack happened in the first place.
Spray and pray: Password lessons from the Citrix data breach
The Iranian hackers appear to have forced their way in with a tactic known as password spraying, a technique that exploits weak passwords.
Password spraying is essentially a more refined version of credential stuffing from a word list. The hackers will create a specific list of passwords to try based on the known complexity policy of their target. The passwords in the list will usually be ones that are commonly used, or that have been associated with previous leaks related to the target organization in some way. The hackers also usually have a list of known usernames to work from (usually obtained from public email addresses), trying each password with each username once before starting over. This more refined approach allows attackers to avoid triggering automatic lockouts from too many failed login attempts.
The attack followed a typical pattern of first gaining access to poorly-secured lower-level accounts to open up broader access to the network. As the FBI’s statement to the press regarding the Citrix data breach noted: “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”
In this case, there appear to have been at least a few Citrix employee accounts that had weak passwords that fit the bill. One might initially think that setting a mandatory company policy of complex passwords (enforced at account creation and during password changes) would be adequate to protect against password spraying. However, the real-world result of these policies is often that employees pick the least complicated possible password that still meets the criteria, and will also re-use this password across multiple accounts so that they do not have to remember multiple complex logins. Either that, or they will simply write the password down and keep it at their desks, which creates an entirely new attack vector.
Employees can be encouraged to use other effective password strategies, such as using a password manager or enabling two-factor authentication. Organizations have to always expect some amount of negligent human behavior when it comes to passwords, however. That means that much of the onus for protection from password spraying falls on the IT department. This includes regular monitoring for events that appear to be password spraying attacks (such as one-time failed logins by many different accounts in rapid succession), and regular password audits using known lists of compromised credentials among other measures.
The source of most of the information about the Iranian hackers is Resecurity, a small Los Angeles-based cybersecurity company that was not previously on international radar. While there is some history of small unknown companies like this breaking news about major breaches, it is important to note that there does not appear to be a formal working relationship between Resecurity and Citrix and some of their claims have yet to be confirmed. Any forensic investigation that Resecurity might be engaging in appears to be entirely independent.
The Citrix data breach and the use of password spraying to initially gain access has been confirmed, however, and that should be enough notice to organizations to review their security policy for potential vulnerability to this common attack method. Organizations that use Citrix services should also evaluate the possibility that further breaches may spring from the information obtained in this attack. The Citrix Analytics service, which purports to detect and prevent breaches, should probably be item number one on the review list for anyone using it.