For a five-month period between 2018 and 2019, hackers gained access to systems belonging to Citrix. Citrix was notified of the breach in March of 2019 by the FBI, who informed Citrix that the breach appeared to have happened through a password spraying attack. Password spraying is a fairly unsophisticated method of attack but is highly effective. The attack involves targeting a wide number of employee accounts and attempting to gain access by using a few common passwords. Citrix made an initial statement acknowledging the breach on March 8th, 2019 that contained few details but has now released an update with more information. According to the updated statement the intrusion began on October 13th, 2018 and the attackers had “intermittent” access until March 8th, 2019. Information taken by the attackers during that time may have included “Social Security Numbers or other tax identification numbers, driver’s license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.” The security company Resecurity claimed it had evidence that Iranian hackers were responsible and that it had notified Citrix of the breach on December 28th, 2018. The claim of Iranian attribution has not been corroborated, but Citrix acknowledged the notification from Resecurity.
Even though password spraying is a relatively unsophisticated means of attack, hackers regularly find great success through its use. It can be difficult for defenders to detect password spraying, because it does not create many failed authentication attempts per user and does not lock any user accounts out. Strong passwords or passphrases which are changed regularly and multi-factor authentication (MFA) are both important steps in defending against password spraying attacks. Encouraging employees to make use of password management tools which can generate complex, unique passwords can also be a strong defense against password spraying. This instance also highlights the fact that the slow exfiltration of data can be significantly more dangerous than one massive dump of data. By maintaining access over an extended period of time, the attackers were able to slowly steal data in a way that kept them from being easily noticed, and they may have been able to cause significantly more harm had Citrix not been notified by the FBI. It is important for defenders to monitor endpoints for signs of attacker behaviors and take action to detect intrusions in the early stages, before they have the opportunity to do more significant harm. It is also critical to maintain adequate logs so that a forensic investigation can verify claims of a breach from a third-party notification. More information on this incident can be found at https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/
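As an added example (not from the original post or from Citrix), the following script shows the detection logic the paragraph describes: because spraying keeps per-account failures under the lockout threshold, a per-user view misses it, but grouping failures by source and counting distinct accounts inside a time window exposes it. The log format, field names and addresses are constructed for illustration.

```python
# Added example: flag password spraying in authentication logs by looking for
# one source that fails against many distinct accounts while staying below the
# per-account lockout threshold. Log lines and format are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, src) from constructed log lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def find_spraying(lines, window=timedelta(hours=1), min_users=10, lockout=5):
    """Return {src: set(users)} for sources that failed against >= min_users
    distinct accounts inside `window` while every account stayed under
    `lockout` failures (the low-and-slow pattern that evades lockout policy)."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(parse(lines)):
        if result == "FAIL":
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        start = 0  # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                hits.setdefault(src, set()).update(per_user)
    return hits

# Constructed sample: one source tries 12 accounts once each (spray), another
# hammers a single account 6 times (classic brute force, would trip lockout).
SAMPLE_LOG = (
    [f"2018-10-13T02:{i:02d}:00 FAIL user=emp{i:02d} src=203.0.113.7" for i in range(12)]
    + [f"2018-10-13T02:{i:02d}:00 FAIL user=emp00 src=198.51.100.9" for i in range(6)]
    + ["2018-10-13T02:30:00 OK user=emp05 src=192.0.2.4"]
)

if __name__ == "__main__":
    for src, users in find_spraying(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts")
```

Only the spraying source is reported; the single-account brute force is left to the normal lockout and per-user alerting, which is exactly the gap this check covers.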