Over the weekend, it has emerged that Citrix has been hit by hackers in attacks that potentially exposed large amounts of customer data.
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CSIO.
According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM, which has hit more than 200 government agencies, oil and gas firms and technology companies. The firm said it first reached out to Citrix on December 28, 2018 to share an early warning notification about a targeted attack and data breach. “Based on the timing and further dynamics, the attack was planned and organized specifically during the Christmas period,” Resecurity says in a blog.
“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
Resecurity says the group uses proprietary techniques to bypass 2FA authorization for critical applications and services, gaining further unauthorized access to virtual private network channels and single sign-on.
What we know
It’s not yet possible to pinpoint what exactly has happened and the nature of the data accessed. However, crucially, it appears that hackers might have accessed and downloaded business documents: “In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information,” says Black. “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”
However: “At this time, there is no indication that the security of any Citrix product or service was compromised,” says Black.
How did hackers access the documents?
The FBI thinks the hackers likely used a tactic known as password spraying, a method of exploiting weak passwords. Once they had done so, they would have been able to gain a foothold with limited access and work to circumvent additional layers of security.
The U.K.’s National Cyber Security Centre (NCSC) has warned about this method in the past, whereby a short list of common passwords is tried against large numbers of accounts. “These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only looks at each account in isolation,” the NCSC says.
The organization had conducted a research study which allowed participating firms to assess how vulnerable they would be to a password spraying attack. It found 75% of the participants’ organizations had accounts with passwords that featured in the top 1,000 and 87% had accounts with passwords that featured in the top 10,000.
How many people are affected and what should Citrix customers do?
Currently, detailed information is unavailable, but of course the incident could be pretty serious: Citrix provides virtual private network access and credentials to 400,000 companies and other organizations worldwide and 98% of the Fortune 500.
Citrix says: “Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”
Of course, this incident illustrates the importance of simple security measures. Use strong passwords: a passphrase or three random words, for example, is much better than allowing users to reuse the same credentials across systems.
The NCSC advises firms to configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks and enforce multi-factor authentication on externally-reachable authentication endpoints.
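The monitoring the NCSC describes has to look across accounts rather than at each one in isolation. The following is an added example, not code from the article, the NCSC or Citrix: it groups failed logins by source address over a sliding time window and flags a source that fails against many distinct accounts, and contrasts that with a per-account lockout count that a spray stays beneath. The log format and all log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines: timestamp, result, user, source address.
# The layout is hypothetical, not any vendor's real format.
SAMPLE_LOG = """\
2019-03-02T01:00:01 FAIL user=alice src=203.0.113.7
2019-03-02T01:00:03 FAIL user=bob src=203.0.113.7
2019-03-02T01:00:05 FAIL user=carol src=203.0.113.7
2019-03-02T01:00:07 FAIL user=dave src=203.0.113.7
2019-03-02T01:00:09 FAIL user=erin src=203.0.113.7
2019-03-02T01:00:11 OK user=frank src=203.0.113.7
2019-03-02T01:30:00 FAIL user=alice src=198.51.100.9
2019-03-02T01:31:00 FAIL user=alice src=198.51.100.9
2019-03-02T01:32:00 OK user=alice src=198.51.100.9
"""

def parse(line):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted distinct users} for every source whose failed
    logins hit at least `min_accounts` different accounts inside `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            users = {u for _, u in events[lo:hi + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits

def per_account_lockouts(log_text, threshold=5):
    """The account-in-isolation view the NCSC warns about: one spray
    attempt per account never reaches a lockout threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, result, user, _ = parse(line)
        if result == "FAIL":
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

On the sample, `detect_spray` flags 203.0.113.7 (five accounts failed within ten seconds) while `per_account_lockouts` flags nobody, which is exactly the gap the NCSC describes.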
Meanwhile, regularly audit user passwords against common password lists, using free or commercial tools.
So how do you prevent users from using common passwords? One way is to encourage checks through Troy Hunt’s HaveIBeenPwned password checker.
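As an added example serving the two paragraphs above (it is not code from the article, Citrix or HaveIBeenPwned), the following audits credentials against a common-password list and against the Pwned Passwords range endpoint using its k-anonymity lookup: only the first five hex characters of the SHA-1 hash are sent, and the reply is matched locally against the remaining 35. The network call is replaced by an offline stand-in built from a constructed breach set; COMMON_PASSWORDS and SAMPLE_CREDENTIALS are constructed.

```python
import hashlib

# Constructed stand-in for a common-password list; a real audit would load
# a published top-N list such as the one the NCSC study used.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed breach corpus (SHA-1 hex -> occurrence count) so the example
# runs offline. Counts are illustrative, not real HIBP figures.
_BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper(): n
             for p, n in [("password", 3730471), ("welcome1", 100000),
                          ("Tr0ub4dor&3", 42)]}

# Constructed sample credentials to audit (user -> password).
SAMPLE_CREDENTIALS = {"alice": "Password", "bob": "Tr0ub4dor&3",
                      "carol": "lamp river biscuit"}

def split_hash(password):
    """k-anonymity split: the 5-char prefix is queried, the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_range_response(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>,
    which answers with one 'SUFFIX:COUNT' line per known hash sharing the prefix."""
    lines = [f"{h[5:]}:{n}" for h, n in _BREACHED.items() if h[:5] == prefix]
    return "\r\n".join(lines)

def parse_range_response(body):
    """Parse a range reply into {suffix: count}; blank lines are skipped."""
    result = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            result[suffix.upper()] = int(count)
    return result

def pwned_count(password, fetch_range=fake_range_response):
    """Occurrences of the password in the corpus, 0 if never seen.
    Swap fetch_range for a real HTTPS GET of the range URL in production."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def audit_passwords(credentials, fetch_range=fake_range_response):
    """Return {user: reason} for every credential that should be rejected."""
    findings = {}
    for user, pw in credentials.items():
        if pw.lower() in COMMON_PASSWORDS:
            findings[user] = "on common-password list"
        else:
            n = pwned_count(pw, fetch_range)
            if n:
                findings[user] = f"seen {n} times in breach corpus"
    return findings
```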
“If the FBI are proved right and the loss of documents is down to password spraying then it’s another sign that businesses must do better at basic cyber hygiene,” says Nicola Whiting, chief strategy officer at Titania. “There are tools that can help them mitigate this quite quickly.”
She points out that criminals will often return to an "easy target" so hardening passwords and using 2FA – which may need to be via a third party – “is always a good idea”.
Another sensible precaution is a systems check to make sure there aren't any easy access points, back doors or areas where privileges could be escalated. Also check to make sure the hackers haven't added any additional user accounts, Whiting advises. “It's hard to say exactly what is most pressing as the investigation is still in early stages – but all of these should be fairly standard precautions.”
And finally, a word of warning
This incident could be more serious than we currently know, according to Ian Thornton-Trump, security head at AMTrust Europe: it’s possible the attackers have the source code for older products, possibly the Citrix NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, which is primarily used for secure remote access.
“Let's look back to 2012 when Symantec had the source code for PC Anywhere stolen - let's not forget that in this treasure trove of data Citrix may have given up the source code for LogMeIn as well as other products. PC Anywhere ceased to be a viable product and it was one of the nails in the coffin; the same could happen for LogMeIn.
“For folks that are not using a compensating control (such as a VPN) and are not locking down at the network level by whitelisting or some other method - the hunt is on for a Remote Code Execution software bug to launch against Citrix NetScaler Gateway. This is a really big deal if the source code is now in the hands of an APT actor. It certainly should send chills down the spine of all folks running a Citrix environment exposed to the internet. What happens if bug bounty or internal bug information is in the hands of an APT group?”
Thornton-Trump cites the example of RSA Security, which confirmed that stolen data about the company's SecurID authentication token was used in the 2011 attack against defense contractor Lockheed Martin.
The solution? “Take your Citrix environment inside your network,” says Thornton-Trump. “Do not expose it to the internet, protect access with multi-factor authentication and for goodness' sake, be on the lookout for indications of compromise. This is a very serious breach.”