Citrix attacked by password spraying


Citrix is warning that its internal network has been attacked by hackers. The workspace and enterprise networks company stated that the FBI contacted it with evidence of a successful cyberattack on its network. It looks like the hackers may have accessed and downloaded business documents. However, the specific documents that may have been accessed are currently unknown. So far, there's no indication that Citrix products or services were compromised.

The FBI notified Citrix that the hackers used a tactic known as password spraying, which is similar to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, the hackers will try a single commonly used password against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This is used to avoid account lock-outs stemming from too many failed login attempts. Password spraying attacks typically target single sign-on and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic. Targeting SSO applications helps maximize access to intellectual property if the attack succeeds.
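The pattern described above leaves a recognizable shape in authentication logs: one source failing against many distinct accounts, with only a few tries per account. The following is an added example, not code from the original article, Citrix or the FBI; the log format, thresholds, function names and sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (assumed format): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-15T09:00:01 203.0.113.10 alice FAIL
2024-01-15T09:00:03 203.0.113.10 bob FAIL
2024-01-15T09:00:05 203.0.113.10 carol FAIL
2024-01-15T09:00:07 203.0.113.10 dave FAIL
2024-01-15T09:00:09 203.0.113.10 erin FAIL
2024-01-15T09:45:02 203.0.113.10 alice FAIL
2024-01-15T09:45:04 203.0.113.10 bob FAIL
2024-01-15T09:45:06 203.0.113.10 carol SUCCESS
2024-01-15T09:10:00 198.51.100.7 alice FAIL
2024-01-15T09:10:01 198.51.100.7 alice FAIL
2024-01-15T09:10:02 198.51.100.7 alice FAIL
2024-01-15T09:20:00 192.0.2.55 bob FAIL
2024-01-15T09:20:30 192.0.2.55 bob SUCCESS
"""

def parse(log):
    """Yield (datetime, source, account, result) tuples from the line format above."""
    for line in log.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source: {"targeted": [...], "succeeded": [...]}} for spray-like sources."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            wins[src].add(user)
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1  # slide the window forward
            per_account = Counter(user for _, user in attempts[start:end + 1])
            # Spray shape: many distinct accounts, only a few tries against each.
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[src] = {"targeted": sorted(per_account), "succeeded": sorted(wins[src])}
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

Any account listed under `succeeded` for a flagged source should be treated as compromised and reset, since the login came from the same source that was spraying.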


Since the attackers likely gained a foothold with limited access, they probably worked to circumvent additional layers of security in Citrix's case. The investigation is ongoing, and Citrix stated that it would provide additional details as they become available. It is currently working with the FBI and a third-party cybersecurity firm to uncover what happened, and was able to secure its network again.

The news comes as Citrix begins implementing forced password resets for its ShareFile service customers. There has been a constant increase in internet-account theft, and the stolen credentials are often used to access other accounts. In response to this threat, Citrix is requiring a password reset and will be incorporating a regularly scheduled, forced password reset into its normal operating procedures.

Adding multi-factor authentication, or MFA, is the best way to validate the user's identity and protect against password theft. File shares are a prime target for hackers as they contain valuable and sensitive data. Changing passwords is not enough to prevent breaches because the new passwords can be stolen just as easily. Also, people tend to change passwords in very predictable ways, usually just changing the last characters. Currently, many types of file shares do not support MFA, leaving this data exposed to attacks.