Password Spraying – The Citrix Breach

Shimrit Tzur-David | March 18, 2019

On March 8, Citrix posted a statement confirming that the company’s internal network had been breached. Citrix became aware of the attack a couple of days earlier when the FBI advised that they had reason to believe that cyber criminals gained access to Citrix’s internal network.

Cybersecurity firm Resecurity claimed it had alerted Citrix to the attack as early as December 28, 2018, and that “threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct a targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.” They also called out the Iranian-backed IRIDIUM hacker group as the culprit.

While the breach is still under investigation and the full extent of the damage is not yet known, Citrix customers should be very concerned. Beyond customer records that may have been lost, attackers may have been able to get access to the source code of products like Netscaler Gateway (AKA Citrix Access Gateway), Logmein, and other highly sensitive products that may uncover a backdoor into Citrix customers’ networks. For those of us who remember, the attack against Lockheed Martin back in 2011 was made possible after security vendor RSA Security was breached, exposing the secrets that went into its SecurID authentication token that Lockheed used to protect its networks.

What caught our eyes here at Secret Double Octopus is the entry point the attackers used – a password spraying attack. On its blog, Stan Black, Citrix CSIO, discloses that “while not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

What is password spraying?

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing its password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time. In a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.
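The difference between the two patterns shows up clearly in authentication logs. The following detection sketch is an added example, not part of the original article; the log format, the sample events and the thresholds (`lockout_threshold`, `min_accounts`, `window`) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-03-01T08:00:00 198.51.100.9 carol FAIL
2019-03-01T08:00:20 198.51.100.9 carol FAIL
2019-03-01T08:00:40 198.51.100.9 carol FAIL
2019-03-01T08:01:00 198.51.100.9 carol FAIL
2019-03-01T08:01:20 198.51.100.9 carol FAIL
2019-03-01T09:00:00 203.0.113.7 alice FAIL
2019-03-01T09:20:00 203.0.113.7 bob FAIL
2019-03-01T09:40:00 203.0.113.7 carol FAIL
2019-03-01T10:00:00 203.0.113.7 dave FAIL
2019-03-01T10:20:00 203.0.113.7 erin OK
2019-03-01T13:00:00 203.0.113.7 alice FAIL
2019-03-01T14:00:00 192.0.2.44 frank FAIL
2019-03-01T14:00:30 192.0.2.44 frank OK
"""

def parse(log):
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome

def classify_sources(log, lockout_threshold=5, min_accounts=4,
                     window=timedelta(hours=24)):
    events = list(parse(log))
    cutoff = max(ts for ts, *_ in events) - window
    fails = defaultdict(Counter)   # source -> failed attempts per username
    hits = defaultdict(set)        # source -> accounts it logged in to
    for ts, src, user, outcome in events:
        if ts < cutoff:
            continue
        if outcome == "FAIL":
            fails[src][user] += 1
        else:
            hits[src].add(user)
    report = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= lockout_threshold:
            verdict = "brute-force"   # one account hammered; lockout fires
        elif len(per_user) >= min_accounts:
            verdict = "spray"         # many accounts, each below lockout
        else:
            verdict = "benign"        # e.g. a user mistyping a password
        report[src] = (verdict, sorted(hits[src]))
    return report
```

For a source flagged as `spray`, the second element of the result lists the accounts that source logged in to within the window, which are the ones to review and reset first.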


Password spraying is not the only form of attack on passwords.

Credential stuffing is another attack, in which stolen username (typically email address) and password pairs are injected automatically in an attempt to access accounts. Using automation tools, large numbers of compromised credentials are automatically entered into an application (typically a Web application) until success is achieved.

An important enabler for credential stuffing is the tendency of users to reuse passwords across more than one application. As a result, compromised credentials from one application can be used to access other applications, as seen at the HSBC breach last year.

A brute-force attack is when the attacker attempts to guess a password by systematically checking every possible option. Cheap, powerful computing makes it economically practical to guess longer and longer passwords. To overcome this, longer, more complex passwords can be required to make guessing impractical again.

Brute-force attacks can take place offline or online. In an offline attack, the attacker has access to the password hash and tries different keys without the risk of discovery or interference.

But hands down, the most widely used and effective attack on password-based authentication systems is credential theft. Within this category of attack, the easiest and also most prevalent is phishing, and its more targeted variant, spear phishing. Pretty much everyone who has email, SMS or any other kind of messaging app has likely seen and possibly fallen for a phishing attack.

“Zero days are overrated. Credential-stealing is how you get into networks” – Rob Joyce, NSA former head of Tailored Access Operations

Man-in-the-middle is another easy way to execute a credential theft attack. Attackers typically set up a fake WiFi hotspot, inject themselves in the middle of the user’s connection to the network, and eavesdrop to steal credentials and other data.

Last, and by no means least, are malware-based attacks that among other things steal credentials.


How do you prevent password related attacks? The old way

Traditional thinking on protecting password-based authentication systems inevitably starts with better password policies. Longer, more complex and more frequently updated passwords will likely render useless most password spraying attacks, and make any efforts to brute-force less effective.
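A practical caveat for policy authors: the two sample passwords mentioned earlier, ‘Password1’ and ‘Summer2017’, both satisfy a typical length-and-character-class rule. The check below is an added example, not part of the original article; the word lists, the `org_terms` default and the function names are hypothetical, and a real deployment would use a much larger denylist.

```python
import re

# Illustrative lists only (assumptions, not an exhaustive denylist).
SEASONS_MONTHS = ("spring|summer|autumn|fall|winter|january|february|march|"
                  "april|may|june|july|august|september|october|november|december")
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "changeme"}
LEET = str.maketrans("@4301$5!7", "aaeoissit")  # undo common substitutions

def meets_complexity(pw, min_len=8):
    """Classic rule: minimum length plus upper, lower and digit."""
    return (len(pw) >= min_len and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def spray_reason(pw, org_terms=("example",)):
    """Return why a password is an easy spray guess, or None."""
    # Drop the trailing digits/symbols users append, then normalise.
    core = re.sub(r"[\d\W_]+$", "", pw).lower().translate(LEET)
    if re.fullmatch(SEASONS_MONTHS, core):
        return "season/month + suffix"
    if core in COMMON_BASES:
        return "common base word + suffix"
    if core in org_terms:
        return "organisation name + suffix"
    return None

def evaluate(pw):
    if not meets_complexity(pw):
        return "reject: complexity"
    reason = spray_reason(pw)
    return f"reject: {reason}" if reason else "accept"
```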

Multi-step login processes and caps on the number of failed login attempts are relatively easy-to-implement controls that will prevent credential stuffing attacks.

And the dreaded second factor of authentication is prescribed when all else fails.

Adding a second factor of authentication to passwords solves many of the vulnerabilities of password-based authentication systems by making it a lot harder for an attacker to obtain a full set of credentials to access an account. But when used as an add-on to passwords, second factors retain many of the shortcomings associated with passwords, while adding a few of their own. But that’s a whole separate discussion for another blog.

How do you prevent password related attacks? The new way

To truly address the vulnerabilities of a password-based authentication system, you need to change the paradigm – you need to go passwordless.

To learn more, check out our passwordless authentication platform.