[BreachExchange] Why The Citrix Breach Matters -- And What To Do Next

Destry Winant destry at riskbasedsecurity.com
Mon Mar 11 10:17:44 EDT 2019


Over the weekend, it has emerged that Citrix has been hit by hackers
in attacks that potentially exposed large amounts of customer data.

On March 6, 2019, the FBI contacted Citrix with the news that
international cyber criminals had likely gained access to the internal
Citrix network. The firm says in a statement that it has taken action
to contain this incident. “We commenced a forensic investigation;
engaged a leading cyber security firm to assist; took actions to
secure our internal network; and continue to cooperate with the FBI,”
says Stan Black, Citrix CSIO.

According to security firm Resecurity, the attacks were perpetrated by
an Iranian-linked group known as IRIDIUM, which has hit more than 200
government agencies, oil and gas firms and technology companies. The
firm said it first reached out to Citrix on December 28, 2018 to share
an early warning notification about a targeted attack and data breach.
“Based on the timing and further dynamics, the attack was planned and
organized specifically during the Christmas period,” Resecurity says in a

“Based on our recent analysis, the threat actors leveraged a combination
of tools, techniques and procedures allowing them to conduct targeted
network intrusion to access at least 6 terabytes of sensitive data
stored in the Citrix enterprise network, including e-mail
correspondence, files in network shares and other services used for
project management and procurement.”

Resecurity says the group uses proprietary techniques to bypass 2FA
authorization for critical applications and services, gaining further
unauthorized access to virtual private network channels and single

What we know

It’s not yet possible to pinpoint what exactly has happened and the
nature of the data accessed. However, crucially, it appears that
hackers might have accessed and downloaded business documents: “In
investigations of cyber incidents, the details matter, and we are
committed to communicating appropriately when we have what we believe
is credible and actionable information,” says Black. “While our
investigation is ongoing, based on what we know to date, it appears
that the hackers may have accessed and downloaded business documents.”

However: “At this time, there is no indication that the security of
any Citrix product or service was compromised,” says Black.

How did hackers access the documents?

The FBI thinks the hackers likely used a tactic known as password
spraying, a method of exploiting weak passwords. Once in, they would
have gained a foothold with limited access and then worked to
circumvent additional layers of security.

The U.K.’s National Cyber Security Centre (NCSC) has warned about this
method in the past, whereby a short list of common passwords is tried
against a large number of accounts. “These attacks are successful
because for any given large set of users there will likely be some who
are using very common passwords, and these attacks can slip under the
radar of protective monitoring which only looks at each account in
isolation,” the NCSC says.
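The NCSC’s point is that a per-account lockout rule never fires during a spray, because each account sees only one or two failures; the signature only appears when failures are grouped across accounts by source. The following detector is an added example (not the article’s, the NCSC’s or Citrix’s code) that runs both rules over a constructed authentication log; the log format, usernames and addresses are invented for the example.

```python
"""Password-spray detection over authentication log lines.

Added example: a per-account rule (lockout after N failures) beside a
cross-account rule (one source failing against many distinct accounts with
few attempts each). The log format and SAMPLE_LOG are constructed for this
example and are not Citrix logs or NCSC tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO timestamp> auth_<success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays one guess across six accounts and
# lands on "frank"; 198.51.100.4 is a single user mistyping their own password.
SAMPLE_LOG = """\
2019-03-01T02:00:01 auth_failure user=alice src=203.0.113.7
2019-03-01T02:00:03 auth_failure user=bob src=203.0.113.7
2019-03-01T02:00:05 auth_failure user=carol src=203.0.113.7
2019-03-01T02:00:07 auth_failure user=dave src=203.0.113.7
2019-03-01T02:00:09 auth_failure user=erin src=203.0.113.7
2019-03-01T02:00:11 auth_success user=frank src=203.0.113.7
2019-03-01T02:00:13 auth_failure user=grace src=203.0.113.7
2019-03-01T02:05:00 auth_failure user=alice src=198.51.100.4
2019-03-01T02:05:20 auth_failure user=alice src=198.51.100.4
2019-03-01T02:05:40 auth_failure user=alice src=198.51.100.4
2019-03-01T02:06:00 auth_success user=alice src=198.51.100.4
"""


def parse(text):
    """Parse log text into a list of event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def per_account_lockouts(events, threshold=5):
    """Classic rule: flag any account with >= threshold failures.
    The spray never trips it, because each sprayed account fails once."""
    failures = defaultdict(int)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Cross-account rule: within `window`, one source failing against at least
    `min_accounts` distinct accounts with at most `max_per_account` attempts
    each. Returns {src: {"accounts": [...], "successes": [...]}}; a success from
    the same source in or just after the window is the lead to triage first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                lo, hi = fails[start]["ts"], fails[end]["ts"]
                successes = sorted({e["user"] for e in evs
                                    if e["result"] == "success" and lo <= e["ts"] <= hi + window})
                findings[src] = {"accounts": sorted(per_user), "successes": successes}
                break
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(events))
    print("spray sources:", detect_spray(events))
```

On the sample, the per-account rule returns nothing (alice’s three typos stay under the threshold, and every sprayed account failed once), while the cross-account rule flags 203.0.113.7 and lists frank as the account that accepted the sprayed guess. Tune `window`, `min_accounts` and `max_per_account` to the size of the user base; the NCSC's advice to put this monitoring on every externally reachable authentication endpoint means the parse step is the part that changes per product.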

The organization conducted a research study that allowed
participating firms to assess how vulnerable they would be to a
password spraying attack. It found 75% of the participating
organizations had accounts with passwords that featured in the top
1,000 and 87% had accounts with passwords that featured in the top

How many people are affected and what should Citrix customers do?

Currently, detailed information is unavailable, but of course the
incident could be pretty serious: Citrix provides virtual private
network access and credentials to 400,000 companies and other
organizations worldwide and 98% of the Fortune 500.

Citrix says: “Citrix deeply regrets the impact this incident may have
on affected customers. Citrix is committed to updating customers with
more information as the investigation proceeds, and to continuing to
work with the relevant law enforcement authorities.”

Of course, this incident illustrates the importance of simple security
measures. Use strong passwords: for example, a phrase or three random
words is much better than allowing users to reuse the same credentials
across systems.

The NCSC advises firms to configure protective monitoring over
externally-reachable authentication endpoints to look for password
spraying attacks and enforce multi-factor authentication on
externally-reachable authentication endpoints.

Meanwhile, regularly audit user passwords against common password
lists, using free or commercial tools.

So how do you prevent users from using common passwords? One way is to
encourage checks through Troy Hunt’s HaveIBeenPwned password checker.
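The audit the two paragraphs above describe has two parts: a check against a common-password list, and a check against a breached-password corpus. The Pwned Passwords service does the second with a k-anonymous lookup: only the first five hex characters of the password’s SHA-1 leave the machine, and the service returns every hash suffix in that bucket with its breach count. The block below is an added example (not the article’s, Citrix’s or HIBP’s code) meant for the password-change path, where the plaintext is available; the `COMMON_PASSWORDS` excerpt and the `FAKE_RANGES` response are constructed so it runs offline, and only the SHA-1 arithmetic is real.

```python
"""Password audit: common-list check plus k-anonymous breached-password lookup.

Added example. The live lookup shape follows the public Pwned Passwords range
API (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>,
response lines "SUFFIX:COUNT"). FAKE_RANGES is a constructed stand-in for that
response: the first suffix is the real remainder of SHA-1("password"), the
other two suffixes and all counts are invented. COMMON_PASSWORDS is a
constructed excerpt, not a real top-N list.
"""
import hashlib
import urllib.request

COMMON_PASSWORDS = {"123456", "qwerty", "letmein", "welcome1"}  # constructed excerpt

FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # SHA-1("password") remainder
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:3\n"         # invented
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\n"         # invented
    ),
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """5-character prefix (the only thing sent) and 35-character suffix (kept local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are ignored."""
    bucket = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        bucket[suffix.upper()] = int(count)
    return bucket


def fetch_range_offline(prefix):
    """Offline stand-in for the range API, backed by the constructed FAKE_RANGES."""
    return FAKE_RANGES.get(prefix, "")


def fetch_range_hibp(prefix):
    """Live lookup against the real service (not exercised here); sends only the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_offline):
    """How many times the password's hash appears in the corpus (0 if never)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit(credentials, fetch_range=fetch_range_offline):
    """credentials: {username: candidate_password}. Returns {username: reason}
    for every password a spray built from common or breached lists would hit."""
    findings = {}
    for user, pw in credentials.items():
        if pw.lower() in COMMON_PASSWORDS:
            findings[user] = "in common-password list"
            continue
        n = breach_count(pw, fetch_range)
        if n:
            findings[user] = f"seen {n} times in breach corpora"
    return findings


if __name__ == "__main__":
    # Constructed sample credentials for the offline run.
    print(audit({"alice": "qwerty", "bob": "password", "carol": "tr0ub4dor&3-constructed-unique"}))
```

Swap `fetch_range_hibp` in for `fetch_range_offline` to query the live service; the privacy property is the same either way, since the full hash is never transmitted. Rejecting a password that audits positive is a stronger control than the periodic sweep the article suggests, because it stops the weak credential from ever existing rather than finding it after the spray has already had a chance to run.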

“If the FBI are proved right and the loss of documents is down to
password spraying then it’s another sign that businesses must do
better at basic cyber hygiene,” says Nicola Whiting, chief strategy
officer at Titania. “There are tools that can help them mitigate this
quite quickly and instigating 2FA (where possible) is also a good

In addition, she points out that criminals will often return to an
“easy target”, so hardening passwords and using 2FA – which may need to
be via a third party – “is always a good idea”.

Another sensible precaution is a systems check to make sure there
aren't any easy access points, back doors or areas where privileges
could be escalated. Also check to make sure the hackers haven't added
any additional user accounts, Whiting advises. “It's hard to say
exactly what is most pressing as the investigation is still in early
stages – but all of these should be fairly standard precautions.”

And finally, a word of warning

This incident could be more serious than we currently know, according
to Ian Thornton-Trump, head of security at AMTrust Europe: it’s
possible the bad guys have the source code for older products, possibly
the Citrix NetScaler Gateway, formerly known as the Citrix Access
Gateway, or CAG, which is primarily used for secure remote access.

“Let's look back to 2012 when Symantec had the source code for PC
Anywhere stolen - let's not forget that in this treasure trove of data
Citrix may have given up the source code for LogMeIn as well as other
products. PC Anywhere ceased to be a viable product and it was one of
the nails in the coffin; the same could happen for LogMeIn.

“For folks that are not using a compensating control (such as a VPN)
and are not locking down at the network level by whitelisting or some
other method - the hunt is on for a Remote Code Execution software
bug to launch against Citrix NetScaler Gateway. This is a really big
deal if the source code is now in the hands of an APT actor. It
certainly should send chills down the spine of all folks running a
Citrix environment exposed to the internet. What happens if bug bounty
or internal bug information is in the hands of an APT group?

Thornton-Trump cites the example of RSA Security, which confirmed that
stolen data about the company's SecurID authentication token was used
in the 2011 attack against defense contractor Lockheed Martin.

The solution? “Take your Citrix environment inside your network," says
Thornton-Trump. "Do not expose it to the internet, protect access with
multi-factor authentication and for goodness' sake, be on the lookout
for indications of compromise. This is a very serious breach."
