Hackers used password spraying to steal weak credentials and gain access to Citrix’s networks. The FBI, which made the discovery, notified Citrix during the week.
Citrix, a virtual desktop and app vendor, also provides SaaS (software-as-a-service) and cloud computing services to organisations. It is one of the US government’s main contractors for agencies such as the U.S. military, the FBI and the White House communications agency. It is, therefore, a great target for hackers seeking crucial information about companies or government agencies.
Hackers use password spraying
Password spraying is a brute-force attack that guesses commonly used passwords. Working from a large list of usernames, the attacker runs a small number of likely passwords against each one to attempt access to accounts. Because each account sees fewer password attempts, the method avoids account lockouts. Due to poor password management or poor password policy adherence, the success rate of gaining access this way is higher than that of targeting specific users. In addition, password lists are more easily available for hackers to use.
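The following detection sketch is an added example, not part of the original article or of any Citrix or FBI material. It contrasts a per-account lockout counter with a per-source check over a constructed authentication log; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-15T09:00:05 203.0.113.7 alice FAIL
2024-01-15T09:00:09 203.0.113.7 bob FAIL
2024-01-15T09:00:14 203.0.113.7 carol FAIL
2024-01-15T09:00:19 203.0.113.7 dave FAIL
2024-01-15T09:00:25 203.0.113.7 erin OK
2024-01-15T09:01:00 198.51.100.4 frank FAIL
2024-01-15T09:01:10 198.51.100.4 frank FAIL
2024-01-15T09:01:20 198.51.100.4 frank FAIL
2024-01-15T09:01:30 198.51.100.4 frank FAIL
"""

LOCKOUT_THRESHOLD = 3            # assumed per-account lockout policy
SPRAY_MIN_USERS = 4              # assumed: distinct accounts failed from one source
WINDOW = timedelta(minutes=10)   # assumed correlation window

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def locked_accounts(events):
    # What a per-account failure counter sees: only repeated guesses on one user.
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    # Flag sources that fail against many distinct accounts inside WINDOW,
    # and report any account that logged in from the same source in that window.
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= WINDOW]
            failed = {u for _, u, res in in_window if res == "FAIL"}
            if len(failed) >= SPRAY_MIN_USERS:
                ok = {u for _, u, res in in_window if res == "OK"}
                findings[ip] = {"failed": failed, "succeeded": ok}
                break
    return findings
```

On the sample data the spraying source never reaches the per-account lockout threshold, so only the per-source view surfaces it, along with the account that needs an immediate credential reset.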
Through this attack, hackers were able to download documents pertaining to Citrix. It is not known whether customer data was affected. The CISO of Citrix, however, mentioned in his response to the breach that there was no indication of security being compromised. After gaining limited access to the network through password spraying, the hackers likely attempted to carry out further attacks to gain additional access to Citrix’s layers of security.
The researchers, Resecurity, claimed that Iridium, an Iranian state-sponsored actor, was likely to be behind the attack. They backed up their claim with confirmation that the group had hacked Citrix before, in December 2018. The sophistication of the hacks goes further: the group used techniques to bypass two-factor authentication, which allowed them to gain access to up to 6TB of data. The hackers allegedly focused on FBI-related projects, NASA and aerospace contracts, strengthening the researchers’ findings that it was a state-sponsored attack.