This article originally appeared in Search Security on July 24, 2019.
Following an investigation lasting nearly five months, Citrix revealed cybercriminals did not access any customer data but did steal business documents.
According to Citrix president and CEO, David Henshall, malicious actors accessed the company's internal network via a password spraying attack that exploited weak passwords. Henshall asserted that the Citrix breach did not involve the exploitation of any vulnerabilities and did not impact the security of "any Citrix product or customer cloud service."
"Once in our network, the cyber criminals intermittently accessed and, over a limited number of days between October 13, 2018, and March 8, 2019, principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice," Henshall wrote in a blog post. "The cyber criminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications."
The FBI originally notified Citrix on March 6 that malicious actors may have accessed to company systems, meaning it took just two days for access to be shut down to the attackers.
Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., said for an intrusion as significant as the Citrix breach, "the speed of the response is very unusual."
"Honestly, I'm surprised they did it that quickly. I would have expected it would take longer," Williams told SearchSecurity. "It's very important that you identify all access methods the attackers are using before tipping your hand with the response."
Usman Rahim, digital security and operations manager at The Media Trust, said it was "concerning" that attackers had access to Citrix systems for five months before the FBI alerted the company.
"Time is very sensitive in attacks like these, and in this case, the attackers had plenty," Rahim told SearchSecurity. "We expect better security measures from tech companies like Citrix around their assets and infrastructure. However, the information Citrix provided paints a picture of adequate security that allowed attackers access to their systems."
In light of the findings of the Citrix breach investigation, Henshall said the company has "taken significant actions to safeguard our systems and improve protocols," including deploying FireEye's endpoint security technology.
"We performed a global password reset, improved our internal password management, and strengthened password protocols," Henshall wrote. "Further, we improved our logging at the firewall, increased our data exfiltration monitoring capabilities, and eliminated internal access to non-essential web-based services along with disabling non-essential data transfer pathways."
It is unclear if these improvements include implementing two-factor authentication (2FA); Citrix declined to provide comments beyond what was in the public disclosure.
Williams noted that stronger passwords should help mitigate password spraying attacks.
"Password spraying is always successful if you don't have lockout policies, which unfortunately impact the user experience significantly. It's not an easy thing to shut down," Williams said. "Most orgs don't use 2FA internally because it absolutely impacts productivity. If it didn't have a business cost, everyone would use it for everything."
Richard Ford, CTO at threat intelligence vendor Cyren LLC, said he is shocked when corporate accounts don't use 2FA.
"With the adoption of mobile phones, companies such as Duo or RSA provide an easy way to supply a 'soft' second factor that significantly complicates life for the attacker," Ford wrote via email. "I keep hoping that this is the year we move away from simple username/password combinations, but adoption remains slow. It's something that we, as an industry, just need to embrace."
Rahim added that "basic multi-factor authentication could have prevented" the Citrix breach.
"They have not mentioned some of the measures they are planning to do, but MFA, password expiration, password hardening and policies for system access should be the starting points," Rahim said. "Companies need to think about these measures before the damage is done."