Citrix Falls Victim to Password Spraying Attack

On March 6, the FBI alerted Citrix that cyber criminals accessed at least six terabytes of data stored on its servers. The data theft is particularly concerning because Citrix’s products and services are used by the vast majority of Fortune 500 companies, as well as by governments and militaries. The company, however, states that there is no indication that the security of any Citrix product or service was compromised in the attack.

The hackers likely used a technique called password spraying to gain access. Password spraying is an attack on an account login page that pairs account user names with commonly used or weak passwords. A short list of common passwords is tried, brute-force style, against a large number of accounts. As Citrix itself stated, once the attackers “gained a foothold with limited access, they worked to circumvent additional layers of security.”

The need for unique, strong passwords has been stressed repeatedly, and this attack reinforces the point, yet many individuals and corporations have not taken heed. For instance, the U.K.’s National Cyber Security Centre (NCSC) conducted a study that allowed participating organizations to assess how vulnerable they would be to a password spraying attack. The NCSC found that 75 percent of the participants’ organizations had accounts with passwords that featured in the top 1,000 and 87 percent had accounts with passwords that featured in the top 10,000. According to the NCSC, “[t]hese attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only look at each account in isolation.”
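The monitoring gap the NCSC describes can be shown with a short detection sketch. This is an added example, not code from Citrix, the FBI or the NCSC; the log events, addresses, user names, thresholds and 30-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed events (time, source, user, success); not data from the incident."""
    t0 = datetime(2019, 3, 1, 9, 0, 0)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    events = []
    for rnd in range(2):  # one source tries 2 passwords on each of 8 accounts
        for i, user in enumerate(users):
            when = t0 + timedelta(minutes=20 * rnd, seconds=5 * i)
            events.append((when, "198.51.100.7", user, False))
    for i in range(3):  # one user mistypes three times, then logs in
        events.append((t0 + timedelta(minutes=3, seconds=10 * i), "203.0.113.20", "judy", False))
    events.append((t0 + timedelta(minutes=4), "203.0.113.20", "judy", True))
    return sorted(events)

def failures_by(events, key_index, window):
    """Yield (key, failures inside the sliding window) after every failed login."""
    recent = defaultdict(list)
    for event in events:
        when, success = event[0], event[3]
        if success:
            continue
        key = event[key_index]
        recent[key] = [e for e in recent[key] if when - e[0] <= window] + [event]
        yield key, recent[key]

def per_account_alerts(events, threshold=5, window=timedelta(minutes=30)):
    """Isolated view: an account alerts after `threshold` failures in the window."""
    return {user for user, hits in failures_by(events, 2, window) if len(hits) >= threshold}

def spray_alerts(events, min_accounts=5, window=timedelta(minutes=30)):
    """Cross-account view: a source alerts when it fails against many distinct accounts."""
    return {src for src, hits in failures_by(events, 1, window)
            if len({e[2] for e in hits}) >= min_accounts}

if __name__ == "__main__":
    sample = build_sample()
    print("per-account alerts:", per_account_alerts(sample))
    print("cross-account alerts:", spray_alerts(sample))
```

On the constructed log, the per-account rule stays silent because no single account sees more than three failures, while the cross-account rule flags the one source that failed against eight different accounts. Keying on source address is an assumption; the same distinct-account count can be taken over the whole login service when failures are spread across many addresses.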

To reduce the threat of similar attacks in the future, organizations can implement preventative measures such as password strength requirements and multi-factor authentication.
