Hackers used password spraying to breach Citrix, investigation confirms

Written by

The hackers who breached corporate VPN service provider Citrix last year used an unsophisticated technique that throws commonly used, weak passwords at a system until one works, the company’s investigators has confirmed.

The “password spraying” ploy allowed the hackers to steal business files from a Citrix network drive along with a drive linked with its consulting practice, Citrix President David Henshall wrote in a blog post last week. The attackers had access to the drives for a “limited number of days,” between October 2018 and March 2019, he said.

Henshall did not say who carried out the hack or what their ultimate objective was. VPN providers could be an enticing target for any set of hackers looking for a foothold in a corporation’s network.

“The cybercriminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications,” Henshall added.

A Citrix spokesperson did not immediately respond to a question of what those “internal applications” were and what they did.

The Florida-based company, which says it provides its services to more than 400,000 companies worldwide, is still reviewing what documents were accessed by the hackers and is in the process of notifying the “limited number of customers’” who might need to take “additional protective steps,” Henshall said.

In announcing the breach in March, Citrix said that password spraying was the likely, if unconfirmed, technique used by the attackers. But the company has now highlighted what it did to respond. It reset all passwords and shored up how it manages those credentials, is more closely monitoring data that leaves its networks, and has cut out internal access to its data for “non-essential” web services, according to Henshall.

To help with the clean-up, Citrix hired FireEye’s incident response unit, Mandiant, to remediate the breach. The FBI also investigated the breach.

With the investigation behind him, Henshall said he is focused on “fostering a security culture at Citrix that prioritizes prevention and also ensures that we detect and respond effectively to any future incidents.”