Citrix's 6TB hack made possible by weak passwords

Citrix has revealed the cause of a massive data breached revealed in March 2019 was weak passwords and systems that didn't detect brute-force login attacks.

News of the break-in was first delivered by security firm Resecurity, which informed Citrix of a problem in late 2018.

The FBI next contacted Citrix in early March 2019, before the vendor admitted to the issue on March 8.

Citrix has now wrapped up its own investigation into the breach with help from FireEye.

A blog post detailing the investigation confirmed that the cybercriminals gained access to Citrix’ network with a "password spraying" effort that tried multiple passwords for a distinct user name.

That effort worked and gave the attackers access to Citrix for around five months between 13 October 2018 and 8 March 2019.

The attackers primarily stole business files from a shared network drive used to store current and historical documents, as well as a drive associated with a web-based tool Citrix uses in its consulting practice.

The attackers also accessed individual virtual drives and company email accounts for a “very limited” number of users, the vendor said.

Citrix said there was no breach of security in any of its products or cloud services, nor were any of its products exploited to gain unauthorised access.

Since the breach, Citrix has performed a global password reset, improved internal password management and strengthened password protocols.

It also deployed endpoint agent technology from FireEye across its systems.

Citrix chief executive David Henshall said he was now focused on “fostering a security culture at Citrix that prioritises prevention and also ensure that we detect and respond effectively to any future incidents.”

“Further, we improved our logging at the firewall, increased our data exfiltration monitoring capabilities, and eliminated internal access to non-essential web-based services along with disabling non-essential data transfer pathways.”

As well it should: password spraying is an old and well-understood form of attack that is often combated with the simple precaution of limiting the number of login attempts that will be accepted over a set period.

For Citrix not to have such controls in place is a long way short of known best practice.

The cybersecurity committee formed in response to the breach will also become a permanent fixture of Citrix’s governance model.