The Citrix Breach: What Is Password Spraying, Anyway?

Teresa Rothaar
Published in The Rothaar Report
Mar 13, 2019

It is believed that hackers got into Citrix’s systems through a password spraying attack. What does that mean? Image source: pixabay.com on Pexels

If initial accounts from cybersecurity firm Resecurity are accurate, the Citrix Systems breach could turn out to be bad: really, really bad. Citrix is a major federal government contractor, and nation-state hackers have been ramping up their efforts to breach federal agencies and steal classified data by hacking weak links in the federal supply chain. According to an internal U.S. Navy review procured by the Wall Street Journal, Navy contractors are “under cyber siege,” particularly by Chinese nation-state hackers.

Resecurity alleges that Citrix was breached by an Iranian hacker group known as Iridium, which has also targeted other government agencies and oil and gas companies. It is believed the hackers got in by way of a password spraying attack. Ironically, not quite a year ago, the FBI and the U.S. Department of Homeland Security released an alert warning of an upsurge in password spraying. This alert came on the heels of — I can’t make this up — a federal indictment of nine Iranian nationals for hacking on behalf of their home country.

So, what is password spraying, anyway?

As opposed to credential stuffing or dictionary attacks, which involve bombarding servers with possible credentials en masse, password spraying takes a slower, more surgical approach, which makes the attack more difficult to detect.

Hackers obtain a relatively small list of commonly used passwords, such as “password123.” (Yes, people still use passwords like this despite years of having been warned not to.) They combine this list with a long list of user names for the organization they are targeting. This small number of passwords is tested against lots and lots of user names. Because the system isn’t seeing a large number of attempts to log in to any one user account at a time, the attack flies under the radar.

Unfortunately for the target organization, it’s likely that at least one person on the list is being naughty and using a password from this list. If this is the case, BAM, hackers have found their way in.

But wait a minute; how did they get those user names?

It’s not hard. Hackers can either perform some simple reconnaissance themselves or hire someone on a gig site to do it for a buck or two an hour. First, a list of employees is drawn up using information about the target company gleaned from public websites and social media networks — perhaps even the company’s own public employee directory. This directory may include full corporate email addresses. Even if it doesn’t, those aren’t hard to get, either. Just perform a search on an employee’s name, and you’ll likely find their email address on another website or a social media network.

With Employee Zero’s email address in hand, hackers know what nomenclature the organization uses to assign email addresses and can make educated guesses as to everyone else’s. For example, if Fox Mulder’s FBI address was fmulder@fbi.gov, it’s likely that you could have reached his cohorts at dscully@fbi.gov, wskinner@fbi.gov, and so on.

Another variation involves obtaining lists of compromised logins from massive breaches, like the Yahoo breach, doing some cyber-stalking to find out where the users work, and seeing if they use the same passwords at work that they did for their compromised account.

What the hell can my company do about this?

The Department of Homeland Security has some suggestions for detecting and preventing password spray attacks.
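The reason the attack "flies under the radar" is that per-account lockout counters never reach their threshold; a spray only becomes visible when you pivot from the account to the source and count how many distinct user names each source is failing against. The following is an added example (not from the original post or from DHS) of that pivot run over a few constructed log lines; the log format, the IP addresses and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source trying one guess against
# many accounts, plus a legitimate user mistyping her own password twice.
SAMPLE_LOG = """\
2019-03-01T09:00:01Z FAIL user=fmulder src=203.0.113.7
2019-03-01T09:00:14Z FAIL user=dscully src=203.0.113.7
2019-03-01T09:00:29Z FAIL user=wskinner src=203.0.113.7
2019-03-01T09:00:44Z FAIL user=akrycek src=203.0.113.7
2019-03-01T09:01:02Z FAIL user=jdoggett src=203.0.113.7
2019-03-01T09:01:19Z OK   user=mreyes src=203.0.113.7
2019-03-01T09:05:00Z FAIL user=dscully src=198.51.100.22
2019-03-01T09:05:09Z FAIL user=dscully src=198.51.100.22
2019-03-01T09:05:20Z OK   user=dscully src=198.51.100.22
"""

LINE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")  # assumed format

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def per_account_lockouts(log, threshold=5):
    """Classic control: lock an account after N failures. Returns locked users.
    A spray never trips this, because each account sees only one or two tries."""
    fails = defaultdict(int)
    for _, result, user, _ in parse(log):
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(log, window=timedelta(minutes=10), min_users=4):
    """Spray indicator: one source failing against many DISTINCT accounts inside
    a time window. Returns {src: sorted distinct users} for sources that trip."""
    events = sorted((ts, u, s) for ts, res, u, s in parse(log) if res == "FAIL")
    hits = defaultdict(set)
    for i, (ts, _, src) in enumerate(events):
        in_window = {u for t, u, s in events[i:] if s == src and t - ts <= window}
        if len(in_window) >= min_users:
            hits[src] |= in_window
    return {src: sorted(users) for src, users in hits.items()}

def suspect_successes(log):
    """Accounts that logged in successfully from a flagged source: the 'BAM'
    moment, and the first accounts to reset and review."""
    flagged = spray_sources(log)
    return sorted((u, s) for _, res, u, s in parse(log) if res == "OK" and s in flagged)
```

On the sample, the lockout rule returns nothing while the per-source rule flags the spraying address and the one account it got into.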

Among other things, the Citrix breach is a lesson on both the folly of allowing employees to choose their own passwords, any passwords, and the importance of using multi-factor authentication (MFA) to secure enterprise systems.

Hopefully, it won’t also turn out to be another lesson on just how insecure the federal supply chain really is.

Professional freelance copywriter specializing in cybersecurity and cloud. MBA, marathon runner, breast cancer survivor, and X Phile. wildowldigital.com