Password spraying fingered in Citrix breach

Virtualisation vendor admits hackers may have gained access to internal business documents by using technique that exploits weak passwords

Citrix has admitted that hackers may have accessed and downloaded internal business documents after possibly using password spraying tactics to gain access to its network.

The virtualisation giant announced over the weekend that the FBI had contacted it on 6 March to advise it of the possible breach.

"Citrix has taken action to contain this incident," said Citrix chief security and information officer, Stan Black.

"We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to co-operate with the FBI."

Ongoing investigations suggest the hackers may have accessed and downloaded unknown business documents, Citrix said, although Black added that there is "no indication that the security of any Citrix product or service was compromised".

The FBI suspects the hackers used password spraying, a tactic that exploits weak passwords, Black said.

The UK's National Cyber Security Centre (NCSC) warned last May that password spraying attacks succeed because, in any given large set of users, some will likely be using very common passwords, and that these attacks can slip under the radar of protective monitoring that looks at each account only in isolation.

A study it conducted found that 75 per cent of participants' organisations had accounts with passwords that featured in the top 1,000 passwords, while 87 per cent had accounts with passwords that featured in the top 10,000.

The NCSC has several recommendations for mitigating spraying attacks, including protective monitoring of externally reachable authentication endpoints to look for the spraying pattern across accounts.
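One way to implement the cross-account protective monitoring the NCSC describes, shown beside the per-account lockout logic a spray slips past; this is an added example, not code from the article, Citrix or the NCSC, and the log format, thresholds, IP addresses and sample lines are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log ("timestamp user source_ip result"); not real data.
SAMPLE_LOG = """\
2019-03-06T09:00:01 alice 203.0.113.10 FAIL
2019-03-06T09:00:05 bob   203.0.113.10 FAIL
2019-03-06T09:00:09 carol 203.0.113.10 FAIL
2019-03-06T09:00:14 dave  203.0.113.10 FAIL
2019-03-06T09:00:18 erin  203.0.113.10 FAIL
2019-03-06T09:00:22 grace 203.0.113.10 SUCCESS
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def per_account_lockout(events, threshold=5):
    """Per-account control: flags a user only after N failures on that user."""
    fails = defaultdict(int)
    flagged = set()
    for _, user, _, result in events:
        if result == "FAIL":
            fails[user] += 1
            if fails[user] >= threshold:
                flagged.add(user)
    return flagged

def spray_detector(events, window=timedelta(minutes=10), min_accounts=5):
    """Cross-account monitoring: one source failing against many distinct users
    inside the window is a spray, even at a single attempt per user."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = users
                break
    return alerts

def successes_from(events, ip):
    """Accounts that authenticated from a flagged source: treat as suspect."""
    return {u for _, u, src, r in events if src == ip and r == "SUCCESS"}
```

On the sample log the per-account check flags nothing, because every user saw a single failure, while the cross-account check raises one alert for the source and points at the account that then logged in successfully from it.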