Citrix has revealed that the cause of a massive data breach disclosed in March 2019 was weak passwords and systems that didn't detect brute-force login attacks.
News of the break-in was first delivered by security firm Resecurity, which informed Citrix of a problem in late 2018. The FBI next contacted Citrix in early March 2019, before the vendor admitted to the issue on March 8th.
Citrix has now wrapped up its own investigation into the breach with help from FireEye.
A blog post detailing the investigation confirmed that the cybercrims gained access to Citrix's network with a "password spraying" effort that tried multiple passwords for a distinct user name.
That effort worked and gave the attackers access to Citrix for around five months between 13 October 2018 and 8 March 2019. The attackers primarily stole business files from a shared network drive used to store current and historical documents, as well as a drive associated with a web-based tool Citrix uses in its consulting practice.
The attackers also accessed individual virtual drives and company email accounts of a "very limited" number of users.
Citrix noted that there was no compromise or exfiltration beyond what’s already been disclosed, and that there was no breach of security in any of Citrix’s products or cloud services, nor were any of its products exploited to gain unauthorised access.
Since the breach, Citrix has performed a global password reset, improved internal password management and strengthened password protocols. Citrix also deployed endpoint agent technology from FireEye across its systems.
Citrix chief executive David Henshall said he was now focused on “fostering a security culture at Citrix that prioritises prevention and also ensure that we detect and respond effectively to any future incidents.”
“Further, we improved our logging at the firewall, increased our data exfiltration monitoring capabilities, and eliminated internal access to non-essential web-based services along with disabling non-essential data transfer pathways.”
As well it should: password spraying is an old and well-understood form of attack that is often combated with the simple precaution of limiting the number of login attempts that will be accepted over a set period. For Citrix not to have such controls in place is a long way short of known best practice.
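To make the control described above concrete, here is an added detection example (not Citrix's or FireEye's code) that replays constructed authentication log lines through a sliding window. It raises an alert when one account accumulates too many failures, which is what a per-account attempt limit catches, and separately when one source fails against many distinct accounts in the window, since a guess-spread-across-accounts pattern stays under any single account's limit; the log format, thresholds and field names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not Citrix data).
SAMPLE_LOG = """\
2018-10-13T02:00:01Z FAIL src=203.0.113.7 user=alice
2018-10-13T02:00:09Z FAIL src=203.0.113.7 user=bob
2018-10-13T02:00:17Z FAIL src=203.0.113.7 user=carol
2018-10-13T02:00:25Z FAIL src=203.0.113.7 user=dave
2018-10-13T02:00:33Z FAIL src=203.0.113.7 user=erin
2018-10-13T02:05:00Z FAIL src=198.51.100.2 user=grace
2018-10-13T02:05:30Z FAIL src=198.51.100.2 user=grace
2018-10-13T02:06:00Z FAIL src=198.51.100.2 user=grace
2018-10-13T02:06:30Z FAIL src=198.51.100.2 user=grace
2018-10-13T02:07:00Z FAIL src=198.51.100.2 user=grace
2018-10-13T03:30:00Z FAIL src=192.0.2.9 user=heidi
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+src=(\S+) user=(\S+)$")

def parse(log):
    """Turn log text into (timestamp, result, source, user) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, window=timedelta(minutes=10), per_user=5, per_src_users=5):
    """Return sorted (kind, key) alerts over a sliding time window:
    'bruteforce' = per_user+ failures on one account (per-account limit);
    'spray' = one source failing on per_src_users+ distinct accounts."""
    user_fails = defaultdict(list)   # user -> recent failure timestamps
    src_fails = defaultdict(list)    # src  -> recent (timestamp, user)
    alerts = set()
    for ts, result, src, user in sorted(events):
        if result != "FAIL":
            continue
        user_fails[user] = [t for t in user_fails[user] if ts - t <= window] + [ts]
        if len(user_fails[user]) >= per_user:
            alerts.add(("bruteforce", user))
        src_fails[src] = [(t, u) for t, u in src_fails[src] if ts - t <= window] + [(ts, user)]
        if len({u for _, u in src_fails[src]}) >= per_src_users:
            alerts.add(("spray", src))
    return sorted(alerts)
```

In a real deployment the same counters would be fed from the firewall or identity-provider logs Citrix mentions improving, and the thresholds tuned to the environment's normal failure rate.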
The cybersecurity committee formed in response to the breach will also become a permanent fixture of Citrix’s governance model.
Henshall's post concluded: "Finally, I want to express my sincerest appreciation to the employees and customers that have been impacted by this incident for their understanding and support."
He also wrote: "Throughout the investigation, we have endeavored to be as transparent as possible with key findings and lessons learned, but we recognize that is not enough," adding that the company is "doing everything possible to ensure this type of incident cannot happen again."