A group of hackers used a password spraying attack to compromise Citrix’s internal network. Learn what password spraying is and how to defend against it.
If you never heard of “password spraying” before, you are not alone. It is a relatively unknown term — except to cybercriminals. In fact, a group of hackers known as Iridium is extremely familiar with password spraying. It used this technique to infiltrate Citrix.
On March 6, 2019, the US Federal Bureau of Investigation (FBI) warned Citrix that an international hacking group had likely accessed the company’s internal network. Citrix found that its network had indeed been compromised. In a blog about the incident, Citrix’s chief security information officer Stan Black noted that the hackers used password spraying to gain a foothold in the network.
At this time, not much is being said about what the hackers stole, except that they might have downloaded business documents. “The specific documents that may have been accessed, however, are currently unknown,” said Black.
Password Spraying 101
So, what is password spraying? It is a different approach to cracking login credentials.
To keep hackers out, accounts are protected by login credentials, which consist of a username — usually an email address — and a password. Most cybercriminals attempt to crack credentials by trying a known email address with a plethora of possible passwords. This is often done with automated brute-force password-cracking tools.
Password spraying takes the opposite approach. Hackers assume that at least one person is using a weak password (e.g., “F00tball “), so they try to find the email address of that person. They pair weak passwords with many different accounts in many different organizations, according to Alex Simons, the director of program management in the Microsoft Identity Division. “For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts,” explained Simons.
How to Defend against These Types of Attacks
To defend against password spraying attacks, large organizations sometimes use real-time detection and protection systems. These systems are often out of reach for small and midsized businesses, but they are not defenseless. Password spraying attacks still rely on weak passwords being used. As a result, small and midsized businesses can protect themselves by giving employees the tools they need to create strong passwords and using multi-factor authentication.
An important line of defense for any company is having employees create strong passwords, especially if those passwords are for IT system and service accounts. Trying to memorize many strong passwords, though, can be challenging. Thus, employees might be tempted to use weak, easy-to-remember passwords or variations of the same password for multiple accounts.
To help employees avoid these temptations, businesses can take advantage of password managers. With a password manager, people can easily generate and store strong passwords. All they have to do is remember one strong password.
Another measure to take is to use two-step verification (also known as two-factor authentication) for accounts. With two-step verification, a second credential is needed to log in, such as a security code. This means that even if hackers have the credentials for an account, they would not be able to access it.
If you would like more information about password spraying attacks and how to defend against them, let us know.
Hacker flickr photo by Free For Commercial Use (FFC) shared under a Creative Commons (BY) license
