Password-based Hack of Citrix

Citrix is a well-known company that sells remote-access software solutions worldwide.  Citrix is large.  They have hundreds of thousands of customers.  They have the resources to deploy the best and most elaborate security.  Back in October 2018, the networking software company was hacked.  But the hack was nothing sexy.  They were compromised by a simple password-guessing scheme called “password spraying” and they didn’t even know it yet.


Password spraying is when attackers simply guess the passwords of known accounts using a list of common passwords.  It is a crude, brute-force method, but can be incredibly effective when the target businesses don’t employ the necessary defenses.


The worst part of a password-based attack is what happens once it succeeds.  It is possible to detect the attack while it is happening (for example, there are more authentication attempts per time period than expected), but it is nearly impossible to detect the moment an attacker successfully logs into a target account.  This is because that login event "looks" just as legitimate as the actual account owner using the same credentials to log into the same account.  In fact, Citrix did not even realize hackers were actively breaching their network.  The FBI contacted Citrix in March 2019 to inform them that they believed the cyber-criminals had gained access to Citrix's internal network.
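As an added example (not from the original post and not Password RBL's code), the Python below implements the rate signal described above over constructed log lines in a hypothetical "timestamp src= user= result=" format: a source whose failed logins touch many distinct accounts within a short window is flagged as spraying, and any successful login from that same source is reported alongside it, because on its own that success looks like a normal login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp src= user= result=" format;
# they are not from Citrix or any real system.
SAMPLE_LOG = """\
2019-03-01T10:00:01 src=198.51.100.7 user=alice result=FAIL
2019-03-01T10:00:03 src=198.51.100.7 user=bob result=FAIL
2019-03-01T10:00:05 src=198.51.100.7 user=carol result=FAIL
2019-03-01T10:00:07 src=198.51.100.7 user=dave result=FAIL
2019-03-01T10:00:09 src=198.51.100.7 user=erin result=FAIL
2019-03-01T10:00:11 src=198.51.100.7 user=frank result=SUCCESS
2019-03-01T10:02:00 src=203.0.113.9 user=alice result=FAIL
2019-03-01T10:02:30 src=203.0.113.9 user=alice result=SUCCESS
2019-03-01T11:30:00 src=192.0.2.44 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log_text):
    """Yield (timestamp, src, user, ok) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, res = m.groups()
            yield datetime.fromisoformat(ts), src, user, res == "SUCCESS"

def detect_spraying(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures hit >= min_accounts distinct users inside
    `window` (many accounts, few guesses each: a spray, not a single-account
    brute force). Returns {src: {"accounts": [...], "successes": [...]}},
    where successes are logins from a flagged source."""
    fails = defaultdict(list)   # src -> [(ts, user), ...]
    succ = defaultdict(list)    # src -> [(ts, user), ...]
    for ts, src, user, ok in parse(log_text):
        (succ if ok else fails)[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = {
                    "accounts": sorted(users),
                    "successes": sorted(u for _, u in succ.get(src, [])),
                }
                break
    return flagged
```

Tune `window` and `min_accounts` to the login volume of the system being monitored; the single-account failures from 203.0.113.9 are deliberately not flagged, since that shape is a forgotten password or a targeted brute force, not a spray.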


Because these unauthorized logins do not raise any alarms, the Citrix attackers were able to keep logging into the victim accounts and root around inside Citrix's corporate network for five months!  They had plenty of time to discover the interior systems and data layout and thus were able to make off with a swath of proprietary data, Social Security numbers and other personal identity data, as well as payment card information.


To prevent such an attack, all Citrix needed to do was employ Password Blacklisting.  Yes, Multi-Factor Authentication (MFA) is an effective defense against password-based attacks, too, but there are commonly many reasons MFA doesn't get deployed everywhere, including cost, complexity, incompatibility, end-user training, and more.  Password Blacklisting, on the other hand, is simple, affordable and, best of all, incredibly effective.


Password RBL has solutions for customers of all sizes; they are super-easy to deploy and use, and they provide the power of 3 password blacklists.  Get started today – costs are typically just a few dollars per user per YEAR (yes, per Year, not per month).