Tag Archives: investigation

Citrix breach blamed on poor password security

Following an investigation lasting nearly five months, Citrix revealed cybercriminals did not access any customer data but did steal business documents.

According to Citrix president and CEO, David Henshall, malicious actors accessed the company’s internal network via a password spraying attack that exploited weak passwords. Henshall asserted that the Citrix breach did not involve the exploitation of any vulnerabilities and did not impact the security of “any Citrix product or customer cloud service.”

“Once in our network, the cyber criminals intermittently accessed and, over a limited number of days between October 13, 2018, and March 8, 2019, principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice,” Henshall wrote in a blog post. “The cyber criminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications.”

The FBI originally notified Citrix on March 6 that malicious actors may have accessed company systems, meaning it took just two days for the attackers' access to be shut down.

Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., said for an intrusion as significant as the Citrix breach, “the speed of the response is very unusual.”

“Honestly, I’m surprised they did it that quickly. I would have expected it would take longer,” Williams told SearchSecurity. “It’s very important that you identify all access methods the attackers are using before tipping your hand with the response.”

Usman Rahim, digital security and operations manager at The Media Trust, said it was “concerning” that attackers had access to Citrix systems for five months before the FBI alerted the company.

“Time is very sensitive in attacks like these, and in this case, the attackers had plenty,” Rahim told SearchSecurity. “We expect better security measures from tech companies like Citrix around their assets and infrastructure. However, the information Citrix provided paints a picture of adequate security that allowed attackers access to their systems.”

In light of the findings of the Citrix breach investigation, Henshall said the company has “taken significant actions to safeguard our systems and improve protocols,” including deploying FireEye’s endpoint security technology.

“We performed a global password reset, improved our internal password management, and strengthened password protocols,” Henshall wrote. “Further, we improved our logging at the firewall, increased our data exfiltration monitoring capabilities, and eliminated internal access to non-essential web-based services along with disabling non-essential data transfer pathways.”

It is unclear if these improvements include implementing two-factor authentication (2FA); Citrix declined to provide comments beyond what was in the public disclosure.

Williams noted that stronger passwords should help mitigate password spraying attacks.

“Password spraying is always successful if you don’t have lockout policies, which unfortunately impact the user experience significantly. It’s not an easy thing to shut down,” Williams said. “Most orgs don’t use 2FA internally because it absolutely impacts productivity. If it didn’t have a business cost, everyone would use it for everything.”
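The lockout trade-off Williams describes is worth seeing concretely: a spray tries one or two common passwords against many accounts, so each account sees only one or two failures and a per-account lockout threshold never trips, while a brute-force against a single account does trip it. The script below is an added example (not code from Citrix, Rendition Infosec or the original article) that replays constructed authentication log lines through a simulated per-account lockout policy and a source-centric spray detector; the log format, the IP addresses, the account names and the thresholds are all assumptions chosen for illustration.

```python
"""Per-account lockout vs. source-centric password-spray detection.

Added illustrative example. The log format is an assumed, simplified
"<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>" line; real
inputs would be Windows 4625/4624 events, AD FS, VPN or SSO logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                  # failures per account ...
LOCKOUT_WINDOW = timedelta(minutes=30)  # ... inside this window lock the account
SPRAY_MIN_ACCOUNTS = 8                 # distinct accounts failed from one source ...
SPRAY_WINDOW = timedelta(minutes=10)    # ... inside this window raise an alert

# Constructed sample data (hypothetical addresses and users):
#   203.0.113.7 sprays one password across 12 accounts, one attempt each,
#               and happens to guess dave's password.
#   192.0.2.9   brute-forces the single account alice.
#   198.51.100.5 is a real user (carol) mistyping twice before logging in.
SAMPLE_LOG = """\
2018-10-13T02:00:00 203.0.113.7 alice FAILURE
2018-10-13T02:00:10 203.0.113.7 bob FAILURE
2018-10-13T02:00:20 203.0.113.7 chris FAILURE
2018-10-13T02:00:30 203.0.113.7 dave SUCCESS
2018-10-13T02:00:40 203.0.113.7 erin FAILURE
2018-10-13T02:00:50 203.0.113.7 frank FAILURE
2018-10-13T02:01:00 203.0.113.7 grace FAILURE
2018-10-13T02:01:10 203.0.113.7 heidi FAILURE
2018-10-13T02:01:20 203.0.113.7 ivan FAILURE
2018-10-13T02:01:30 203.0.113.7 judy FAILURE
2018-10-13T02:01:40 203.0.113.7 kevin FAILURE
2018-10-13T02:01:50 203.0.113.7 larry FAILURE
2018-10-13T02:05:00 192.0.2.9 alice FAILURE
2018-10-13T02:05:10 192.0.2.9 alice FAILURE
2018-10-13T02:05:20 192.0.2.9 alice FAILURE
2018-10-13T02:05:30 192.0.2.9 alice FAILURE
2018-10-13T02:05:40 192.0.2.9 alice FAILURE
2018-10-13T02:05:50 192.0.2.9 alice FAILURE
2018-10-13T02:10:00 198.51.100.5 carol FAILURE
2018-10-13T02:10:20 198.51.100.5 carol FAILURE
2018-10-13T02:10:40 198.51.100.5 carol SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user.lower(), "ok": result == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def accounts_locked_out(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Simulate a per-account lockout policy; return the accounts that would lock."""
    recent_failures = defaultdict(list)
    locked = set()
    for e in events:
        if e["ok"]:
            continue
        kept = [t for t in recent_failures[e["user"]] if e["ts"] - t <= window]
        kept.append(e["ts"])
        recent_failures[e["user"]] = kept
        if len(kept) >= threshold:
            locked.add(e["user"])
    return locked


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Flag sources that fail against many distinct accounts in a short window.

    The pivot is source -> distinct accounts, not account -> failures, which is
    what lets this catch a spray that stays under the lockout threshold.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # sliding window per source
            failed, succeeded = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                (succeeded if e["ok"] else failed).add(e["user"])
            if len(failed) >= min_accounts:
                alerts.append({"src": src, "start": start["ts"],
                               "failed_accounts": len(failed),
                               "compromised": sorted(succeeded)})
                break                            # one alert per source
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by per-account policy:", sorted(accounts_locked_out(evs)))
    for a in detect_spray(evs):
        print(f"spray from {a['src']} at {a['start']}: "
              f"{a['failed_accounts']} accounts failed, "
              f"successes on {a['compromised']}")
```

Run against the constructed sample, the lockout policy locks only alice (the brute-forced account) and never reacts to the spraying source, while the source-centric detector flags 203.0.113.7 and surfaces dave as the account it logged into; in a real deployment the success list is the first thing a responder would reset and hunt from.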

Richard Ford, CTO at threat intelligence vendor Cyren LLC, said he is shocked when corporate accounts don’t use 2FA.

“With the adoption of mobile phones, companies such as Duo or RSA provide an easy way to supply a ‘soft’ second factor that significantly complicates life for the attacker,” Ford wrote via email. “I keep hoping that this is the year we move away from simple username/password combinations, but adoption remains slow. It’s something that we, as an industry, just need to embrace.”

Rahim added that “basic multi-factor authentication could have prevented” the Citrix breach.

“They have not mentioned some of the measures they are planning to do, but MFA, password expiration, password hardening and policies for system access should be the starting points,” Rahim said. “Companies need to think about these measures before the damage is done.”


Congress wants CVE program changes from DHS and MITRE

The House Energy and Commerce Committee completed its investigation of the Common Vulnerabilities and Exposures program this week and requested “significant changes to the very foundation of the CVE program.”

The investigation began in March of 2017 following media reports on extensive issues with the CVE tracking system, including long backlogs for assigning CVE identifiers to vulnerabilities. In letters to both the Department of Homeland Security (DHS) and MITRE Corporation — the two entities that manage the CVE program — members of the E&C Committee noted that changes have already been made to the CVE program, but said these changes didn’t address root issues with the program.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” Committee members wrote in the letters. “The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes — the contract-based nature of the program and the lack of oversight — which have yet to be addressed.”

During its investigation into the CVE program, the E&C Committee found red flags right from the start.

“Given the importance of the CVE program as critical cyberinfrastructure, the Committee expected to receive substantially more documentation in response to its request than was produced,” the Committee wrote in the letter to DHS. “[T]he Committee was surprised by the dearth of produced analyses, timelines, and other oversight materials documenting the year-over-year health of the program. The Committee finds the lack of documentation produced by DHS and MITRE to be revealing in and of itself.” 

The Committee members said the contract-based nature of the CVE program led to inconsistent funding, short-term planning and thousands of vulnerabilities per year that didn’t receive CVE numbers. The Committee suggested this be changed to make funding a PPA (Program, Project, or Activity) line item in the DHS budget in the hopes of forcing DHS and MITRE to take the program more seriously.

“The documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyberinfrastructure. Instead, both organizations continued to manage and fund the program through a series of contracts which themselves were unstable,” the committee wrote. “This approach was perhaps to be expected given that neither organization, according to produced documentation, performed the level of oversight needed to ensure the program continued to fulfill its purpose and meet stakeholder needs.”

The Committee also requested DHS and MITRE perform biennial reviews of the CVE program “to ensure its effectiveness and stability.”

“Since the CVE program’s inception, the nature of cybersecurity threats it is meant to address has drastically evolved. So, too, have stakeholders’ needs. Yet the scope and mission of the CVE program have not undergone similar transformation,” the Committee wrote. “By conducting regular reviews of the program, officials would be able to develop short, medium and long-term goals and then evaluate their progress at achieving those goals.”

However, even these changes to so-called “root-causes” of the CVE program’s issues weren’t enough for all experts. K. Reid Wightman, vulnerability analyst at Dragos Inc., said on Twitter the recommendations showed “the wildly inaccurate CVSS scores that accompany most CVEs was out of scope,” but added he would be “glad if some progress is made on assignments at least.”

DHS and MITRE have until Sept. 4 to respond to the recommendations made by the E&C Committee.

Kaspersky-Russian ties still unclear despite FBI push

Concerns over how the FBI has handled the investigation into potential Kaspersky-Russian ties have led some experts to say the FBI should be more transparent with evidence before it continues its push to get private companies to abandon Kaspersky Lab products.

Fear over potential Kaspersky-Russian ties has already led to Kaspersky Lab being removed from the list of approved U.S. government vendors. According to a new report, U.S. officials are not happy with how the FBI has conducted the subsequent investigation into Kaspersky Lab, saying the FBI has been too overt in its attempts to get private companies to stop using the products.

A Kaspersky Lab spokesperson denied Kaspersky-Russian ties and said it would be “extremely disappointing” if the alleged briefings between the FBI and private companies actually occurred.

“The company doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against Kaspersky Lab,” the spokesperson told SearchSecurity. “The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”

According to reports by CyberScoop, former U.S. officials claim the FBI has deliberately leaked information and been hyperbolic in classified congressional briefings as a way to build support for its accusations of Kaspersky-Russian ties.

Kaspersky Lab said it has tried to be accommodating to the FBI’s investigation.

“CEO Eugene Kaspersky has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company, but Kaspersky Lab has only received a general reply from one agency at this time,” the spokesperson said. “The company simply wants the opportunity to answer any questions and assist all concerned government organizations with any investigations, as Kaspersky Lab ardently believes a deeper examination of the company will confirm that these allegations are completely unfounded.”

The FBI did not respond to requests for comment at the time of this post.

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said opening the code base probably wouldn’t allay concerns of Kaspersky-Russian ties.

“If there’s any lesson here for foreign companies it’s that the public burden of proof for the FBI to come after you is very low,” Williams told SearchSecurity. “It’s hard to see how this won’t eventually hurt U.S. companies in other countries.”

Experts debate the FBI case regarding Kaspersky-Russia ties

Williams added that if the FBI has evidence to support its claims of Kaspersky-Russian ties, it should be more transparent.

“So far I don’t think we’ve seen much of the case at all, so I’m not sure what we can say [about the FBI’s case]. What’s been released so far is less than convincing,” Williams told SearchSecurity. “The whole public case seems to be that Kaspersky execs have ties to Russian intelligence earlier in their careers. That ‘connection to intelligence’ applies to a huge number of U.S. firms.”

Tom Kellermann, CEO of Strategic Cyber Ventures, said he believes the FBI has the best interest of the public in mind and may not be able to release more information.

“If the FBI were to disclose all evidence, they would violate classification laws, which would hurt the U.S. government’s capacity to leverage counter intelligence campaigns against the Russians,” Kellermann told SearchSecurity. 


Hank Thomas, partner and COO at Strategic Cyber Ventures, said dissecting federal investigations could “risk blowing tremendously complicated and expensive intelligence and counterintelligence operations.”

“Kaspersky should firewall off his firm further from anything Russia, become far more transparent, and bring in trusted leadership to run the company if he ever hopes to turn things around. But I doubt even that will help at this point,” Thomas told SearchSecurity. “Even his industry colleagues, many competitors that have tried to defend him for years have given up. One in particular has shared with me that they have clear indications that Kaspersky products are totally compromised by the Russian security services.”

Willy Leichter, vice president of marketing at Virsec, said that given the high stakes in the Kaspersky-Russia investigation, “the FBI should be more cautious and transparent if there is hard evidence.”

“Many U.S. security companies have ties with government agencies, that have at times raised eyebrows, such as RSA’s alleged backdoors to the NSA for widely used encryption algorithms,” Leichter told SearchSecurity. “Unfortunately, complex cyber technology issues lead to easy political grandstanding, as few people understand the underlying technology. If substantiated, the allegations against Kaspersky are obviously serious. But without clear evidence, this could easily harm the broader security industry that relies on global cooperation to be effective.”

Williams said the FBI shouldn’t keep information closed off to the public.

“I have little doubt that the FBI is presenting additional information to some U.S. companies about why Kaspersky products are dangerous. But if Kaspersky is facilitating spying with the Russian government, then they (and the Russian government) already know what is being briefed,” Williams said. “Only the public lacks the data to make an informed decision. But the argument that the FBI sharing data in closed circles will protect sources and methods seems hollow.”