Banking trojan breaches airport VPN

Citadel attack beat two-factor authentication.

Hackers have breached a major international airport's virtual private network (VPN) using the Citadel trojan, typically reserved for financial theft.

Security firm Trusteer discovered the attack, which launched a two-step assault on its victims in order to compromise the airport's VPN.

The man-in-the-browser (MITB) assault first used form-grabbing malware -- used to hijack data entered into web forms -- to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post.

Next, screen-capturing technology was employed to take a snapshot of an image created by the VPN's strong authentication product.

The unnamed airport's VPN authentication product allowed one of two authentication options: airport employees could either login using a one-time password, which the form-grabbing component could steal, or login via an on-screen CAPTCHA of 10 digits.

The later option would engage the malware's screen- capturing feature, allowing the criminal to figure out the targeted user's original PIN, and generate their one-time password to access the VPN.

The airport, which has not been revealed for security purposes, went quickly into lock-down mode after the malware was discovered, shutting down the VPN site for users.

“Trusteer has notified airport officials and the relevant government agencies of this attack,” Klein wrote. “Due to the sensitive nature of these systems, the airport immediately disabled remote employee access through this VPN site – the site is currently down.”  

Oren Kedem, director of product marketing for Trusteer, said Tuesday that airport officials were notified of the malware attack last week. The Citadel trojan has primarily been used to commit banking fraud.

He told iTnews' sister publication, SCMagazine.com, that the potential motives of the airport attack were vast. 

“There are a lot of options here that are disconcerting, if you can think of what data they can reach and what the motivation for using that data is,” he said.

“A list of employees is probably an easy answer,” he added. "Maybe they are looking for someone to approach to do trafficking or criminal activity.

"They may want access to airport systems, like freights or luggage, or special clearances or documents that relate to security processes – even the employee hiring processes. There is so much stuff on internal systems which, individually, is troubling."

The case also highlights the vulnerability of endpoint devices, like personal laptops or computers, used to remotely access VPNs. 

Kedem said the attack did not include mobile malware, though any devices managed outside an organization can be compromised if proper security is absent.

“The endpoints in general, whether mobile or otherwise, are the weakest link in the security chain,” Kedem said.

“The lesson learned from this attack, and others we've seen, is you have to protect the unmanaged device – any device outside the perimeter of your organisation – whether it be mobile devices or not.”

In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.

This article originally appeared at scmagazineus.com