Banking trojan breaches airport VPN

Powered by SC Magazine
 

Citadel attack beat two-factor authentication.

Hackers have breached a major international airport's virtual private network (VPN) using the Citadel trojan, typically reserved for financial theft.

Security firm Trusteer discovered the attack, which launched a two-step assault on its victims in order to compromise the airport's VPN.

The man-in-the-browser (MITB) assault first used form-grabbing malware -- used to hijack data entered into web forms -- to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post.

Next, screen-capturing technology was employed to take a snapshot of an image created by the VPN's strong authentication product.

The unnamed airport's VPN authentication product allowed one of two authentication options: airport employees could either login using a one-time password, which the form-grabbing component could steal, or login via an on-screen CAPTCHA of 10 digits.

The later option would engage the malware's screen- capturing feature, allowing the criminal to figure out the targeted user's original PIN, and generate their one-time password to access the VPN.

The airport, which has not been revealed for security purposes, went quickly into lock-down mode after the malware was discovered, shutting down the VPN site for users.

“Trusteer has notified airport officials and the relevant government agencies of this attack,” Klein wrote. “Due to the sensitive nature of these systems, the airport immediately disabled remote employee access through this VPN site – the site is currently down.”  

Oren Kedem, director of product marketing for Trusteer, said Tuesday that airport officials were notified of the malware attack last week. The Citadel trojan has primarily been used to commit banking fraud.

He told iTnews' sister publication, SCMagazine.com, that the potential motives of the airport attack were vast. 

“There are a lot of options here that are disconcerting, if you can think of what data they can reach and what the motivation for using that data is,” he said.

“A list of employees is probably an easy answer,” he added. "Maybe they are looking for someone to approach to do trafficking or criminal activity.

"They may want access to airport systems, like freights or luggage, or special clearances or documents that relate to security processes – even the employee hiring processes. There is so much stuff on internal systems which, individually, is troubling."

The case also highlights the vulnerability of endpoint devices, like personal laptops or computers, used to remotely access VPNs. 

Kedem said the attack did not include mobile malware, though any devices managed outside an organization can be compromised if proper security is absent.

“The endpoints in general, whether mobile or otherwise, are the weakest link in the security chain,” Kedem said.

“The lesson learned from this attack, and others we've seen, is you have to protect the unmanaged device – any device outside the perimeter of your organisation – whether it be mobile devices or not.”

In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Banking trojan breaches airport VPN
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 262

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 82

Vote