Banking trojan breaches airport VPN

Powered by SC Magazine
 

Citadel attack beat two-factor authentication.

Hackers have breached a major international airport's virtual private network (VPN) using the Citadel trojan, typically reserved for financial theft.

Security firm Trusteer discovered the attack, which launched a two-step assault on its victims in order to compromise the airport's VPN.

The man-in-the-browser (MITB) assault first used form-grabbing malware -- used to hijack data entered into web forms -- to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post.

Next, screen-capturing technology was employed to take a snapshot of an image created by the VPN's strong authentication product.

The unnamed airport's VPN authentication product allowed one of two authentication options: airport employees could either login using a one-time password, which the form-grabbing component could steal, or login via an on-screen CAPTCHA of 10 digits.

The later option would engage the malware's screen- capturing feature, allowing the criminal to figure out the targeted user's original PIN, and generate their one-time password to access the VPN.

The airport, which has not been revealed for security purposes, went quickly into lock-down mode after the malware was discovered, shutting down the VPN site for users.

“Trusteer has notified airport officials and the relevant government agencies of this attack,” Klein wrote. “Due to the sensitive nature of these systems, the airport immediately disabled remote employee access through this VPN site – the site is currently down.”  

Oren Kedem, director of product marketing for Trusteer, said Tuesday that airport officials were notified of the malware attack last week. The Citadel trojan has primarily been used to commit banking fraud.

He told iTnews' sister publication, SCMagazine.com, that the potential motives of the airport attack were vast. 

“There are a lot of options here that are disconcerting, if you can think of what data they can reach and what the motivation for using that data is,” he said.

“A list of employees is probably an easy answer,” he added. "Maybe they are looking for someone to approach to do trafficking or criminal activity.

"They may want access to airport systems, like freights or luggage, or special clearances or documents that relate to security processes – even the employee hiring processes. There is so much stuff on internal systems which, individually, is troubling."

The case also highlights the vulnerability of endpoint devices, like personal laptops or computers, used to remotely access VPNs. 

Kedem said the attack did not include mobile malware, though any devices managed outside an organization can be compromised if proper security is absent.

“The endpoints in general, whether mobile or otherwise, are the weakest link in the security chain,” Kedem said.

“The lesson learned from this attack, and others we've seen, is you have to protect the unmanaged device – any device outside the perimeter of your organisation – whether it be mobile devices or not.”

In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Banking trojan breaches airport VPN
 
 
 
Top Stories
Business-focused Windows 10 brings back the Start menu
Microsoft skips 9 for the "greatest enterprise platform ever".
 
Feeling Shellshocked?
Stay up to date with patching for the Bash bug.
 
Amazon forced to reboot EC2 to patch Xen bug
Rolling restarts over next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  66%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1364

Vote