Airport VPN hacked using Citadel malware

By on
Airport VPN hacked using Citadel malware

Attack beat two-factor authentication.

The pervasive Citadel trojan, typically reserved for financial theft, was used to beat two-factor authentication and hack into the virtual private network (VPN) of a major international airport, researchers revealed.

Security firm Trusteer discovered the attack, which launched a two-step assault on its victims in order to compromise the airport's VPN.

The man-in-the-browser (MITB) assault first used form-grabbing malware, which steals data entered into web forms before it is passed over the internet, to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post.

Next, screen-capturing technology was employed to take a snapshot of an image created by the VPN's strong authentication product.

The malware covered all the bases, as the unnamed airport's VPN authentication product allowed one of two authentication options: Airport employees could either login using a one-time password, which the form-grabbing component could steal, or login via an on-screen CAPTCHA of 10 digits.

The later option would engage the malware's screen- capturing feature, allowing the criminal to figure out the targeted user's original PIN, and generate their one-time password to access the VPN.

The airport, which has not been revealed for security purposes, went quickly into lock-down mode after the malware was discovered, shutting down the VPN site for users.

“Trusteer has notified airport officials and the relevant government agencies of this attack,” Klein wrote. “Due to the sensitive nature of these systems, the airport immediately disabled remote employee access through this VPN site – the site is currently down.”  

Oren Kedem, director of product marketing for Trusteer, said Tuesday that airport officials were notified of the malware attack last week. The Citadel trojan has primarily been used to commit banking fraud.

He told SCMagazine.com that the potential motives of the airport attack were vast. 

“There are a lot of options here that are disconcerting, if you can think of what data they can reach and what the motivation for using that data is,” he said.

“A list of employees is probably an easy answer,” he added. "Maybe they are looking for someone to approach to do trafficking or criminal activity. They may want access to airport systems, like freights or luggage, or special clearances or documents that relate to security processes – even the employee hiring processes. There is so much stuff on internal systems which, individually, is troubling."

The case also highlights the vulnerability of endpoint devices, like personal laptops or computers, used to remotely access VPNs. 

Kedem said the attack did not include mobile malware, though any devices managed outside an organization can be compromised if proper security is absent.

“The endpoints in general, whether mobile or otherwise, are the weakest link in the security chain,” Kedem said. “The lesson learned from this attack, and others we've seen, is you have to protect the unmanaged device – any device outside the perimeter of your organization – whether it be mobile devices or not.”

In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?