The pervasive Citadel trojan, typically reserved for financial theft, was used to beat two-factor authentication and hack into the virtual private network (VPN) of a major international airport, researchers revealed Tuesday.
Security firm Trusteer discovered the attack, which launched a two-step assault on its victims in order to compromise the airport's VPN.
The man-in-the-browser (MITB) assault first used form-grabbing malware, which steals data entered into web forms before it is passed over the internet, to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post on Tuesday. Next, screen-capturing technology was employed to take a snapshot of an image created by the VPN's strong authentication product.
The malware covered all the bases, as the unnamed airport's VPN authentication product allowed one of two authentication options: Airport employees could either login using a one-time password, which the form-grabbing component could steal, or login via an on-screen CAPTCHA of 10 digits. The later option would engage the malware's screen- capturing feature, allowing the criminal to figure out the targeted user's original PIN, and generate their one-time password to access the VPN.
The airport, which has not been revealed for security purposes, went quickly into lock-down mode after the malware was discovered, shutting down the VPN site for users.
“Trusteer has notified airport officials and the relevant government agencies of this attack,” Klein wrote. “Due to the sensitive nature of these systems, the airport immediately disabled remote employee access through this VPN site – the site is currently down.”
Oren Kedem, director of product marketing for Trusteer, said Tuesday that airport officials were notified of the malware attack last week. The Citadel trojan has primarily been used to commit banking fraud.
He told SCMagazine.com that the potential motives of the airport attack were vast.
“There are a lot of options here that are disconcerting, if you can think of what data they can reach and what the motivation for using that data is,” he said.
“A list of employees is probably an easy answer,” he added. "Maybe they are looking for someone to approach to do trafficking or criminal activity. They may want access to airport systems, like freights or luggage, or special clearances or documents that relate to security processes – even the employee hiring processes. There is so much stuff on internal systems which, individually, is troubling."
The case also highlights the vulnerability of endpoint devices, like personal laptops or computers, used to remotely access VPNs.
Kedem said the attack did not include mobile malware, though any devices managed outside an organization can be compromised if proper security is absent.
“The endpoints in general, whether mobile or otherwise, are the weakest link in the security chain,” Kedem said. “The lesson learned from this attack, and others we've seen, is you have to protect the unmanaged device – any device outside the perimeter of your organization – whether it be mobile devices or not.”
In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.