The Citadel Trojan is really starting to become kind of a pain in the neck. Not content to sit by and watch while its more well-known rivals Zeus and SpyEye get all the attention, the Citadel malware has begun showing up in some interesting places, with the latest example being the discovery of the Trojan being used to steal VPN credentials for internal users at a major airport.
The attack is a two-stage operation that is designed to defeat the strong authentication application that the airport had in place. Researchers at Trusteer discovered the attack and notified officials at the unnamed airport, who then disabled employee access through the VPN.
Airports are target-rich environments for attackers, thanks to their open wireless networks and the huge population of transient users who are all too eager to use them. Man-in-the-middle attacks on airports’ public networks are common, but this particular attack didn’t target the public network or its users; instead it went after the airport’s employees and their remote-access application. Getting access through any corporation’s VPN system is a huge win for an attacker, because once she comes in as an authenticated user, she enjoys all of the access and privileges on the network that the victimized user does.
In this particular episode, the attackers used a couple of well-known techniques in order to circumvent the security measures the airport had in place and make off with the victims’ VPN credentials.
“This attack uses a combination of form grabbing and screen capture technologies to steal the victim’s username, password, and the one-time passcode generated by a strong authentication product (we have also contacted this vendor). The first part of the attack uses form grabbing to steal the username and password entered into the login screen. The second part of the attack relies on screen capture capabilities to take a snapshot of the image presented to the victim by the strong authentication product,” Amit Klein of Trusteer wrote in an analysis of the attack.
The product that the airport was using to provide strong authentication for employees gave each user two choices: log in with a username and a one-time password that’s sent via SMS or a smartphone app; or log in using a CAPTCHA-like image of 10 digits that the user maps to his own static password. The Citadel malware used the screen-capture tactic to defeat this.
“This security measure prevents the form grabber from capturing the actual static password. This is where the screen capturing feature in Citadel kicks in,” Klein said.
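As an added illustration (not code from Trusteer, the airport, or the authentication vendor), the following Python models the image-mapping login option the article describes and shows the point Klein makes: form grabbing alone yields a value good for one login, while a screen capture of the same image turns that value back into the reusable static password. The exact scheme details and the sample password are assumptions.

```python
import secrets

# Constructed model of the login option in the article: the server shows a
# fresh image of the digits 0-9 in random order, and the user types, for each
# digit of a static password, the digit displayed at that position. The typed
# string therefore changes on every login even though the password does not.

def new_challenge() -> list[int]:
    """Server side: a random arrangement of the digits 0-9 (the 'image')."""
    digits = list(range(10))
    secrets.SystemRandom().shuffle(digits)
    return digits

def user_response(static_password: str, challenge: list[int]) -> str:
    """User side: look each password digit up as a position in the image."""
    return "".join(str(challenge[int(d)]) for d in static_password)

def server_verify(stored_password: str, challenge: list[int], response: str) -> bool:
    """Server side: recompute the expected response for this login's image."""
    return user_response(stored_password, challenge) == response

def leaked_static_password(screenshot: list[int], grabbed_response: str) -> str:
    """Exposure assessment: the image is a permutation of 0-9, so a screen
    capture of it plus the form-grabbed response determines the static
    password exactly. This is the combination the article attributes to Citadel."""
    position_of = {shown: pos for pos, shown in enumerate(screenshot)}
    return "".join(str(position_of[int(c)]) for c in grabbed_response)

def replay_succeeds(stored_password: str, old_response: str, fresh_challenge: list[int]) -> bool:
    """Form grabbing alone: the captured digits only pass against a later image
    if both images happen to agree at every position the password uses."""
    return server_verify(stored_password, fresh_challenge, old_response)

if __name__ == "__main__":
    password = "2580"  # constructed sample static password
    first = new_challenge()
    typed = user_response(password, first)       # what a form grabber sees
    later = new_challenge()
    print("typed digits replay on next login:", replay_succeeds(password, typed, later))
    print("static password recovered from screenshot + typed digits:",
          leaked_static_password(first, typed) == password)
```

The recovered static password, unlike the typed digits or an SMS one-time code, remains valid for every later login until it is changed, which is why disabling VPN access was the immediate response.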