Cybercriminals have found a way to circumvent the multi-factor authentication systems used to protect business VPNs, according to security firm Trusteer, which has reported a recent targeted attack on an airport network using this method.
For security reasons, Trusteer doesn’t reveal the name of the airport, but the attack involved an innovative mixture of standard VPN login grabbing using the Citadel Trojan followed by screen scraping to discover the one-time password (OTP) presented by the gateway authentication system.
The OTP presented was in the form of an on-screen CAPTCHA using 10 digits embedded in an image, hence the need to grab it as a bitmap rather than by intercepting keyboard presses.
According to Trusteer, the unnamed authentication system used a dual-channel approach, offering users the choice of having the OTP sent via the PC (in-band) or to a mobile as an SMS (out-of-band).
The Citadel attack would only work where the PC/in-band option was chosen, which in this case happened to be the default access authentication method for airport employees.
That an airport was attacked was not coincidental, Trusteer said: the criminals were after the VPN precisely because it was a way into the organisation's internal systems.
“Once an attacker steals a victim’s VPN credentials they can login as the authorized user and have unfettered access to the information and resources associated with the account,” said Trusteer’s Amit Klein, underlining the obvious security threat.
“It also demonstrates how enterprises that rely on strong authentication approaches are still at risk from targeted attacks if they lack cybercrime prevention security on endpoint devices,” he said.
The significance of the attack (apart from the intriguing airport theme) is that criminals have figured out how to get round two-factor authentication by the simple expedient of screen grabbing: a keylogger alone cannot capture an OTP that is only ever displayed as an image. Screen capture by banking malware is not unheard of, but its use in the field to target business systems is still unusual.
It is also possible to infer from this incident that weaknesses in the authentication system used to defend the VPN were part of the targeting.
Because the OTP presented in the CAPTCHA was derived from a static PIN (i.e. it was a random variation on that PIN), capturing the CAPTCHA allowed the criminals to reverse-engineer the underlying PIN, which meant that access could be gained at any later time, even after the captured OTP had apparently expired.
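To make the weakness concrete, here is an added example, not Trusteer's analysis and not the airport's authentication product (whose details the report does not give). It models a hypothetical image-challenge scheme in which the OTP is a random variation of a static 4-digit PIN, shows that a single captured image plus keystrokes yields the PIN and therefore answers to every future challenge, and contrasts it with RFC 6238 TOTP, where the shared secret never reaches the screen. The digit-wise mask arithmetic, the PIN length and the names below are assumptions for illustration.

```python
"""Toy model of why an OTP derived from a static PIN is replayable once an
infected endpoint can screen-grab the challenge and keylog the answer.

Hypothetical weak scheme (an assumption, not the airport's real product):
the gateway shows a random digit mask as an image; the user replies with
(PIN digit + mask digit) mod 10 for each position of a static PIN.
"""
import hashlib
import hmac
import secrets
import struct

PIN_LEN = 4  # assumed PIN length for the toy scheme


def new_challenge(pin_len=PIN_LEN):
    """Server side: a fresh random mask, the digits the user sees as an image."""
    return "".join(str(secrets.randbelow(10)) for _ in range(pin_len))


def answer(pin, mask):
    """User side: the OTP is a per-digit random variation of the static PIN."""
    return "".join(str((int(p) + int(m)) % 10) for p, m in zip(pin, mask))


def verify(pin, mask, otp):
    """Server side: constant-time comparison of the expected OTP."""
    return hmac.compare_digest(answer(pin, mask), otp)


def recover_pin(mask, otp):
    """Attacker side: one captured (image, keystrokes) pair reveals the PIN
    because the mask is public on screen and the PIN never changes."""
    return "".join(str((int(o) - int(m)) % 10) for m, o in zip(mask, otp))


def weak_scheme_demo(pin="4711"):
    """True if an attacker who captured one login passes a later, fresh
    challenge; i.e. expiry of the captured OTP does not help the victim."""
    mask1 = new_challenge()
    otp1 = answer(pin, mask1)            # victim logs in; Trojan grabs both
    stolen_pin = recover_pin(mask1, otp1)
    mask2 = new_challenge()              # much later: a brand new image
    return verify(pin, mask2, answer(stolen_pin, mask2))


def totp(secret: bytes, t: int, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The secret lives only on the token and
    the server, so a captured code reveals nothing about later codes."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_replay_demo(secret=b"12345678901234567890", t0=59, later=1111111109):
    """True if a code captured at t0 still verifies at a later time step
    (it should not; timestamps are the RFC 6238 test-vector times)."""
    captured = totp(secret, t0)
    return hmac.compare_digest(captured, totp(secret, later))


if __name__ == "__main__":
    print("weak scheme, attacker passes fresh challenge:", weak_scheme_demo())
    print("TOTP, captured code accepted later:", totp_replay_demo())
```

The contrast is the point: with the toy scheme the displayed image is a function of the secret, so the endpoint that shows it can leak the secret; with TOTP the endpoint only ever sees a 6-digit output of a keyed hash, so screen grabbing yields a value that is useless after one time step. An out-of-band SMS channel removes even that single value from the compromised PC, which is why the in-band default in the airport deployment mattered.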
The choice of the Citadel banking Trojan is interesting. Its creators have reportedly developed the malware on an open source platform, which is probably why their handiwork now turns up as a component of all sorts of attacks. Citadel functions as a sort of 'drop-in' keylogger.