Security Experts:

Citadel Trojan Linked to Attacks on VPN at International Airport

Citadel Trojan Targeting Airport VPNs

Trusteer is reporting that they have discovered a new attack utilizing the Citadel Trojan. According to a blog post from the security firm, Citadel is targeting an enterprise VPN belonging to a major international airport, but they have withheld the name.

Unfortunately, because the airport isn’t listed, the story opens itself to FUD – easily allowing anyone to claim that all VPN users within a given airport hub are at risk. However, that isn’t the case.

The Citadel attack is targeting airport employees – not passengers – in order to steal the credentials needed to access the airport’s VPN and internal applications. It’s also worth noting that these applications are not the ones used to fly the planes or anything so terroristic, more than likely the stolen authentication can be used within the reservation system, time clock, payroll, etc. Trusteer would not comment on the systems available to VPN access.

“This attack uses a combination of form grabbing and screen capture technologies to steal the victim’s username, password, and the one-time passcode generated by a strong authentication product (we have also contacted this vendor),” the blog post explains.

“This is a clever use of form grabbing and screen grabbing techniques by attackers. It also demonstrates how enterprises that rely on strong authentication approaches are still at risk from targeted attacks if they lack cybercrime prevention security on endpoint devices.”

Again, this does not appear to be a terrorism threat. Despite the blog itself mentioning the “potential impact on air travel, security, and border control,” even if the attack was successful it is unlikely the systems targeted would threaten anyone, unless overbooked flights and data theft count as an airline safety issue.

Either way, the airline suspended VPN access after they were alerted to the problem.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.