Citadel Malware Targets Password Management Applications

December 9, 2014 Lavi Lazarovitz

By Lavi Lazarovitz

Faced with the prospect of remembering passwords for multiple websites and offline applications, people are increasingly using password managers so they don’t have to remember their credentials. While a significant convenience, they also represent a valuable target for hackers – compromising these password managers can give attackers user credentials that can lead to sensitive personal and business assets.

Password managers like KeePass for instance, allow users to create a password-secured database containing listings of user names and passwords. Password managers can be a suitable place for private accounts credentials like Facebook and Twitter, and in some cases, work stations and network access credentials.

However, according to a recent Computerworld article, Citadel malware is infamous for compromising “online banking credentials and other financial information by modifying banking sites on the fly when opened by users in their local browsers.” To compromise password managers, the malware was reconfigured to initiate key-logging when the managers are running, hence granting the attackers access to the secure passwords database.

This type of compromise does not give an attacker direct access to a target network, but provides a foot in the door by collecting business credentials that are often re-used for corporate assets.

Through this, attackers have turned another security obstacle into a possible jackpot.

Access to core assets requires privileged credentials – cyber attackers know this which is why they’re highly sought after.  These credentials, either collected from password managers or sniffed out somewhere else, allow the attackers to easily maneuver and even manipulate the businesses very own defenses such as anti-virus and intrusion detections systems.

So what should be the best practice of handling sensitive passwords?

The short answer is: take the user out of the equation

The first part of the problem is how to store sensitive passwords – in this case, privileged accounts. Take our Enterprise Password Vault for example. The architecture itself works like a bank vault. Each vault contains a collection of user-defined ‘safes’ where access is limited to a user or group. This means that each user or group may manage their own passwords without giving unwanted access to other parties within the organization. The Vault is bastion-hardened, allowing only CyberArk-specific traffic in and out, and all credentials are encrypted within the individual safes. For further security, all key management is maintained by the system and every password is encrypted using a different key. Additionally, a variety of workflows can be established before a safe is used or accessed, including direct force reasoning, dual control, among others. You can get a full list here.

The second part of the problem is making sure passwords are never exposed and this can be done in a number of ways. The most basic way is by using one-time passwords, where exposure is pointless since the password won’t work beyond the initial use.  Since this isn’t always possible based on practical business needs, it’s important to have the ability to connect the credential management system directly with devices and applications so the user never has to see, copy or enter a password.

Attackers can dynamically modify their attack vectors endlessly, evading sophisticated intrusion detection systems just by using compromised legitimate credentials. The best practice for businesses is to securely store credentials and conceal them from end users to reduce the risk of losing them to the wrong hands. A comprehensive privileged account security solution is a good start. For more, have a read through our approach.

Previous Article
NIST Recommendations for Securing Virtual Environments: Don’t Forget about Privileged Accounts
NIST Recommendations for Securing Virtual Environments: Don’t Forget about Privileged Accounts

By John Worrall Business-critical data increasingly is being moved to the cloud, which is why the new NIST ...

Next Article
Every Industry, Every Company is a Potential Target of an APT Attack
Every Industry, Every Company is a Potential Target of an APT Attack

By John Worrall [blockquote cite=”Craig Williams” caption=” Cisco Talos Security Intelligence and Research ...