11/10/2014 03:45 PM
Korean-Speaking Cyberspies Targeting Corporate Execs Via Hotel Networks

Researchers unmask the inner workings of "Darkhotel," a unique seven-year-old cyber espionage campaign against C-level executives from various nations as they travel in the Asia-Pacific region.

Corporate executives from around the world are being individually tracked and targeted on the road in an intriguing cyber espionage campaign in which the attackers know the hotels where their targets are staying and stage attacks from the establishments' networks.

More than a couple of dozen hotels' physical and WiFi networks in the Asia-Pacific region have been infiltrated by the so-called Darkhotel or Tapaoux hacker group, which appears to be Korean-speaking, according to findings shared today by Kaspersky Lab. More than 90% of the victim organizations have been from Japan, Taiwan, China, Russia, and Hong Kong, though the researchers also have found some German, American, Indonesian, Indian, and Irish execs who have been affected. Japan has the heaviest volume of victims, and just under two dozen executives so far have been confirmed as victims, according to Kaspersky researchers.

The attackers employ a mix of highly targeted and botnet-type techniques, infecting hotel networks and then waging their attacks from those locations when specific execs -- some CEOs, senior vice presidents, sales and marketing directors, and R&D execs from major companies -- check into their hotels. The botnets are for surveillance, DDoS, or downloading more sophisticated information-stealing malware onto their victims' machines. The attacks via hotel networks have been under way for at least four years and are still ongoing, according to Kaspersky, but the group has been waging other forms of attack for at least seven years.

"Multiple hotels in multiple countries in the APAC as of right now" are being hit by Darkhotel, says Kurt Baumgartner, principal security researcher at Kaspersky Lab, who would not name the victims or hotels involved. "But our investigation is ongoing, and we have a strong belief that it is [occurring] elsewhere" outside the Asia-Pacific region, as well.

Baumgartner says a keylogger used in the attacks appears to have been written by a Korean-speaking developer, and the data discovered on the command-and-control servers used in the attacks contain Korean-language strings. "You've got a number of individuals involved here who are Korean-speaking and the attacks are happening in the APAC region." He stopped short of confirming the attackers were a Korean nation-state.

And when they infect a Korean-speaking target, the attackers delete the malware -- an indication that they are avoiding friendly fire.

Hotel networks and WiFi -- like any public WiFi -- are notoriously risky. Tom Kellermann, chief cyber security officer at Trend Micro, says hotel wireless networks have been under siege by criminals and spies for a long time. "Travelers should be tremendously dubious of hotel, train, and airport WiFi. These locations have become the ideal hunting grounds for opportunists and nation-states alike. This campaign represents nothing new."

CrowdStrike issued a related warning today about hotel networks and other WiFi to participants in the upcoming G20 Global Leaders Summit, which will be held Nov. 15 and 16 in Brisbane, Australia. With hotels in Brisbane at capacity, many attendees will be lodging outside the city and be shuttled to and from the meetings, leaving them at risk during their travel back and forth, says CrowdStrike's Adam Meyers. In its advisory, CrowdStrike says that the likelihood of attacks via "social engineering, shoulder surfing, or certain Wi-Fi and mobile attacks (exploiting hotel networks, for example)" increases due to the travel.

The Darkhotel gang pushes infected Adobe Flash, Google Toolbar, or Windows Messenger updates to a targeted exec when he or she logs into the hotel's physical or WiFi network. If the exec downloads the update, a backdoor gets planted on the machine. The Adobe Flash update, for example, is actually digitally signed so that it will appear legitimate.

"They used some heavy math which was pretty impressive at the time to sign their malware with their weak [512-bit key] certificates. Now they are outright stealing legitimate 2,048-bit certificates from legitimate organizations... to sign their malware," Baumgartner says.
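As an added illustration (not Kaspersky's or the reporter's code) of the check an update mechanism needs against the fake signed updates described above: VetSigner refuses RSA signing keys shorter than 2048 bits and trusts only chains that end at a root the updater has pinned for its publisher, so a stolen but otherwise valid certificate from an unrelated publisher is also refused. Issue, the certificate names, and the 1024-bit "rogue" key are constructed demo data; the 1024-bit key stands in for the 512-bit keys the article mentions, since current Go releases no longer generate keys that short.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits: 512-bit signing keys such as Darkhotel's are factorable, so refuse anything shorter than this.
const MinRSABits = 2048

// VetSigner decides whether an update signed by leaf may be installed: the RSA key must
// be strong enough and the chain must end at a root the updater has pinned for its publisher.
func VetSigner(leaf *x509.Certificate, pinned *x509.CertPool) error {
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T", leaf.PublicKey)
	}
	if bits := pub.N.BitLen(); bits < MinRSABits {
		return fmt.Errorf("weak %d-bit RSA signing key", bits)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pinned,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err // nil only for a chain that ends at a pinned root
}

// Issue creates a constructed code-signing certificate for the demo; a nil parent
// gives a self-signed CA. Errors are ignored because the inputs are fixed test data.
func Issue(cn string, bits int, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A real updater would load the pinned root from the installed product rather than generating it, and would keep the publisher check even when the signature itself verifies, because key strength alone says nothing about whether a 2048-bit certificate was stolen.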

The attackers also download the Karba Trojan with an information-stealing module and other malware to conduct reconnaissance on the executive's machine, looking for AV software, cached browser and email passwords, and any other sensitive information. The attackers infect each victim only once, and they delete any trace of their activity after they've pilfered what they want from the victim. Kaspersky recently discovered attacks against US and Asian execs traveling on business in the APAC region for investment or other purposes. So far, Darkhotel appears to be targeting execs in government, defense, and non-governmental organizations.

"These guys are professional, well-organized, and methodical," Baumgartner says. "They know what they're after. They don't need to go after a victim again" once they've accessed what they need.

Darkhotel Victims (Image: Kaspersky Lab)

The cyber espionage gang also previously used spearphishing attacks and poisoning of peer-to-peer networks to hit their targets.

In another unusual strategy, one of the downloaders delays command and control communications by the infected machine for 180 days. "If a special file exists on the system, the module will not start calling back to the C&C server until the special file is 180 days old," Kaspersky says in its detailed report on Darkhotel.

"We've seen delays of five days, maybe a week. But we don't see 180 days," Baumgartner says. "That may be so that when an executive returns to his [office] and his laptop gets inspected, they don't want any outbound traffic. They've already gotten what they wanted and don't need to look for anything."

Kaspersky recommends using a VPN on WiFi or other networks on the road, and being suspicious of any application updates that pop up.

But Ian Pratt, co-founder and executive vice president of products at Bromium, says a VPN can't necessarily prevent a WiFi-borne attack.

"Most WiFi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised," Pratt says. "Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
thibault.reuille, User Rank: Apprentice, 11/26/2014 | 5:17:30 PM
More confirmation....
Interesting perspective on the DarkHotel threat. The OpenDNS research team also recently unveiled some of their findings on the Labs blog. We've had a couple of researchers investigate on the matter. Glad to see we are not the only ones!
Bprince, User Rank: Ninja, 11/12/2014 | 8:39:21 AM
Re: Very dangerous
Good point. I think we are at a point where, if you are a corporate exec travelling abroad on business, you should assume that there will be efforts to compromise your devices.
SandraP573, User Rank: Apprentice, 11/12/2014 | 6:23:57 AM
breach
I don't know much about encryption to be honest, but I do know it is important and can save your data from loss, and that is why I use encryption. Data protection is the software I use for encryption. Good software.
Christian Bryant, User Rank: Ninja, 11/11/2014 | 1:48:28 AM
Portable Satellite Terminals
It's time corporate execs stepped out of the hotel network world and into satellite broadband, particularly private satellite access. It's surprising that, at the salaries many execs command and the revenue these companies are generating, portable satellite terminals are not more common. Encrypted satellite access with high-speed Internet access is readily available.

Of course, while travelling, it's not uncommon for people to not want certain traffic to be going over their company network, so no matter how hard you try to secure your exec's line, you may still fail depending on what their extra-curricular Internet activities are. Their choice, but the wrong one.

Which leads me to the assertion that execs who want to travel and use any type of electronic equipment to do business need to be locked down and locked out. That is, if they want to access the Internet on a company device, then it has to be over secure satellite broadband, on a device that will not access certain sites or allow certain types of traffic. If they want the extra-curricular stuff, they'll just have to find another device to do it on.

This is nothing shocking - I see wireless connections all the time at hotels that are named so close to the real network that you could easily make the mistake. All the shadow has to do is emulate the password scheme (generally your room number or last name) or allow anything to act as a password, and they have you. Tip to the wise: Stay off all public networks while travelling, lock down your execs' devices, and encrypt all traffic and local data, just for the extra oomph.
securityaffairs, User Rank: Ninja, 11/10/2014 | 6:10:13 PM
Very dangerous
The discovery doesn't surprise me; the practice is old and has been managed by cyber spies and cyber criminals for a long time. Like Kurt Baumgartner, I'm surprised by the Darkhotel APT's indiscriminate backdoor spreading.

I have many doubts regarding the real origin of the specific APT.