Dark Reading is part of the Informa Tech Division of Informa PLC

8/11/2017
01:58 PM

APT28 Uses EternalBlue to Spy on Hotel Wifi Networks

Hacker group APT28 is using the EternalBlue hacking tool to spread throughout hotel networks and collect guests' information.

If you're not yet skeptical of hotel wifi networks, APT28 is giving you a good reason to think twice before logging on. The Russian hacker group, otherwise known as Fancy Bear, is reportedly gaining control of those networks and using its access to spy on guests.

FireEye, which has been watching the group, saw signs indicating APT28 is trying to compromise government and business travelers through access to hotels' guest wifi networks. The security firm attributes this campaign to APT28 "with moderate confidence."

APT28 is using a few notable techniques in these attacks against the hospitality sector, including sniffing passwords from wifi traffic and poisoning the NetBIOS Name Service. This time it is also using the EternalBlue exploit, an alleged NSA hacking tool leaked by the Shadow Brokers and used earlier this year to spread the WannaCry and NotPetya malware. EternalBlue targets a flaw in Microsoft's SMBv1 implementation that was patched in MS17-010, so any unpatched Windows host on a hotel's internal network is exposed to it.

It's a new move for the group, says Ben Read, FireEye's manager for cyberespionage analysis. This is the first time APT28 has used EternalBlue, which "makes it easy to move to vulnerable systems," he explains.

Attackers use spearphishing to get into hotel networks. FireEye uncovered a malicious document targeting hospitality businesses, including hotels in seven European countries and one in the Middle East. The document, called Hotel_Reservation_Form.doc, is designed to be opened by someone at the reservation desk. If the recipient enables macros, the embedded macro installs APT28's Gamefish malware.

Once inside, attackers move laterally to detect machines that control both guest and internal wifi networks. When they find them, they deploy Responder, which simplifies credential theft.

"Responder is deployed manually," says Read. "The reason you deploy Responder is to steal passwords from people who are connected to the network."

Responder is an open-source tool that poisons NetBIOS Name Service (NBNS) lookups. It listens for computers broadcasting name queries for network resources; when it sees a victim trying to reach a printer or shared folder, for example, it answers as if it were that resource. The victim then tries to authenticate to the attacker's machine and hands over its username and a hashed form of its password (an NTLM challenge-response), which the attacker can crack offline or relay to another host.

APT28 used Responder to steal credentials, which let it escalate privileges within the victim network, and EternalBlue to spread laterally across the network and locate target machines. Victims' credentials could be stolen remotely or from a machine that is physically nearby and on the same network as the target device.
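The NBNS poisoning described above, as an added example that is not from the original article, from FireEye, or from the Responder project: this Python script (written for this page) builds and parses NBNS name query and response packets and implements the usual "canary name" check for spotting a poisoner on a hotel or office segment, namely broadcast a query for a name that no host owns and treat any positive answer as spoofed. The sample traffic, the hosts (10.0.0.x, FILESRV01) and the constant and function names are this example's own constructions, not data from the campaign.

```python
from __future__ import annotations

import random
import struct

# NBNS (RFC 1002) constants; names are this example's own.
QTYPE_NB = 0x0020        # NetBIOS general name service RR
QCLASS_IN = 0x0001
FLAG_RESPONSE = 0x8000   # R bit of the 16-bit NBNS flags word
FLAGS_QUERY = 0x0110     # recursion desired + broadcast, as Windows sends it
FLAGS_POSITIVE = 0x8500  # response + authoritative + RD, as a poisoner answers


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then turn every byte into two nibbles offset by ord('A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    nibbles = bytearray()
    for b in raw:
        nibbles.append((b >> 4) + 0x41)
        nibbles.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(nibbles) + b"\x00"


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_name: returns (name without padding, suffix byte)."""
    if len(encoded) < 34 or encoded[0] != 32 or encoded[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(name: str, txid: int) -> bytes:
    """Broadcast name query, as a Windows host sends when it looks up a
    share or printer by NetBIOS name."""
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(query: bytes, answer_ip: str, ttl: int = 165) -> bytes:
    """What a poisoner sends back: same transaction id and name as the
    query, authoritative flags, and the attacker's own address as RDATA."""
    txid = struct.unpack(">H", query[:2])[0]
    encoded_name = query[12:46]
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in answer_ip.split("."))
    rr = encoded_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_response(packet: bytes) -> dict:
    """Parse a positive name query response; raises on anything else."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if not flags & FLAG_RESPONSE or ancount == 0:
        raise ValueError("not a name query response")
    name, suffix = decode_name(packet[12:46])
    _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", packet[46:56])
    rdata = packet[56:56 + rdlen]
    addresses = []
    for off in range(0, rdlen, 6):          # each entry: NB_FLAGS + IPv4
        _nb_flags, a, b, c, d = struct.unpack(">HBBBB", rdata[off:off + 6])
        addresses.append(f"{a}.{b}.{c}.{d}")
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl,
            "addresses": addresses}


def random_canary_name(rng: random.Random) -> str:
    """A name nobody on the network owns; any answer to it is spoofed."""
    return "".join(rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(12))


def find_poisoners(canaries: dict[int, str],
                   observed: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """canaries: txid -> canary name we broadcast. observed: (source ip,
    UDP/137 payload) pairs captured afterwards. Returns the hosts that
    answered a canary and the addresses they claimed for it."""
    suspects: dict[str, list[str]] = {}
    for src, payload in observed:
        try:
            resp = parse_response(payload)
        except (ValueError, struct.error):
            continue                        # queries, malformed packets
        if canaries.get(resp["txid"]) == resp["name"]:
            suspects.setdefault(src, []).extend(resp["addresses"])
    return suspects


def demo() -> dict[str, list[str]]:
    """Constructed traffic (not a real capture): a poisoner at 10.0.0.66
    answers our canary; a real file server answers only its own name."""
    canary = random_canary_name(random.Random(1))
    canary_query = build_query(canary, txid=0x1234)
    real_query = build_query("FILESRV01", txid=0x1235)
    observed = [
        ("10.0.0.66", build_positive_response(canary_query, "10.0.0.66")),
        ("10.0.0.10", build_positive_response(real_query, "10.0.0.10")),
        ("10.0.0.7", canary_query),         # our own broadcast, echoed back
    ]
    return find_poisoners({0x1234: canary}, observed)


if __name__ == "__main__":
    print(demo())
```

On a live segment you would broadcast the output of build_query() from a UDP socket on port 137 and feed whatever arrives back into find_poisoners(); a poisoner shows up as a source that answers the canary name with its own address, while a clean network returns nothing. The same canary pattern applies to LLMNR on UDP 5355, which Responder poisons as well.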

"Once they have credentials, what they can get into depends on how the network is set up," says Read. Under the right circumstances, attackers could remotely log into a victim's computer and deploy malware, or log into a target Outlook account. Where the account relies on single-factor authentication, this takes no interaction with the victim at all.

Stolen credentials are of far less use, however, if the victim connects through a VPN or has enabled two-factor authentication on those accounts.

Cyberattacks on the hospitality industry can be used to collect information on target hotels but usually aim to steal data from guests. Read believes this is the case with APT28's recent activity, though researchers have not determined the ultimate purpose of the targeting in this campaign.

"The hotels targeted were middle-to-upper market in European capitals," he explains. "This was likely targeting the type of people staying there, like diplomats or business leaders."

It's a warning for travelers, especially business or government personnel, to buckle down on security. "You run a risk any time you connect to a wifi network not controlled by your company," Read warns. He advises travelers to avoid opening suspicious documents or enabling macros, and to travel with a hotspot rather than rely on hotel wifi.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
