FireEye researchers report that the Russian APT28 hacker group, also known as Fancy Bear, has been targeting hotels throughout Europe and the Middle East since at least July 2017.
“The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit,” the researchers wrote.
The attack starts with a spear phishing email sent to the target hotel, with an attached document named Hotel_Reservation_Form.doc. If the macro in the attached document is executed, it installs APT28’s GAMEFISH malware.
“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” the researchers wrote. “No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”
Targeting User Credentials
After the attackers gain access to the target networks, they leverage the open source Responder tool to masquerade as a network resource and intercept usernames and passwords, then use those usernames and passwords to escalate privileges within the network.
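The NetBIOS Name Service poisoning that Responder relies on is visible on the wire, which is where a defender can catch it. The following added example (not code from FireEye's report or from the Responder project) parses NBNS (UDP/137) packets and flags a response for a canary name that no real host owns, or a response that matches no query the monitored host actually sent; the packet builders, host names and IP addresses are constructed samples.

```python
import struct

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char padded name + suffix byte, each byte as two nibbles + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("latin-1") + bytes([suffix])
    return b"\x20" + b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw) + b"\x00"

def decode_nb_name(data: bytes, off: int):
    """Inverse of encode_nb_name; returns (name without padding/suffix, offset past the field)."""
    length, off = data[off], off + 1
    raw, off = data[off:off + length], off + length + 1  # +1 skips the terminating 0x00
    decoded = bytes(((raw[i] - 0x41) << 4) | (raw[i + 1] - 0x41) for i in range(0, length, 2))
    return decoded[:15].decode("latin-1").rstrip(), off

def build_query(txid: int, name: str) -> bytes:
    """Broadcast NB name query (flags 0x0110); constructed sample traffic for the detector."""
    return struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0) + encode_nb_name(name) + struct.pack("!HH", 0x20, 1)

def build_response(txid: int, name: str, ip: str) -> bytes:
    """Positive name response (flags 0x8500) with one NB record: 2 flag bytes + IPv4 address."""
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))
    return (struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0) + encode_nb_name(name)
            + struct.pack("!HHIH", 0x20, 1, 300000, len(rdata)) + rdata)

class NbnsPoisonDetector:
    """Flags NBNS answers for canary names nobody legitimately owns, and answers nobody asked for."""
    def __init__(self, canary_names):
        self.canary = {n.upper() for n in canary_names}  # constructed honey names (assumption)
        self.outstanding = {}  # txid -> name the monitored host queried
        self.alerts = []

    def observe(self, src_ip: str, packet: bytes):
        txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        if not flags & 0x8000:  # query: remember what was asked so answers can be matched
            if qdcount:
                self.outstanding[txid] = decode_nb_name(packet, 12)[0]
            return None
        if ancount == 0:
            return None
        name, off = decode_nb_name(packet, 12)
        claimed_ip = ".".join(str(b) for b in packet[off + 12:off + 16])  # past type/class/ttl/rdlen + NB flags
        queried = self.outstanding.pop(txid, None)
        reason = ("answer for canary name that no legitimate host owns" if name in self.canary
                  else "answer does not match any outstanding query" if queried != name else None)
        if reason is None:
            return None
        alert = {"name": name, "claimed_ip": claimed_ip, "src": src_ip, "reason": reason}
        self.alerts.append(alert)
        return alert
```

In production the same logic would be fed from a packet capture on UDP/137, and a periodic query for the canary name turns the detector into an active check for poisoners on the segment.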
To spread through the target’s network, APT28 uses a version of the EternalBlue exploit. The FireEye researchers said this is the first time the hacker group has been seen leveraging EternalBlue as part of their attacks.
These attacks show that APT28 is continuing to refine and grow its capabilities, the researchers said. “Travelers must be aware of the threats posed when traveling — especially to foreign countries — and take extra precautions to secure their systems and data,” they wrote. “Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.”
Using Public Wi-Fi
Still, a recent Bitglass study demonstrated that users aren’t taking appropriate precautions. The researchers set up unsecured Wi-Fi hotspots in random public places to assess user response — and found that one in five users connected to the unsecured hotspots.
Over 11 percent of users accessed enterprise cloud applications over the unsecured Wi-Fi, including Office 365, Salesforce, Adobe Marketing Cloud, ADP, Slack and Asana — and two users connected to known malware hosts.
A separate Bitglass study of cloud applications used by the company’s customers found that 19 percent of corporate data stored in Dropbox is publicly available, and 51 percent of data stored in Google Drive is shared with people outside the enterprise.
“Over the past several years, organizations have enabled employee mobility and collaboration by deploying cloud,” Bitglass CEO Rich Campagna said in a statement. “A single risky login or unauthorized share can subvert a company’s entire security investment.”
A separate AlertSec survey of more than 800 U.S. consumers found that fully 46 percent of respondents admitted to lax security practices — 13.2 percent have left their laptops unattended, 5.4 percent have physically attached login information to their laptops, and 4.3 percent have flown with a laptop in their checked luggage.
Over 14 percent of respondents said they keep work files on their laptops, 10.1 percent keep credit card and payment data on them, and 8.6 percent keep tax information on them.
“Our survey data shows that there are multiple points of exposure for laptop users, and the unfortunate reality is that hackers and cybercriminals are just waiting to take advantage of the information that is freely available on unprotected laptops,” AlertSec CEO Ebba Blitz said in a statement.