Russian hackers used NSA’s leaked EternalBlue exploit to spy on hotel guests – CSO Online

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Your message has been sent.

There was an error emailing this page.

A Russian government-sponsored cyberespionage group has been accused of using a leaked NSA hacking tool in attacks against one Middle Eastern and at least seven European hotels in order to spy on guests.

Why reinvent the wheel, or a hacking tool, when the NSA created such an effective one? The NSAs EternalBlue was leaked online by the Shadow Broker in April. Now the security firm FireEye says it has a moderate confidence that Fancy Bear, or APT28, the hacking group linked to the Russian government and accused of hacking the Democratic National Committee last year, added EternalBlue to its arsenal in order to spy on and to steal credentials from guests at European and Middle Eastern hotels.

In a campaign aimed at the hospitality industry, attackers leveraged a malicious document in spear-phishing emails. The hostile hotel form, which Microsoft Threat Intelligence Center General Manager John Lambert tweeted about in July, appeared to be a hotel reservation document. If macros were allowed to run on the computers used by the hotel employees who opened it, then Fancy Bears Gamefish malware would be installed.

Fancy Bear, according to a report by the security firm FireEye, used novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.

The Gamefish malware would download and run EternalBlue to spread to computers which were connected to corporate and guest Wi-Fi networks. After gaining access, Fancy Bear deployed Responder which listens for broadcasts from victim computers attempting to connect to network resources. Responder, FireEye explained, masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine.

Its definitely a new technique for Fancy Bear, FireEyes cyber espionage researcher Ben Read told Wired. Its a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.

While FireEye didnt observe business travelers credentials being stolen via hotel Wi-Fi networks in July, the security firm cited a similar hotel attack by Fancy Bear in 2016.

In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.

The latest hotel attacks, FireEye added, is the first time we have seen APT28 incorporate this exploit [EternalBlue] into their intrusions. While the investigation is still going on, FireEye told Reuters it is moderately confident that Fancy Bear is behind the attacks. We just don't have the smoking gun yet.

The targeted hotels were not named, but were described as the type where valuable guests would stay. FireEye told Wired, These were not super expensive places, but also not the Holiday Inn. Theyre the type of hotel a distinguished visitor would stay in when theyre on corporate travel or diplomatic business.

FireEye wants travelers, such as business and government personnel, to be aware of the threats like having their information and credentials passively collected when connecting to a hotels Wi-Fi. While traveling abroad, high value targets should take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible. Wired suggested the safest approach for travelers is to bring their own hotspot and altogether skip connecting to the hotels Wi-Fi.

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.