Russian hackers accused of ransacking the US Democratic party’s servers last year may now be targeting hotels in Europe and the Middle East, it is claimed.
Miscreants are using various techniques, including the leaked NSA EternalBlue exploit also wielded by the WannaCry malware, to hack into laptops and other devices used by government and business travelers, FireEye researchers declared on Friday.
Whoever is behind the attacks has been “sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit,” said the infosec biz’s Lindsay Smith and Ben Read.
To get onto the hotel networks without having to physically loiter around the building, the hackers apparently sent booby-trapped spear-phishing emails to hotel staff in at least seven European countries and one Middle Eastern nation. Opening the email’s .doc attachment dropped malware dubbed Gamefish, a tool often used by APT28, a Kremlin-backed hacker gang, according to FireEye.
Once running on a hotel machine, the malware is instructed by its masterminds to find and infect the equipment that controls the internal and guest Wi-Fi networks, so it can be used to attack people of interest.
Smith and Read say they have “moderate confidence” that this is all the handiwork of APT28, a group linked to Russian military intelligence, due to the presence of Gamefish. The attacks – whoever is behind them – have been running for around a year, according to FireEye, which concluded:
These incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges. APT28’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors.
Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.
Chris Wysopal, cofounder and CTO at app security firm Veracode, added: “After the havoc that arose from the WannaCry and NotPetya attacks, it’s not surprising that notorious cyber gangs are finding new ways to use the NSA’s EternalBlue exploit to support their criminal activities. The EternalBlue exploit has been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems.
“With three attacks using this exploit having occurred over just the past few months, we’re likely to see cybercriminals continuing to deploy it until devices are patched and it is no longer an effective vector for them to spread malware.”