In a report compiled by researchers at FireEye, it appears it is not only cyber criminals using the leaked NSA tool commonly referred to as EternalBlue. Many will recognise the name as it is the vulnerability (CVE-2017-0143) that assisted in making the WannaCry and NotPetya attacks earlier this year international headlines. Since it was leaked into the wild by the hacking group the Shadow Brokers, EternalBlue has been used in various forms of malware campaigns whether ransomware or in Trojans and miningbots. EternalBlue leverages a vulnerability in Microsoft’s SMB version 1 networking protocol in order to spread laterally across networks in order to deliver a malicious payload. It was only to be a matter of time till researchers discovered it being used for cyber espionage purposes.
In this instance, it is been used to steal credentials from high-value guests staying in hotels across Europe. The security researchers at FireEye believe with moderate confidence the hackers belong to the hacking group Fancy Bear who has been operational since 2007.
Fancy Bear or ATP28
The hacking group is widely believed to be Russian with links to the Russian intelligence service GRU. They have widely been attributed to the US Democratic National Committee hack and the hacking of Hillary Clinton’s campaign chairman John Podesta’s email account which has been seen internationally as an attempt to unduly influence the last American Presidential Election. While certainly an infamous feather in the group's cap they are also widely believed to be behind cyber-attacks against NATO and the German Bundestag. The group appears to also go by ATP28, Sofacy, Sednit, Tsar Team, Pawn Storm, or Strontium.
One of the key reasons to believe Fancy Bear is behind this campaign is the use of the malware GameFish. GameFish has been used to great effect previously by the group in prior hacks and is almost like a calling card for the group.
The latest campaign
The attack begins with a spear phishing email campaign sent to employees within the hotel and leisure industry. The email contains a malicious document named "Hotel_Reservation_Form.doc," which uses macros to decode and deploy GameFish. Once installed on the victim's system GameFish uses EternalBlue to spread laterally across the network in order to find the systems which control the guest and internal Wi-Fi networks.
Once the systems that control both the guest and internal Wi-Fi networks are under the attackers control the Malware deploys Responder. Created by Laurent Gaffie of SpiderLabs, Responder was intended to be an open source penetration tester used for NetBIOS Name Service (NBT-NS) poisoning. It was leveraged in this instance in order to steal credentials over a wireless network.
While investigating the suspicious behaviour FireEye witnessed no guest credentials been stolen. It is believed by the researchers that credentials are used later by the hackers to gain access to the target's network as has been seen in other similar attacks dating back to the Fall of 2016. In the 2016 incident the victim was compromised after connecting to a public Wi-Fi hotspot, then twelve hours later the hackers logged onto the compromised machine. This delay may have been caused by the hackers needing to crack a hashed password offline.
The use of Responder has been regarded by experts as a novel way to steal guest credentials. In order to do this Responder acts like a sought out resource which causes the victim computer to send the username and hashed password to the attacker-controlled machine. While this is not the first time Fancy Bear have used Responder in this way, it is the first time the group has leveraged EternalBlue to spread laterally across targeted networks.
Fancy Bear not alone in targeting hotels and high-value guests
Since 2009 a South Korean nexus Fallout Team has been targeting hotels in order to gain access to high-value guests and the treasure trove of information they may have. Guests with ties to state departments or employees within certain industries such as military or nuclear are especially coveted. In one of the groups later campaigns spoofed software updates in order to gain access to hotel Wi-Fi networks in Asia and Europe. The specific malware used by Fallout Team, known as DarkHotel, installed various keyloggers which could be used to steal a wealth of information, trade secrets, or bargaining positions. The malware also had the ability to manipulate trusted digital certificates by factoring the underlying private keys of the cloned certificates generated using 512-bit md5 keys as well as stealing third party certificates.
The malware known as Duqu 2.0 has also been seen to be installed on the networks of European hotels during sensitive and politically volatile talks surrounding the Iranian nuclear negotiations. While in many of these instances access to targeted machines is done in a cloak and dagger manner, it has been reported that Russian and Chinese officials are more forthright in accessing guest rooms and machines. This was experienced by many at the Russian Winter Olympics held in Sochi, often leaving those who felt their privacy violated with little recourse other than going to the press.
The game remains the same
Reading the above article one can be forgiven for thinking it may be the script from a spy film. Hotels have always been one of the favoured hunting ground spies have used to steal or extort valuable information. While in the past this was done by well-trained field officers and installing enough bugs one might believe one is infested, today much of the work can be done in front of a computer screen. While it is probably safer and more cost effective for all the agencies involved the ethical and moral questions still remain. If individuals who have the right to privacy are having it constantly infringed by state actors why do individuals still bother believing in their right to privacy when it is continually trampled upon?
While there is little most of us can do to stop such intrusions, for those who know they are privy to sensitive information it is advised not to connect to public Wi-Fi points and to use your phone as a Wi-Fi hotspot rather.