Cyberspies Leveraging EternalBlue

In a report compiled by researchers at FireEye, it appears that it is not only cyber criminals who are using the leaked NSA tool commonly referred to as EternalBlue. Many will recognise the name, as it is the vulnerability (CVE-2017-0143) that helped make the WannaCry and NotPetya attacks earlier this year international headlines. Since it was leaked into the wild by the hacking group the Shadow Brokers, EternalBlue has been used in various malware campaigns, whether ransomware, Trojans or mining bots. EternalBlue exploits a vulnerability in Microsoft's SMB version 1 networking protocol to spread laterally across networks and deliver a malicious payload. It was only a matter of time until researchers discovered it being used for cyber espionage.

In this instance, it has been used to steal credentials from high-value guests staying in hotels across Europe. The security researchers at FireEye believe with moderate confidence that the attackers belong to the hacking group Fancy Bear, which has been operational since 2007.

Fancy Bear or APT28

The hacking group is widely believed to be Russian, with links to the Russian intelligence service, the GRU. The group has been widely blamed for the hack of the US Democratic National Committee and of the email account of Hillary Clinton's campaign chairman John Podesta, which has been seen internationally as an attempt to unduly influence the last American presidential election. While certainly an infamous feather in the group's cap, they are also widely believed to be behind cyber-attacks against NATO and the German Bundestag. The group also goes by APT28, Sofacy, Sednit, Tsar Team, Pawn Storm and Strontium.


One of the key reasons to believe Fancy Bear is behind this campaign is the use of the malware GameFish. GameFish has been used to great effect by the group in prior hacks and is almost a calling card for it.

The latest campaign

The attack begins with a spear-phishing email campaign sent to employees in the hotel and leisure industry. The email contains a malicious document named "Hotel_Reservation_Form.doc", which uses macros to decode and deploy GameFish. Once installed on the victim's system, GameFish uses EternalBlue to spread laterally across the network in search of the systems that control the guest and internal Wi-Fi networks.
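The lateral-movement step only works against hosts that still negotiate SMB version 1, so a defender's first question is which machines on the network still speak it. The following Python is an added example, not code from the article or the FireEye report: it parses captured SMB Negotiate requests (the first message a client sends on TCP/445) and sorts the sending hosts into those that offer only SMB1 dialects, those that negotiate via SMB1 but advertise SMB2 dialects, and those that negotiate with SMB2 directly. The three sample packets, the host labels and the triage category names are constructed for illustration.

```python
"""Triage captured SMB Negotiate requests by the dialects they offer (constructed example)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB2_DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def nbss(body: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session header (type 0x00, 3-byte big-endian length)."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb1_negotiate(dialects) -> bytes:
    """SMB1 Negotiate request: 32-byte header, WordCount 0, ByteCount, then 0x02-prefixed dialect strings."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27  # status, flags and ids zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return nbss(header + b"\x00" + struct.pack("<H", len(data)) + data)


def build_smb2_negotiate(dialect_codes) -> bytes:
    """SMB2 Negotiate request: 64-byte header (Command 0) followed by the 36-byte request body."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                      0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    req = struct.pack("<HHHHI16sQ", 36, len(dialect_codes), 1, 0, 0, b"\x00" * 16, 0)
    req += b"".join(struct.pack("<H", c) for c in dialect_codes)
    return nbss(header + req)


def parse_negotiate(payload: bytes) -> dict:
    """Return {'proto': 'SMB1'|'SMB2', 'dialects': [...]} for a Negotiate request, else raise ValueError."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) < 32:
        raise ValueError("truncated SMB message")
    if body[:4] == SMB1_MAGIC:
        if body[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("SMB1 message is not a Negotiate request")
        word_count = body[32]
        params_end = 33 + 2 * word_count
        byte_count = struct.unpack("<H", body[params_end:params_end + 2])[0]
        data = body[params_end + 2:params_end + 2 + byte_count]
        dialects, i = [], 0
        while i < len(data) and data[i] == 0x02:          # each dialect: 0x02, string, NUL
            end = data.index(b"\x00", i)
            dialects.append(data[i + 1:end].decode("ascii", "replace"))
            i = end + 1
        return {"proto": "SMB1", "dialects": dialects}
    if body[:4] == SMB2_MAGIC:
        command = struct.unpack("<H", body[12:14])[0]
        if command != SMB2_NEGOTIATE:
            raise ValueError("SMB2 message is not a Negotiate request")
        count = struct.unpack("<H", body[66:68])[0]        # DialectCount in the request body
        codes = struct.unpack("<%dH" % count, body[100:100 + 2 * count])  # Dialects follow the 36-byte body
        return {"proto": "SMB2", "dialects": [SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]}
    raise ValueError("unknown SMB protocol id")


def triage(payload: bytes) -> str:
    """Classify one captured Negotiate request (category names are this example's own)."""
    info = parse_negotiate(payload)
    if info["proto"] == "SMB2":
        return "modern"                # SMB1 client component absent or disabled
    if any(d.startswith("SMB 2.") for d in info["dialects"]):
        return "smb1-upgradeable"      # legacy negotiate, but willing to move to SMB2
    return "smb1-only"                 # the population an SMB1 exploit can reach


# Constructed samples standing in for packets captured from three hosts.
SAMPLES = {
    "legacy-box": build_smb1_negotiate(["NT LM 0.12"]),
    "win10-smb1-enabled": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
    "win10-smb1-removed": build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311]),
}


def triage_all(samples=SAMPLES) -> dict:
    return {host: triage(p) for host, p in samples.items()}


if __name__ == "__main__":
    for host, verdict in triage_all().items():
        print("%-20s %s" % (host, verdict))
```

Hosts in the "smb1-only" bucket are the ones to patch or isolate first; the "smb1-upgradeable" ones still accept a downgrade to SMB1 if a server insists, so disabling the SMB1 client on them closes that path as well.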

Once the systems that control both the guest and internal Wi-Fi networks are under the attackers' control, the malware deploys Responder. Created by Laurent Gaffie of SpiderLabs, Responder is an open-source penetration-testing tool intended for NetBIOS Name Service (NBT-NS) poisoning. In this instance it was leveraged to steal credentials over a wireless network.

While investigating the suspicious behaviour, FireEye witnessed no guest credentials being stolen. The researchers believe the credentials are used later by the hackers to gain access to the target's network, as has been seen in other similar attacks dating back to the fall of 2016. In the 2016 incident the victim was compromised after connecting to a public Wi-Fi hotspot; twelve hours later the hackers logged onto the compromised machine. This delay may have been caused by the hackers needing to crack a hashed password offline.


The use of Responder has been regarded by experts as a novel way to steal guest credentials. To do this, Responder poses as the network resource the victim's computer is looking for, which causes the victim's computer to send its username and hashed password to the attacker-controlled machine. While this is not the first time Fancy Bear has used Responder in this way, it is the first time the group has leveraged EternalBlue to spread laterally across targeted networks.
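Because a poisoner answers name queries that no legitimate host would answer, a defender can detect it by querying a canary name that cannot exist on the network and treating any positive reply as a poisoner. The following Python is an added example, not code from the article or from the Responder project: it encodes and parses NBT-NS packets and applies that rule to a set of captured datagrams, ignoring replies for real names so that normal name resolution is not flagged. The transaction ids, the canary name, the addresses and the three sample datagrams are constructed for illustration; a live deployment would broadcast the canary query on UDP/137 and feed whatever comes back into the same function.

```python
"""Offline NBT-NS poisoning detector (constructed example).

Responder-style tools reply to NetBIOS Name Service (NBT-NS, UDP/137) queries for
names nobody owns. Querying a random canary name and flagging any positive answer
is a cheap way to spot them; this module parses NBT-NS packets and applies that rule.
"""
import os
import struct

NB_TYPE = 0x0020        # NB resource record type
IN_CLASS = 0x0001
FLAG_RESPONSE = 0x8000  # bit 15 of the header flags


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001): pad to 15 chars, append the suffix byte,
    then expand each nibble of each byte into a letter A..P."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_nbns_name(data: bytes, offset: int):
    """Decode an encoded name at offset; return (name, suffix, next_offset)."""
    if data[offset] != 32:
        raise ValueError("unexpected NBT-NS label length %d" % data[offset])
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("encoded name not terminated")
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], offset + 34


def build_query(tid: int, name: str) -> bytes:
    """Broadcast name query (flags 0x0110) for one name."""
    header = struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def build_response(tid: int, name: str, addr: str) -> bytes:
    """Positive name query response, as a poisoner (or a real owner) would send it."""
    header = struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in addr.split("."))  # NB_FLAGS + NB_ADDRESS
    rr = encode_nbns_name(name) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 165, len(rdata)) + rdata
    return header + rr


def parse_nbns(data: bytes) -> dict:
    """Parse the header, question and answer sections of an NBT-NS packet."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, _suffix, off = decode_nbns_name(data, off)
        questions.append(name)
        off += 4                                  # QTYPE, QCLASS
    for _ in range(an):
        name, _suffix, off = decode_nbns_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        addrs = []
        if rtype == NB_TYPE:                      # RDATA: (NB_FLAGS, NB_ADDRESS) entries, 6 bytes each
            for i in range(0, len(rdata), 6):
                addrs.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
        answers.append({"name": name, "addrs": addrs})
    return {"tid": tid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def make_canary_name() -> str:
    """Random 12-character name that no host on the network should claim."""
    return "CNRY" + os.urandom(4).hex().upper()


def detect_poisoners(canaries, datagrams):
    """datagrams: iterable of (src_ip, payload). Returns (src_ip, name, claimed_addr)
    for every positive answer to a canary name; answers for real names are ignored."""
    canary_set = {c.upper() for c in canaries}
    hits = []
    for src_ip, payload in datagrams:
        try:
            pkt = parse_nbns(payload)
        except (ValueError, struct.error, IndexError):
            continue                              # not a well-formed NBT-NS packet
        if not pkt["is_response"]:
            continue
        for ans in pkt["answers"]:
            if ans["name"] in canary_set:
                for addr in ans["addrs"]:
                    hits.append((src_ip, ans["name"], addr))
    return hits


# Constructed traffic: the canary query, a poisoner answering it from 10.0.0.66,
# and a legitimate answer for a real file server that must not be flagged.
CANARY = "CNRYDEADBEEF"
SAMPLE = [
    ("10.0.0.5", build_query(0x1234, CANARY)),
    ("10.0.0.66", build_response(0x1234, CANARY, "10.0.0.66")),
    ("10.0.0.20", build_response(0x5678, "FILESRV01", "10.0.0.20")),
]


def demo():
    return detect_poisoners([CANARY], SAMPLE)


if __name__ == "__main__":
    for src, name, addr in demo():
        print("NBT-NS poisoning suspected: %s answered canary %s with %s" % (src, name, addr))
```

The check complements, rather than replaces, the configuration fix: on networks where NBT-NS and LLMNR are disabled on the endpoints, there is nothing for Responder to answer in the first place.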

Fancy Bear not alone in targeting hotels and high-value guests

Since 2009 a group with a South Korean nexus, Fallout Team, has been targeting hotels to gain access to high-value guests and the treasure trove of information they may carry. Guests with ties to state departments, or employees in certain industries such as the military or nuclear sectors, are especially coveted. In one of the group's later campaigns it spoofed software updates to gain access to hotel Wi-Fi networks in Asia and Europe. The specific malware used by Fallout Team, known as DarkHotel, installed various keyloggers which could be used to steal a wealth of information, trade secrets or bargaining positions. The malware could also manipulate trusted digital certificates by factoring the underlying private keys of cloned certificates generated with 512-bit MD5 keys, as well as stealing third-party certificates.

The malware known as Duqu 2.0 has also been found installed on the networks of European hotels during sensitive and politically volatile talks surrounding the Iranian nuclear negotiations. While in many of these instances access to targeted machines is gained in a cloak-and-dagger manner, it has been reported that Russian and Chinese officials are more forthright in accessing guest rooms and machines. This was experienced by many at the Russian Winter Olympics held in Sochi, often leaving those who felt their privacy violated with little recourse other than going to the press.

The game remains the same

Reading the above, one can be forgiven for thinking it might be the script of a spy film. Hotels have always been one of the favoured hunting grounds spies have used to steal or extort valuable information. While in the past this was done by well-trained field officers, planting enough bugs that one might believe the room was infested, today much of the work can be done in front of a computer screen. While this is probably safer and more cost-effective for the agencies involved, the ethical and moral questions remain. If individuals who have the right to privacy have it constantly infringed by state actors, why do individuals still bother believing in that right when it is continually trampled upon?

While there is little most of us can do to stop such intrusions, those who know they are privy to sensitive information are advised not to connect to public Wi-Fi access points and to use their phone as a Wi-Fi hotspot instead.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behaviour of various malicious applications.
