Although financial criminals have much to gain from successful compromises in the hospitality industry - including credit card details, passport scans and loyalty card information - the vertical has also become a growing target for nation-state adversary groups. These groups are keen to track persons of interest while they are travelling, or to enable access to these potential victims when they use electronic devices outside the confines of their home or fully protected networks.
Mike Sentonas, VP Technology Strategy CrowdStrike, told SC Media UK: “We called it out as one of the sectors most vulnerable to attack, and while it's a broad industry, it is a very attractive target for many reasons. There are pockets of best practice in the hospitality sector, as well as areas you look at and shake your head - just like in any sector. There are a variety of challenges too, from the challenges of running global chains, transient workforces, and a very high level of outsourcing. Wifi is often completely outsourced, for example, it's a very complex environment to secure. Then there's the supply chain too…”
In one example documented in CrowdStrike's 2018 Global Threat Report, malware activity involving the binary C:\Windows\SysWOW64\WinSrv.exe (hash: 69d77ffde43f3591f16cfe509f87dda11be13809e75ac30e09f1315c5a5d955) was spotted on two hospitality networks simultaneously. The malware turned out to be PoSeidon, which is designed to scrape the RAM of PoS terminals for credit card track data. The malware was installed following FTP connections to a malicious external server, initiated under a legitimate remote connectivity application using the same user account, which was associated with a third-party vendor.
“CrowdStrike determined that the breach occurred through the compromised vendor's access with the malicious actor installing the malware to target parking pay stations operated by the third party. This case highlights the risk of outside vendor access into enterprise networks”, noted the CrowdStrike researchers.
“We'll see a lot of evolution in the hospitality industry over the coming months, as brands improve their security stance. We've seen pretty much every global hotel chain impacted in some way by recent events, so it's very much front of mind”, continued Sentonas.
The 2018 Global Threat Report headlines two sector-agnostic stats for 2017: the average attacker dwell time recorded was 86 days (that's the time between initial compromise and discovery), while the average breakout time was 1 hour and 58 minutes. Breakout time is the time an intruder takes to begin moving laterally to other systems in the network.
Sentonas summarises: “Often the countermeasures of today just aren't delivering on some modern attack vectors - for example, 39 per cent of attacks in 2017 involved no malware at all, and an equal number that did were not detected by endpoint security AV systems. As an industry we've got to get better at requirements such as real-time visibility and risk management. Overall, metrics are increasingly the key to faster detection rates and faster responses to threats of all kinds, and I believe the industry is beginning to move that way. There's definitely more emphasis on more effective and less complex systems and that'll influence the coming years.”