FireEye researchers have “moderate” confidence that the programme is being run by the Russian group APT28/Fancy Bears, citing the fact that it found malicious documents on these networks that had been used to install the cybergang's signature malware, Gamefish. The malicious document is delivered by spearphishing and is disguised as a basic reservation form.
FireEye also says that APT28 has incorporated several new techniques into these attacks, including use of the EternalBlue SMB exploit leaked by the Shadow Brokers, which originated at the NSA and was behind the WannaCry and NotPetya ransomworm attacks launched in May and June of this year.
“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels,” FireEye said in a statement.
Once embedded in the target system, the malware deployed Responder, which lets the attackers listen for NBT-NS (UDP/137) broadcasts sent by a victim's computer as it attempts to connect to network resources. Responder then pretends to be the requested resource, causing the victim's computer to send its username and hashed password to the attacker-controlled machine. APT28 then uses these credentials to escalate privileges on the infected network.
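As an added example (not code from the article or from FireEye's report), the following Python shows one way a defender can detect this kind of NBT-NS poisoning: the defender periodically broadcasts a query for a canary name that no host legitimately owns, so any positive response to that name must come from a spoofing host such as Responder. Packet layouts follow RFC 1002; the canary name, the transaction id and the addresses are constructed values, and the response builder is a test fixture standing in for a reply captured on the wire.

```python
import struct

# Constructed sample value (not from the article): a NetBIOS name nobody on the LAN owns.
CANARY_NAME = "CANARY-NONEXIST"

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: 15-char name + suffix byte, each nibble + 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"          # length byte, 32 chars, terminator

def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; None if the 34-byte label is malformed."""
    if len(encoded) < 34 or encoded[0] != 0x20 or encoded[33] != 0x00:
        return None
    body = encoded[1:33]
    if any(not 0x41 <= c <= 0x50 for c in body):   # only 'A'..'P' are valid
        return None
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_name_query(name: str, txid: int) -> bytes:
    """NAME QUERY REQUEST: flags 0x0110 = opcode query, recursion desired, broadcast."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", 0x0020, 0x0001)

def build_name_response(name: str, ip: str, txid: int) -> bytes:
    """Positive NAME QUERY RESPONSE (flags 0x8500); test fixture for a reply seen on the wire."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))   # NB_FLAGS + NB_ADDRESS
    rr = struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + encode_netbios_name(name) + rr

def parse_name_response(pkt: bytes):
    """Return (txid, name, ip) for a positive NB response, else None."""
    if len(pkt) < 62:                       # 12 header + 34 name + 10 RR + 6 rdata
        return None
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:   # must be a response carrying an answer
        return None
    name = decode_netbios_name(pkt[12:46])
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if name is None or rtype != 0x0020 or rclass != 0x0001 or rdlen < 6:
        return None
    return txid, name, ".".join(str(b) for b in pkt[58:62])

def is_poisoned_reply(pkt: bytes, canary: str, txid: int) -> bool:
    """Anyone answering the canary query is spoofing: nobody legitimately owns that name."""
    parsed = parse_name_response(pkt)
    return parsed is not None and parsed[0] == txid and parsed[1] == canary.upper()
```

In practice the query goes out via a UDP broadcast socket on port 137 and every reply is passed to is_poisoned_reply; the answering IP in a flagged reply is the host to investigate.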
“Travellers must be aware of the threats posed when travelling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible,” FireEye concluded.
FireEye researchers report that at least seven European hotels and one Middle Eastern hotel were targeted, though no guest credentials were observed being stolen at the compromised hotels.
In an email to SC Chris Wysopal, co-founder and CTO at Veracode commented, “After the havoc that arose from the WannaCry and NotPetya attacks, it's not surprising that notorious cyber-gangs are finding new ways to use the NSA's EternalBlue exploit to support their criminal activities. The EternalBlue exploit has been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems.
“Microsoft has indicated that a number of different versions of Windows are vulnerable to the EternalBlue exploit, even those currently receiving support. It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it. With three attacks using this exploit having occurred over just the past few months, we're likely to see cyber-criminals continuing to deploy it until devices are patched and it is no longer an effective vector for them to spread malware.”
Separately, details of the CIA hacking tool ‘CouchPotato’ have been released by WikiLeaks as part of Vault 7; it is reported to remotely capture videos and images. It can capture and collect video streaming in RTSP/H.264 format and can also capture individual image frames.
Days earlier, WikiLeaks revealed details of “Dumbo”, reportedly a CIA cyber-weapon developed to hack webcams and corrupt video recordings; it can selectively capture images that show a significant change from the previous frame.
Rick McElroy, security strategist, Carbon Black, commented in an email to SC: “Sophisticated tools are now in the hands of nation states who can further enhance their offensive security programmes. Cyber-criminals will leverage these tools to ransom any endpoints they can get their hands on. Attackers will have continued success against companies who do not have the visibility to see these advanced attacks.”