A hacking group accused of meddling in the run-up to the US presidential election is harnessing the Windows exploit which made WannaCry ransomware and Petya so powerful — and using it to perform cyberattacks against hotels in Europe.
Researchers at FireEye have attributed a campaign to remotely steal credentials from guests using Wi-Fi networks at hotels in Europe to APT28 — also known as Fancy Bear — a hacking organisation which many security firms have linked to Russia’s military intelligence.
The attack uses EternalBlue, an exploit for a security vulnerability in Windows’ Server Message Block (SMB) networking protocol, in order to spread laterally through networks.
The exploit, one of many which were allegedly known to US intelligence services and used by the NSA for surveillance, was leaked and published by the Shadow Brokers hacking group.
With the code available for anyone to see, it was perhaps only a matter of time before others looked to leverage it — as demonstrated by the WannaCry ransomware epidemic and the subsequent Petya outbreak.
A number of cyber criminal groups are attempting to use EternalBlue to boost their own malware, but it’s the first time APT28 have been spotted attempting to do so.
“This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version,” Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet.
The attack process begins with a spear-phishing campaign targeting multiple companies in the hospitality industry, with hotels in at least seven European countries and one Middle Eastern country being sent emails designed to compromise their networks.
Messages contain a malicious document “Hotel_Reservation_From.doc” containing a macro which if…