Hackers are now using the exploit behind WannaCry to snoop on hotel Wi-Fi

A hacking group accused of meddling in the run-up to the US presidential election is harnessing the Windows exploit which made WannaCry ransomware and Petya so powerful — and using it to perform cyberattacks against hotels in Europe.

Researchers at FireEye have attributed a campaign to remotely steal credentials from guests using Wi-Fi networks at hotels in Europe to APT28 — also known as Fancy Bear — a hacking organisation which many security firms have linked to Russia's military intelligence.

"This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version," Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet.

Once the GameFish malware is installed on the network, it uses EternalBlue to worm its way through the network and find the computers responsible for controlling both guest and internal Wi-Fi networks.

Researchers note that in one incident, a victim was compromised after connecting to a hotel network, but that the attackers didn't immediately take action — they waited 12 hours before remotely accessing the systems.

The group behind DarkHotel also compromises hotel Wi-Fi connections and combines this with spear-phishing attacks to compromise specific targets. However, FireEye says the two campaigns aren't linked and that DarkHotel — also known as Fallout Team — looks to be the work of a "Korean peninsula-nexus cyber espionage actor" and not APT28.

"While the previous targeting of victims through hotel public Wi-Fi by Fallout Team is similar to the latest APT28 campaign, these are two separate actors conducting operations for national security interests in support of their respective state sponsor," said Kittner.

With the public release of the EternalBlue exploit, it is unfortunately unsurprising that hacking groups are looking to harness it and other Vault7 leaks for their own gain.
The APT28 hacking group is behind a string of attacks – but this is the first time it has used EternalBlue.



The attack uses EternalBlue, an exploit for a vulnerability in a version of Windows’ Server Message Block (SMB) networking protocol, which lets malware spread laterally through a network from one compromised machine to others.
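The worm-style spread described above has a recognisable network signature: one host opening SMB (TCP/445) connections to many distinct internal peers in a short window. The following is an added example, not code from the article or from FireEye, that scores constructed flow-log lines for that fan-out; the log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (assumed format: "<ISO time> <src> -> <dst>:<port>").
# 10.10.5.23 sweeps six SMB peers in five seconds (worm-like fan-out);
# 10.10.5.40 touches five file shares, but six minutes apart (ordinary use);
# one port-80 line and one malformed line show what is ignored.
SAMPLE_LOG = """\
2017-08-11T02:00:01 10.10.5.23 -> 10.10.5.1:445
2017-08-11T02:00:02 10.10.5.23 -> 10.10.5.2:445
2017-08-11T02:00:02 10.10.5.23 -> 10.10.5.3:445
2017-08-11T02:00:03 10.10.5.23 -> 10.10.5.4:445
2017-08-11T02:00:04 10.10.5.23 -> 10.10.5.5:445
2017-08-11T02:00:05 10.10.5.23 -> 10.10.5.6:445
2017-08-11T02:00:05 10.10.5.23 -> 10.10.5.7:80
2017-08-11T02:01:00 10.10.5.40 -> 10.10.5.1:445
2017-08-11T02:07:00 10.10.5.40 -> 10.10.5.2:445
2017-08-11T02:13:00 10.10.5.40 -> 10.10.5.3:445
2017-08-11T02:19:00 10.10.5.40 -> 10.10.5.4:445
2017-08-11T02:25:00 10.10.5.40 -> 10.10.5.5:445
this line is not a flow record
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Map each source to the largest number of distinct TCP/445 destinations it
    contacted within any sliding window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 445:
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            # Distinct peers reached within `window` of this event.
            peers = {dst for t, dst in evs[i:] if t - t0 <= window}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(smb_fanout(SAMPLE_LOG.splitlines()))  # {'10.10.5.23': 6}
```

Widening the window to 30 minutes also flags 10.10.5.40, so the window and threshold need tuning against the environment's normal SMB usage before the rule is used for alerting.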

The exploit, one of many allegedly known to US intelligence services and used by the NSA for surveillance, was leaked and published by the Shadow Brokers hacking group.

With the code available for anyone to see, it was perhaps only a matter of time before others looked to leverage it — as demonstrated by the WannaCry ransomware epidemic and the subsequent Petya outbreak.

A number of cyber criminal groups are attempting to use EternalBlue to boost their own malware, but this is the first time APT28 has been spotted attempting to do so.


The attack process begins with a spear-phishing campaign: multiple companies in the hospitality industry, with hotels in at least seven European countries and one Middle Eastern country, are sent emails designed to compromise their networks.

Messages contain a malicious document “Hotel_Reservation_From.doc” containing a macro which if…
