Hackers are now using the exploit behind WannaCry to snoop on hotel Wi-Fi.
A hacking group accused of meddling in the run up to the US presidential election is harnessing the Windows exploit which made WannaCry ransomware and Petya so powerful — and using it to perform cyberattacks against hotels in Europe.
Researchers at FireEye have attributed a campaign to remotely steal credentials from guests using Wi-Fi networks at hotels in Europe to APT28 — also known as Fancy Bear — a hacking organisation which many security firms have linked to Russia’s military intelligence. “This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version,” Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet.
Once GameFish is installed on the network, it uses EternalBlue to worm its way through the network and find computers responsible for controlling both guest and internal Wi-Fi networks.
Researchers note that in one incident, a victim was compromised after connecting to a hotel network, but that the attackers didn’t immediately take action — they waited 12 hours before remotely accessing the systems.
The group behind DarkHotel also compromises hotel Wi-Fi connections and combines it with spear phishing attacks to compromise specific targets.
However, FireEye says the two campaigns aren’t linked and that DarkHotel — also known as Fallout Team — looks to be the work of a “Korean peninsula-nexus cyber espionage actor” and not APT28. “While the previous targeting of victims through hotel public Wi-Fi by Fallout Team is similar to the latest APT28 campaign, these are two separate actors conducting operations for national security interests in support of their respective state sponsor,” said Kittner.
With the public release of the EternalBlue exploit, it’s unfortunately unsurprising that hacking groups are looking to harness that and other Vault7 leaks for their own gain.
WannaCry Helps Push Cyber-Crime Attacks to New Heights in 2Q17.
The Q2 2017 ThreatMetrix Cybercrime Report was compiled using data on actual attacks that occurred from April to June 2017, as detected by the ThreatMetrix Digital Identity Network, which analyzes approximately 2 billion transactions per month.
In the second quarter of 2017, ThreatMetrix detected 144 million attacks, nearly doubling the attack volume detected in the second quarter of 2016.
Of note, ThreatMetrix saw a large spike in attack volume following the WannaCry ransomware attack in mid-May as attackers aimed to take advantage of consumers.
In this slide show, eWEEK takes a look at some of the highlights of the latest ThreatMetrix Cybercrime Report.
Attackers are increasingly using stolen identities to create new accounts that are then used for fraudulent transactions.
Device spoofing was the top attack vector in the second quarter, according to ThreatMetrix.
With a device spoofing attack, a hacker changes browser and other device settings to change a device’s identity.
On the dark web, cyber-criminals can buy and sell just about any type of personal information.
eWEEK looks at how hackers make their money and how much stolen data is worth.
FBI arrests WannaCry hero for alleged role in Kronos banking malware.
A malware researcher hailed as a hero earlier this year has been arrested by the FBI for his alleged role in distributing the banking malware known as Kronos.
Marcus Hutchins, also known as @malwaretechblog, was detained and then arrested by the bureau at the airport as he was leaving the Def Con hacking conference in Las Vegas.
Hutchins, 22, played a pivotal and unlikely role in stopping the spread of malware known as WannaCry when he discovered a functional domain kill switch for WannaCry.
Now he is accused of playing a role in malware that stole banking and credit card credentials beginning in 2014.
CNN first reported that Hutchins was arrested and Vice quickly published his indictment online and made it available on DocumentCloud.
Hutchins’ status as a cyber folk hero had much of the security community rushing to his defense as reports emerged that he was intercepted on his way home to London.
Many questions remain about the nature of the charges, and his role in the creation and distribution of the Kronos banking trojan remains unclear at this time.
His arraignment is this afternoon in Las Vegas at 3 p.m. PT.
Featured Image: Bryce Durbin
The British security researcher who stopped a global ransomware attack admitted to police that he wrote the code of a malware that targeted bank accounts, US prosecutors said during a hearing on Friday, but his attorneys said that he planned to plead not guilty.
Marcus Hutchins, the 23-year-old hailed as a hero for stopping the WannaCry ransomware attack, is accused of helping to create, spread and maintain the banking trojan Kronos between 2014 and 2015 and is facing six counts of hacking-related charges from the US Department of Justice (DoJ), according to a recently unsealed indictment.
A judge ruled on Friday that Hutchins – who had been in Las Vegas for the annual Def Con hacking conference – could be released on $30,000 bail.
The DoJ charges relate to the Kronos malware, which is a type of malicious software used to steal people’s credentials, such as internet banking passwords.
According to the indictment, Hutchins’ co-defendant advertised the malware for sale on AlphaBay, a darknet marketplace, and sold it two months later.
Hutchins, known on Twitter as @MalwareTechBlog, gained a reputation as an “accidental hero” in May for halting the global spread of the WannaCry ransomware attack.
“This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
But we actually stopped the spread just by registering the domain,” he told the Guardian at the time.
The WannaCry malware ended up affecting more than 1m computers, but experts estimate that without Hutchins’ intervention it could have infected 10-15m computers.
Lobo and the US attorney’s office did not immediately respond to requests for comment on Friday.
Point sadly proven – WannaCry ransomware (and the rest) shows why enterprises need to plan for chaos.
While the WannaCry ransomware infections now seem to be declining from their peak last month, the chaos following the global attack is far from over.
The malware that swept around the world infected more than 300,000 computers in 100 countries, and continues to hit companies such as Honda, shutting down production.
In the UK, NHS hospitals were particularly badly hit – possibly because of a reliance on an older version of Windows – and many are still dealing with the aftermath.
This latest attack is further proof that modern IT infrastructures are incredibly vulnerable.
Luckily, there are solutions that bypass this complexity and transform a “chaotic” enterprise network environment into a more secure and compliant network.
Complexity is the reality of today’s enterprise networks.
Proper network segmentation divides a network into different security zones which limits the exposure that an attacker would have in the event that the network is breached.
Applying automation to network segmentation allows security managers to ensure that the network segmentation is maintained throughout all changes without slowing down the business.
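As an added illustration of the segmentation and automation point above (not code from the article or from Tufin), the following Python check models security zones and an ordered firewall ruleset and refuses any change that would open an SMB (TCP 445) path the policy does not permit; the zone names, rule format and policy are assumptions:

```python
"""Segmentation policy gate: reject a firewall change that would open a lateral
SMB (TCP/445) path between zones the policy keeps apart.
Added example; zone names, rule format and the policy itself are assumptions."""
from dataclasses import dataclass

SMB_PORT = 445  # the protocol WannaCry and Petya spread over


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str  # "allow" or "deny"


# Policy invariant (assumed): SMB may only flow from the jump zone to servers.
ALLOWED_SMB_PATHS = {("jump", "servers")}


def first_match(rules, src, dst, port):
    """First-match evaluation, as in a typical ordered firewall ruleset."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.port == port:
            return r.action
    return "deny"  # implicit default deny


def smb_violations(rules, zones):
    """Every (src, dst) zone pair where SMB is reachable but not permitted."""
    return sorted(
        (s, d) for s in zones for d in zones if s != d
        and first_match(rules, s, d, SMB_PORT) == "allow"
        and (s, d) not in ALLOWED_SMB_PATHS
    )


def apply_change(rules, new_rules, zones):
    """Gate a change request: returns (accepted, violations).
    New rules are appended after the baseline, so first-match order is kept."""
    candidate = list(rules) + list(new_rules)
    bad = smb_violations(candidate, zones)
    return (not bad, bad)


# Constructed baseline: only the jump zone may speak SMB to the server zone.
ZONES = ["guest", "users", "jump", "servers"]
BASELINE = [
    Rule("jump", "servers", SMB_PORT, "allow"),
    Rule("users", "servers", 443, "allow"),
]
```

Run the gate in the change pipeline: a request opening 445 from the user zone to the server zone is rejected with the offending pair, while an unrelated port passes.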
So, with IT professionals facing a double whammy of network complexity and increased security threats, our advice is to make sure you plan for chaos and put in place measures that bring order to an otherwise chaotic IT environment.
Reuven Harrison, CTO & Co-founder at Tufin
Hackers responsible for one of the most common forms of banking Trojans have learned lessons from the global WannaCry ransomware outbreak and the Petya cyberattack, and have equipped their malware with a worm propagation module to help it spread more efficiently.
The credential-stealing Trickbot has been hitting the financial sector since last year and more recently it has added a long list of UK and US banks to its targets.
The attacks are few in number but highly targeted.
Now the gang behind Trickbot are testing additional techniques with a new version of the malware — known as 1000029 — and researchers at Flashpoint who’ve been watching it say it can spread via Server Message Block (SMB), crudely replicating the exploit that allowed WannaCry and Petya to quickly spread around the world.
A Windows security flaw known as EternalBlue was one of many allegedly known to US intelligence services and used to carry out surveillance before being leaked by the Shadow Brokers hacking group.
The exploit leverages a version of Windows’ Server Message Block (SMB) networking protocol to spread itself across an infected network using wormlike capabilities.
The malware can also leverage inter-process communication to propagate and execute a PowerShell script as a final payload, which downloads an additional copy of Trickbot, this time disguised as ‘setup.exe’, onto the shared drive.
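As an added example of how a defender might spot the propagation pattern just described (not Flashpoint’s or any vendor’s code), the following Python routine runs over constructed SMB connection and share-write records and flags a host that fans out to several SMB peers and then drops an executable on a share; the record format, thresholds and sample events are assumptions:

```python
"""Detection sketch for worm-like SMB fan-out followed by an executable dropped
on a network share. Added example; the record format, thresholds and sample
events are constructed, not real Trickbot telemetry."""
from collections import defaultdict

# Constructed flow / file-audit records: (timestamp_s, event, src, dst, detail)
EVENTS = [
    (100, "smb_connect", "10.0.1.5", "10.0.1.20", ""),
    (101, "smb_connect", "10.0.1.5", "10.0.1.21", ""),
    (103, "smb_connect", "10.0.1.5", "10.0.1.22", ""),
    (105, "smb_connect", "10.0.1.5", "10.0.1.23", ""),
    (110, "share_write", "10.0.1.5", "10.0.1.23", "setup.exe"),
    (200, "smb_connect", "10.0.1.9", "10.0.1.50", ""),      # ordinary file-server use
    (205, "share_write", "10.0.1.9", "10.0.1.50", "report.docx"),
]

FANOUT_THRESHOLD = 3          # distinct SMB peers within the window (assumed)
WINDOW_SECONDS = 60           # look-back from the share write (assumed)
EXEC_SUFFIXES = (".exe", ".dll", ".ps1")


def find_smb_worm_candidates(events, fanout=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return sorted source hosts that (a) reached at least `fanout` distinct hosts
    over SMB within `window` seconds and (b) then wrote an executable to a share."""
    connects = defaultdict(list)    # src -> [(ts, dst)]
    exec_drops = defaultdict(list)  # src -> [ts of executable share writes]
    for ts, kind, src, dst, detail in sorted(events):
        if kind == "smb_connect":
            connects[src].append((ts, dst))
        elif kind == "share_write" and detail.lower().endswith(EXEC_SUFFIXES):
            exec_drops[src].append(ts)
    hits = set()
    for src, drops in exec_drops.items():
        for drop_ts in drops:
            peers = {d for ts, d in connects[src] if drop_ts - window <= ts <= drop_ts}
            if len(peers) >= fanout:
                hits.add(src)
    return sorted(hits)
```

Tune the fan-out threshold to the environment: backup servers and vulnerability scanners legitimately touch many SMB peers, so pair this with an allow-list rather than alerting on fan-out alone.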
Nonetheless, researchers warn that this development once again demonstrates the evolving, professional work of the cybercrime gang behind Trickbot as they examine further ways to steal financial data from banks and private wealth management firms.
Ultimately, if successfully deployed, the worm could allow Trickbot to infect other computers on the same network as the machine initially compromised by a phishing email, either to steal more credentials and take over more accounts, or to rope those machines into a botnet for the further spread of malware.
While Trickbot isn’t as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that Trickbot will continue to be a “formidable force” in the future, as its authors look to add more potent capabilities to this dangerous malware.
Aftermath Of WannaCry.
A recent survey by 1E (PDF) shows that one in ten organizations were infected by the WannaCry malware.
The survey also revealed that 86% of organizations do not apply patches immediately after they are released, while 23% are not able to apply patches within a month after a release.
Bob Noel, Director of Strategic Relationships and Marketing at Plixer commented below.
Bob Noel, Director of Strategic Relationships and Marketing at Plixer: “In the pursuit of digital business transformation, organizations have deployed a vast number of technology systems, applications and infrastructure.
The number and velocity of patches that are released across this vast array of systems creates a situation where it is not possible to deploy them all.
There are not enough resources available or windows of scheduled downtime to allow every patch to be applied as soon as it is released.
It can be very difficult for organizations to understand and prioritize the risk associated with every patch.
This leads to a situation where every organization is constantly vulnerable to a broad spectrum of attack surfaces.
Breaches are inevitable.