Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.
The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.
The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.
Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.
In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.
Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.
The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travelers.
The advice for travelers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.
FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.
The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.
A WiFi Security Solution from TitanHQ
Any WiFi access point provider should ensure that controls are implemented to restrict access to illegal or inappropriate website content, block access to known malicious URLs that are used for phishing and malware distribution, and to prevent downloads of files commonly associated with malware.
TitanHQ developed WebTitan Cloud for WiFi to help businesses and service providers secure their WiFi networks, block cyberattacks, and provide a sanitized Internet service to customers. WebTitan Cloud for WiFi is a DNS-based filtering solution that can be used to carefully control the Internet content individuals can access when connected to the business WiFi network, with no impact on Internet speed.
Benefits of WebTitan Cloud for WiFi for Hotels
- Create a family-friendly, safe and secure web browsing environment.
- Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
- Filter by keyword and keyword score.
- Filter content in 200 languages.
- Apply time-based filtering controls.
- Filter the Internet across multiple WiFi hotspots.
- Manage access points through a single web-based administration panel.
- Delegate management of access points.
- Low management overhead.
- Reduce the risk of phishing attacks.
- Block malware and ransomware downloads.
- Inspect encrypted websites with SSL certificates.
- Schedule and run reports on demand with real time-views of Internet activity and extensive drill down reporting.
- Industry-leading customer service and support.
- Highly competitive pricing.