APT28 malware targets hotel guests


By Dylan Bushell-Embling
Monday, 14 August, 2017

Australian business travellers to Europe and the Middle East are potentially vulnerable to a new malware campaign targeting visitors to hotels throughout the regions.

FireEye research has uncovered evidence that the malware campaign is tied to Russian group APT28, which is believed to be a state-sponsored hacker group collecting intelligence that would likely benefit the Russian government.

The campaign dates back to at least July and has involved techniques including sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service and spreading laterally via the EternalBlue NSA exploit leaked by the hacking group the Shadow Brokers in April.

The attack was propagated through a malicious document sent in spear phishing emails to hotels in at least seven European countries and one Middle Eastern country.

Executing a macro within the malicious document installed APT28’s GAMEFISH malware; the attackers then used EternalBlue and the open source tool Responder to spread laterally throughout the hotel networks and target travellers.
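The article names NetBIOS Name Service poisoning but not how a network team can spot it, so here is an added defensive example (not from the article, FireEye or the Responder project): a canary-query detector that broadcasts NBNS queries for a name no legitimate host owns and flags any host that answers. The function names, the canary name and the sample reply packet are my own constructions; the code assumes the caller handles the UDP/137 sockets.

```python
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001

def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1): pad to 15 chars,
    append the suffix byte, then write each nibble as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + letters + b"\x00"  # length byte, 32 letters, terminator

def decode_nbns_name(label: bytes) -> str:
    body = label[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_canary_query(txid: int, canary: str) -> bytes:
    """NAME QUERY REQUEST (broadcast, recursion desired) for a name no host owns;
    the caller broadcasts it to UDP/137 and records txid -> canary in `pending`."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(canary) + struct.pack(">HH", NB_TYPE, IN_CLASS)

def parse_nbns_response(pkt: bytes):
    """Return (txid, name, answering_ip) for a positive NAME QUERY RESPONSE, else None."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not (flags & 0x8000) or an == 0:
        return None
    off = 12 + qd * 38  # skip any echoed question: 34-byte label + type + class
    name = decode_nbns_name(pkt[off:off + 34])
    off += 34
    rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rtype != NB_TYPE or rdlen < 6:
        return None
    ip = pkt[off + 12:off + 16]  # RDATA = 2-byte NB_FLAGS then the 4-byte address
    return txid, name, ".".join(str(b) for b in ip)

def detect_poisoner(pkt: bytes, pending: dict):
    """A host answering a canary name it cannot own is spoofing NBT-NS replies."""
    parsed = parse_nbns_response(pkt)
    if parsed is None:
        return None
    txid, name, ip = parsed
    return ip if pending.get(txid) == name else None

def sample_rogue_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed test input only: the positive reply a spoofing host would send."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))
    return hdr + encode_nbns_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300, 6) + rdata
```

Rotate the canary name per run so a spoofer cannot learn to ignore it, and log the answering address with the interface it arrived on.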

This process involved seeking out machines controlling both guest and internal Wi-Fi networks. While FireEye said it had not observed any guest credentials being stolen, APT28 had managed in a separate incident last year to gain initial access to a victim’s network via credentials thought to be stolen from a hotel Wi-Fi network.

During this incident, 12 hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with the stolen credentials and deployed tools to escalate privileges on the victim machine.

FireEye warned that APT28 is not the only group targeting travellers, with the hospitality industry a popular target for cybercriminals. Cyber-espionage activity against the sector is typically focused on collecting information on or from hotel guests.

“Travellers must be aware of the threats posed when travelling — especially to foreign countries — and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible,” FireEye Threat Research’s Lindsay Smith and Ben Read commented in a blog post.
