Fancy Bear using leaked NSA tools

Alain Brian
August 11, 2017

Fancy Bear, aka APT28 - the notorious hacking group linked to the Russian government and allegedly responsible for the 2016 U.S. election hacks - infected the networks of at least seven European hotels and one Middle Eastern hotel last month.


The campaign is being attributed with "moderate confidence" to Russian cyber espionage group APT28, the researchers wrote in a blog post.

According to a report released today by US cyber-security firm FireEye, a well-known Russian cyber-espionage group has used an NSA exploit known as ETERNALBLUE as part of a complex set of hacks it carried out starting July this year. It is one of the groups associated with the DNC attack during the 2016 United States election cycle.

The campaign targeting the hospitality sector is believed to date back to at least July 2017 and includes password sniffing, poisoning the NetBIOS Name Service, and using the EternalBlue exploit, which was a key component of the WannaCry ransomware. Targets who allowed the document to execute a built-in macro had their computers infected with the GAMEFISH malware, a long-standing APT28 tool.

Targets are sent a malicious Microsoft Word document that installs malware only seen in Fancy Bear attacks and uses EternalBlue to install across entire networks.

The hackers' new campaign, which involves sending out phishing emails, targets hotels' systems that control guest and internal Wi-Fi networks.

In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Once it receives a name request, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. The attackers then spread across networks via EternalBlue and spoof pages the user brings up to collect usernames and passwords.
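The NetBIOS Name Service poisoning described above (Responder answering name lookups so that the victim hands its username and hashed password to the attacker's machine) can be spotted from the defender's side with a canary query: ask for a name that is registered nowhere on the LAN and see whether anything answers. The following is an added example, not FireEye's or the article's code; the canary name, the packet builders and the address 192.0.2.10 are constructed for the demonstration.

```python
"""Canary-query detection of NBNS poisoning (added example, not the article's code).
No host should ever answer a name query for NBCANARY<random>; a positive reply
means something like Responder is poisoning NBNS, and RDATA names its IP."""
import os
import socket
import struct

NB_RTYPE = 0x0020  # NetBIOS general Name Service resource record type

def nbns_encode(name: str, suffix: int = 0x00) -> bytes:
    """First-level NBNS encoding: 16 raw bytes -> 32 chars, each nibble + 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([32]) + enc + b"\x00"  # length byte, 32 chars, root terminator

def nbns_decode(label: bytes) -> str:
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def canary_name() -> str:
    return "NBCANARY" + os.urandom(3).hex().upper()  # random, never-registered name

def build_query(name: str, txid: int) -> bytes:
    hdr = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # query with broadcast bit
    return hdr + nbns_encode(name) + struct.pack("!HH", NB_RTYPE, 1)

def build_response(name: str, txid: int, ip: str) -> bytes:
    """Constructed fixture modelling a positive name-query response (for tests)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = struct.pack("!HHIH", NB_RTYPE, 1, 165, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return hdr + nbns_encode(name) + rr

def parse_response(data: bytes):
    """Return (txid, name, [ips]) for a positive NB response, else None."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not (flags & 0x8000) or an < 1:
        return None
    off = 12 + qd * 38  # skip any echoed questions (34-byte name + type/class)
    if len(data) < off + 44:
        return None
    name = nbns_decode(data[off:off + 34]); off += 34
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10]); off += 10
    rdata = data[off:off + rdlen]
    if rtype != NB_RTYPE or len(rdata) < rdlen:
        return None
    return txid, name, [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]

def poisoner_ips(query_name: str, txid: int, data: bytes) -> list:
    """IPs that answered our canary; an empty list means nothing is poisoning NBNS."""
    parsed = parse_response(data)
    if parsed is None or parsed[0] != txid or parsed[1] != query_name.upper():
        return []
    return parsed[2]
```

In a real check you would broadcast build_query(canary_name(), txid) on UDP/137 and feed whatever comes back to poisoner_ips; on a healthy network nothing answers.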

This was the first time APT28 used ETERNALBLUE, but this isn't the first time that APT28 targeted hotels.

They note that cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, which means that business and government personnel who often rely on hotel systems to conduct business should be familiar with the threats posed while overseas.

APT28 is not the only cyber-espionage group that has targeted Wi-Fi networks.

There are also other hacking groups targeting travellers apart from APT28, including "South Korea-nexus Fallout Team" (also known as "Darkhotel") and "Duqu 2.0".

This campaign, they said, shows that APT28's already wide-ranging capabilities and tactics continue to grow and be refined as the group expands its infection vectors.

Travelers must be aware of the threats posed when traveling - especially to foreign countries - and take extra precautions to secure their systems and data. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials.

A hacking group accused of meddling in the run-up to the U.S. presidential election is harnessing the Windows exploit which made the WannaCry and Petya ransomware so powerful - and using it to perform cyberattacks against hotels in Europe.

Wysopal said Microsoft has indicated a number of different versions of Windows are vulnerable to the EternalBlue exploit, even those now receiving support.
