The infamous Russia-linked APT28 group is behind an ongoing campaign targeting hotels in several European countries, according to a recent report by FireEye. APT28 is also known as Pawn Storm, Fancy Bear, Sofacy, Sednit, and Strontium.

The group is targeting hotel networks in order to reach the systems of government and business travelers through the guest Wi-Fi. Several organisations in the hospitality sector were targeted, including hotels and resorts in seven European countries and at least one in a Middle Eastern country.

The attack begins with a spear-phishing email sent to a hotel employee carrying a weaponized document named "Hotel_Reservation_Form.doc." The document delivers the same backdoor APT28 used in a recent campaign against Montenegro after that country formally joined the NATO alliance, despite strong opposition from the Russian government, which had threatened to retaliate.

According to FireEye's analysis, "APT28 is using novel techniques involving the EternalBlue SMB exploit and the open source tool Responder to spread laterally through networks and mainly target guests staying in hotels. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim's network via credentials likely stolen from a hotel Wi-Fi network."

After gaining access to machines connected to the corporate and guest Wi-Fi networks, APT28 used Responder to carry out NetBIOS Name Service (NBT-NS) poisoning. The technique listens for NBT-NS (UDP port 137) broadcasts from victim systems trying to locate network resources. Responder answers the broadcast, posing as the requested resource, which causes the victim computer to send its username and hashed password (in practice an NTLM challenge-response hash, which can be cracked offline or relayed) to the attacker-controlled machine.

"APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network," continues FireEye.

Cyber-espionage campaigns against the hospitality industry typically aim to collect information about high-value guests, such as government officials and business travelers, rather than the hotels themselves, though the actors may also collect information about the hotel as a means of facilitating operations. Business and government personnel traveling abroad often have to rely on systems that are less secure than their home or office systems to conduct business or meetings, and they may be unfamiliar with the additional threats they face while abroad. Before you trust a hotel Wi-Fi service, make sure you take these precautionary steps:

  1. The first line of protection for your system is reputable antivirus software and the host firewall, turned on so that inbound connections from other devices on the hotel network are blocked.
  2. Enable two-factor authentication on your accounts, so a captured password alone is not enough to log in.
  3. Be careful to connect to the right network. Attackers set up look-alike networks with similar names to trick you.
  4. Don't share the password and reference number the hotel gives you at check-in for its Wi-Fi service.
  5. Disable file and printer sharing, and avoid file-sharing sites, which can expose your computer. Disabling NetBIOS over TCP/IP and LLMNR on the laptop also removes the broadcast name lookups that the NBT-NS poisoning described above depends on.
  6. Disconnect from the network when you are not using the Wi-Fi.
  7. Avoid making online purchases or accessing your bank account over hotel Wi-Fi, or use a trusted VPN if you must.
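To make the NBT-NS poisoning technique described above concrete, the following is an added example written for this page; it is not code from FireEye, from Responder, or from the original article. It builds the UDP/137 name query a Windows host broadcasts, the positive response a poisoner sends back to claim the name, and a parser for both, then uses them in a small "canary" detector: it queries for a name that cannot exist on the LAN, so any positive answer, or any answer with a transaction ID it never sent, identifies a host answering broadcasts it has no business answering. The canary name CANARY7Q, the transaction IDs and the addresses 10.0.0.99 and 10.0.0.5 are constructed sample data, and the whole thing runs offline on bytes built in memory.

```python
"""Added example: build, parse and detect NBT-NS (NetBIOS Name Service, UDP/137)
traffic offline. Field layouts follow RFC 1001/1002; no network access is needed."""
import socket
import struct

QTYPE_NB = 0x0020        # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAGS_QUERY = 0x0110     # opcode=QUERY, RD=1, B(roadcast)=1: what a client emits
FLAGS_POSITIVE = 0x8500  # R=1, AA=1, RD=1, RCODE=0: what a responder (or poisoner) emits


def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 'first-level' encoding: 15-char space-padded name + 1 suffix byte,
    each byte split into two nibbles, each nibble mapped onto 'A'..'P' (32 bytes out)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(txid, name, suffix=0x20):
    """The broadcast a Windows host sends when it cannot resolve a name any other way."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(txid, name, ip, suffix=0x20, ttl=165):
    """A positive name query response: exactly what a poisoner sends to claim the name.
    RDATA = 2-byte NB_FLAGS (0 = B-node, unique name) + 4-byte IPv4 address."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)
    rr = rr_name + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_packet(data):
    """Parse header, question section and answer section of an NBT-NS packet.
    Name compression pointers (0xC0..) are not handled; Responder-style replies do not use them."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pkt = {"txid": txid, "is_response": bool(flags & 0x8000),
           "rcode": flags & 0x000F, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        if data[off] != 32:
            raise ValueError("unexpected label length in question")
        pkt["questions"].append(decode_netbios_name(data[off + 1:off + 33]))
        off += 1 + 32 + 1 + 4              # label, name, terminator, QTYPE + QCLASS
    for _ in range(an):
        name, suffix = decode_netbios_name(data[off + 1:off + 33])
        off += 34
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        ip = socket.inet_ntoa(rdata[2:6]) if rtype == QTYPE_NB and rdlen >= 6 else None
        pkt["answers"].append((name, suffix, ip))
    return pkt


class NbnsPoisonDetector:
    """Canary detector: broadcast queries for names that do not exist on the LAN.
    Nothing legitimate can answer, so any positive reply, or any reply whose
    transaction ID we never sent, reveals a poisoner such as Responder."""

    def __init__(self):
        self.outstanding = {}   # txid -> canary name we broadcast

    def send_canary(self, txid, name):
        self.outstanding[txid] = name.upper()
        return build_name_query(txid, name)   # caller would sendto(("255.255.255.255", 137))

    def check_response(self, data, src_ip):
        """Return an alert dict for a poisoned reply, None for anything harmless."""
        pkt = parse_packet(data)
        if not pkt["is_response"] or pkt["rcode"] != 0 or not pkt["answers"]:
            return None
        name, _suffix, claimed_ip = pkt["answers"][0]
        if pkt["txid"] not in self.outstanding:
            reason = "unsolicited response"
        elif name == self.outstanding[pkt["txid"]]:
            reason = "answered canary name"
        else:
            return None
        return {"reason": reason, "name": name, "attacker_ip": src_ip, "claimed_ip": claimed_ip}


if __name__ == "__main__":
    det = NbnsPoisonDetector()
    det.send_canary(0x1234, "CANARY7Q")
    # Constructed sample: a poisoner at 10.0.0.99 claims the canary name.
    print(det.check_response(build_positive_response(0x1234, "CANARY7Q", "10.0.0.99"), "10.0.0.99"))
```

On a real network the detector would bind UDP/137, broadcast the canary query and feed every received datagram with its source address into check_response; the source address, not the address inside RDATA, is the one to alert on, since a poisoner can put any address it likes in the answer.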