The security firm FireEye has said that it has moderate confidence that a campaign targeting hotels in Europe is the work of the Russian hacking group APT28.
One way the attack works is to send a phishing email to hotel staff with an infected Word document with a name related to a hotel reservation form. If a user opens the attachment and runs the embedded macro, the hacker owns the hotel network.
At that point, the attacker tries to move around the hotel network using several techniques – even using EternalBlue, the NSA hacking tool that was at the center of the recent WannaCry attack.
What the attacker is looking for is the computers controlling WiFi for hotel guests and staff.
While FireEye didn’t see guest credentials being stolen in this attack, they did see that in an attack from last year.
The hackers listen for guests’ or staff members’ computers attempting to connect to network shares. If they see that, the hackers respond as if they were those shares, and once that happens, the target’s computer sends its credentials in order to access those spoofed shared drives. At that point they have the user’s userid and hashed password, which they can take home and crack offline.
This is only an indication that hacker groups from around the world are using exploits learned over time to create better attack mechanisms, and that WiFi, especially hotel WiFi used by business travelers, is a very juicy target.
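The share-spoofing step described above leaves a pattern a network defender can look for: one machine answering lookups for names it has no business owning. The sketch below is an added example, not code from FireEye or KnowBe4; the event format, IP addresses, host names, inventory and decoy name are all constructed, and it assumes the share lookups are visible as broadcast name queries and answers.

```python
from collections import defaultdict

# Constructed sample events, not data from the FireEye report.
# Each tuple is (kind, source_ip, name): "query" is a client broadcasting a
# lookup for a share host; "answer" is a host claiming to be that name.
EVENTS = [
    ("query",  "10.0.5.21", "FILESRV01"),
    ("answer", "10.0.5.10", "FILESRV01"),      # the real file server
    ("query",  "10.0.5.33", "PRINTSRV"),
    ("answer", "10.0.5.77", "PRINTSRV"),       # wrong host answers
    ("query",  "10.0.5.21", "filesrv1"),       # mistyped share name
    ("answer", "10.0.5.77", "filesrv1"),
    ("query",  "10.0.5.40", "ZQ7-CANARY-X1"),  # defender's decoy lookup
    ("answer", "10.0.5.77", "ZQ7-CANARY-X1"),
]
KNOWN_HOSTS = {"FILESRV01": "10.0.5.10", "PRINTSRV": "10.0.5.12"}  # assumed inventory
CANARY_NAMES = {"ZQ7-CANARY-X1"}  # names that exist nowhere on the network


def find_spoofers(events, known_hosts, canaries, max_names=1):
    """Map each suspicious responder IP to the sorted reasons it was flagged."""
    names_by_ip = defaultdict(set)
    reasons = defaultdict(set)
    for kind, ip, name in events:
        if kind != "answer":
            continue
        name = name.upper()  # these host names are case-insensitive
        names_by_ip[ip].add(name)
        if name in canaries:
            reasons[ip].add("answered-canary")
        elif name in known_hosts and known_hosts[name] != ip:
            reasons[ip].add("impersonated-known-host")
    for ip, names in names_by_ip.items():
        if len(names) > max_names:
            reasons[ip].add("answers-for-many-names")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in find_spoofers(EVENTS, KNOWN_HOSTS, CANARY_NAMES).items():
        print(ip, "->", ", ".join(why))
```

An answer to the decoy name is the strongest signal, since no legitimate machine should ever claim a name that was made up for the test.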
From a hotel guest standpoint, here are several suggestions:
- If you can avoid it, do not use hotel WiFi. It is even more risky than using WiFi at your local Starbucks and you know what I think about doing that.
- If you must have Internet access, use your phone as a WiFi hotspot if it allows it. At least that way you won’t be infected by a compromised hotel WiFi server.
- Use a portable WiFi “Puck”. All of the carriers sell them and if the use is intermittent, a prepaid plan may be less expensive.
- Use a WiFi bridge. This portable device does exactly what it says. You connect your phone or laptop to the bridge and then the bridge connects to the hotel WiFi. Since the bridge does not run a standard operating system with all of its potential vulnerabilities, it will be very difficult to infect the bridge with standard Windows or Linux exploits. These are available on Amazon for less than $50.
- Use a portable WiFi firewall like the Tiny Hardware Firewall. This is the most complex and expensive solution at around $100, but also the most flexible. It will support a VPN and also a TOR connection if you choose to go that route.
Bottom line – anything other than hotel WiFi.
While this particular attack is new (starting in July) and has not YET been seen in the United States, that is likely only a matter of time. Being prepared for what is sure to come seems like a good plan.
Information for this post came from KnowBe4.