FireEye has moderate confidence that a campaign targeting the
hospitality sector is attributed to Russian actor APT28.
We believe this activity, which dates back to at least July 2017, was
intended to target travelers to hotels throughout Europe and the
Middle East. The actor has used several notable techniques in these
incidents such as sniffing passwords from Wi-Fi traffic, poisoning the
NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.
APT28 Uses Malicious Document to Target Hospitality Industry
FireEye has uncovered a malicious document sent in spear phishing
emails to multiple companies in the hospitality industry, including
hotels in at least seven European countries and one Middle Eastern
country in early July. Successful execution of the macro within the
malicious document results in the installation of APT28’s signature GAMEFISH malware.
The malicious document – Hotel_Reservation_Form.doc (MD5:
9b10685b774a783eabfecdb6119a8aa3), as seen in Figure 1 – contains a
macro that base64 decodes a dropper that then deploys APT28’s
signature GAMEFISH malware (MD5: 1421419d1be31f1f9ea60e8ed87277db),
which uses mvband.net and mvtband.net as command and control (C2) domains.
Figure 1: Hotel_Reservation_Form.doc
APT28 Uses Novel Techniques to Move Laterally and Potentially
APT28 is using novel techniques involving the EternalBlue exploit
and the open source tool Responder to spread
laterally through networks and likely target travelers. Once inside
the network of a hospitality company, APT28 sought out machines that
controlled both guest and internal Wi-Fi networks. No guest
credentials were observed being stolen at the compromised hotels;
however, in a separate incident that occurred in Fall 2016, APT28
gained initial access to a victim’s network via credentials likely
stolen from a hotel Wi-Fi network.
Upon gaining access to the machines connected to corporate and guest
Wi-Fi networks, APT28 deployed Responder. Responder facilitates
NetBIOS Name Service (NBT-NS) poisoning. This technique listens for
NBT-NS (UDP/137) broadcasts from victim computers attempting to
connect to network resources. Once received, Responder masquerades as
the sought-out resource and causes the victim computer to send the
username and hashed password to the attacker-controlled machine. APT28
used this technique to steal usernames and hashed passwords that
allowed escalation of privileges in the victim network.
To spread through the hospitality company’s network, APT28 used a
version of the EternalBlue SMB exploit. This was combined with the
heavy use of py2exe to compile Python scripts. This is the first time
we have seen APT28 incorporate this exploit into their intrusions.
In the 2016 incident, the victim was compromised after connecting to
a hotel Wi-Fi network. Twelve hours after the victim initially
connected to the publicly available Wi-Fi network, APT28 logged into
the machine with stolen credentials. These 12 hours could have been
used to crack a hashed password offline. After successfully accessing
the machine, the attacker deployed tools on the machine, spread
laterally through the victim’s network, and accessed the victim’s OWA
account. The login originated from a computer on the same subnet,
indicating that the attacker machine was physically close to the
victim and on the same Wi-Fi network.
We cannot confirm how the initial credentials were stolen in the
2016 incident; however, later in the intrusion, Responder was
deployed. Since this tool allows an attacker to sniff passwords from
network traffic, it could have been used on the hotel Wi-Fi network to
obtain a user’s credentials.
Long-Standing Threats to Travelers
Cyber espionage activity against the hospitality industry is
typically focused on collecting information on or from hotel guests of
interest rather than on the hotel industry itself, though actors may
also collect information on the hotel as a means of facilitating
operations. Business and government personnel who are traveling,
especially in a foreign country, often rely on systems to conduct
business other than those at their home office, and may be unfamiliar
with threats posed while abroad.
APT28 isn’t the only group targeting travelers. South Korea-nexus
Fallout Team (aka Darkhotel) has used spoofed
software updates on infected Wi-Fi networks in Asian hotels, and
Duqu 2.0 malware has been found
on the networks of European hotels used by participants in the
Iranian nuclear negotiations. Additionally, open sources have reported
for several years that in Russia and China, high-profile hotel guests
may expect their hotel
rooms to be accessed and their laptops and other electronic devices accessed.
Outlook and Implications
These incidents show a novel infection vector being used by APT28.
The group is leveraging less secure hotel Wi-Fi networks to steal
credentials and a NetBIOS Name Service poisoning utility to escalate
privileges. APT28’s already wide-ranging capabilities and tactics are
continuing to grow and refine as the group expands its infection vectors.
Travelers must be aware of the threats posed when traveling –
especially to foreign countries – and take extra precautions to secure
their systems and data. Publicly accessible Wi-Fi networks present a
significant threat and should be avoided whenever possible.
Additional technical information and details are available to FireEye
iSIGHT Intelligence customers through our portal.
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog