Hackers Use NSA Tools in Hotels Across Europe
A group of Russian hackers best known for breaking into the Democratic National Committee have been using a leaked NSA espionage tool to target hotels across Europe in an attempt to spy on guests, according to new research published by cybersecurity firm, FireEye.
The hacker group known as APT28, or Fancy Bear, has targeted victims through connections to hacked hotel Wi-Fi networks.
APT28 infiltrated hotel networks via phishing emails that contained infected attachments and malicious Microsoft Word macros. Once they were in a hotel Wi-Fi network, they would then launch NSA hacking tool EternalBlue, which was leaked in 2017. This tool allowed them to spread control throughout the network, eventually reaching servers responsible for the corporate and guest Wi-Fi networks.
“It’s definitely a new technique” for the Fancy Bear hacker group, says Ben Read, who leads FireEye’s espionage research team. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”
Hotel Wi-Fi has become a major vehicle for advanced hackers to target people of interest who happen to be connected. In 2014, researchers at security firm Kaspersky Lab said a group it dubbed Dark Hotel had been infecting hotel networks for at least seven years.
In a separate report a year later, Kaspersky Lab researchers uncovered evidence suggesting a separate hacking group with ties to the creators of the Stuxnet worm infected hotel conference rooms in an attempt to monitor high-level diplomatic negotiations the US and five other nations held with Iran over its nuclear program.
What can you do to protect yourself?
For remote users, it’s important to be aware of the threats like having information and credentials passively collected when connecting to public, untrusted networks. Experts advise using your own wireless hotspot and avoid connecting to hotel Wi-Fi networks when possible.
Keeping all remote devices fully patched is also critical. APT28 is using the same exploit as WannaCry and NotPetya. Microsoft patched these weaknesses in March 2017 and tools like Syxsense, Windows Update or other patching solutions should be already protected by deploying MS17-010.
However, many organizations have older non-Microsoft supported operating systems still deployed – Windows Server 2003, Windows XP, Windows XP Embedded and Windows 8. Microsoft also took the unusual of releasing a patch for these unsupported operating systems.
We strongly recommend identifying all vulnerable operating systems and deploying this patch immediately.
Many companies struggle to keep remote users completely up-to-date since they rely on manual patching or simply do not prioritize the process. However, patching is a necessity – even more so for machines that are not always on the network.
Syxsense allows you to keep all devices, including remote users, fully patched and protected. After months of global ransomware attacks and major security threats, it has never been more important to protect your IT environment.
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.