Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe

A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours.

Dubbed “Bad Rabbit,” it is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~$285) as ransom from victims to unlock their systems.
According to an initial analysis provided by Kaspersky, the ransomware was distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.

“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” Kaspersky Lab said.

However, security researchers at ESET have detected the Bad Rabbit malware as ‘Win32/Diskcoder.D’, a new variant of the Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.
Bad Rabbit uses DiskCryptor, an open-source full-drive encryption tool, to encrypt files on infected computers with RSA-2048 keys.

ESET believes the new wave of ransomware attacks is not using the EternalBlue exploit, the leaked SMB vulnerability that WannaCry and Petya used to spread through networks.
Instead, it first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.

The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.
The affected organisations include the Russian news agencies Interfax and Fontanka, the payment systems of the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.
Researchers are still analyzing Bad Rabbit to check whether there is a way to decrypt computers without paying the ransom and how to stop it from spreading further.
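The lateral-movement behaviour just described, one internal host trying a short hardcoded credential list against many SMB shares, leaves a clear trace in Windows Security logs. The following is an added example, not code from the article or from Kaspersky or ESET: it flags such credential spraying in a CSV export of failed (4625) and successful (4624) network logons. The log lines are constructed for the example, and the window and thresholds are assumptions to tune per environment.

```python
"""Flag SMB credential spraying of the kind Bad Rabbit used: one internal host trying a
short hardcoded credential list against many machines within minutes.

Added example; the log below is constructed. Its columns mimic a CSV export of Windows
Security events 4625 (failed logon) and 4624 (successful logon) restricted to logon
type 3 (network logon), which is what SMB authentication produces on the target."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, source IP, target host, account
SAMPLE_LOG = """\
2017-10-24T13:02:01,4625,3,10.0.0.57,FILESRV01,Administrator
2017-10-24T13:02:02,4625,3,10.0.0.57,FILESRV01,admin
2017-10-24T13:02:02,4625,3,10.0.0.57,WKS-204,Administrator
2017-10-24T13:02:03,4625,3,10.0.0.57,WKS-204,admin
2017-10-24T13:02:03,4625,3,10.0.0.57,WKS-207,Administrator
2017-10-24T13:02:04,4625,3,10.0.0.57,WKS-207,admin
2017-10-24T13:02:04,4624,3,10.0.0.57,WKS-207,user
2017-10-24T13:02:05,4625,3,10.0.0.57,HR-PC,Administrator
2017-10-24T13:02:05,4625,3,10.0.0.57,HR-PC,root
2017-10-24T13:09:30,4625,3,10.0.0.12,FILESRV01,jdoe
2017-10-24T13:09:45,4624,3,10.0.0.12,FILESRV01,jdoe
"""

# Assumed thresholds; tune to the environment.
WINDOW = timedelta(minutes=5)
MIN_TARGETS = 3   # distinct hosts one source failed against inside the window ...
MIN_ACCOUNTS = 2  # ... while trying this many distinct account names


def parse_events(text):
    """Parse the CSV export into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, src, target, account = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype),
                       src, target, account))
    return sorted(events)


def find_spraying(events, window=WINDOW, min_targets=MIN_TARGETS,
                  min_accounts=MIN_ACCOUNTS):
    """Return {source_ip: {"targets", "accounts", "successes"}} for every source whose
    network-logon failures inside a sliding window hit enough hosts and accounts.
    "successes" lists (host, account) network logons from that source, i.e. where
    the spray may have found a working credential."""
    failures = defaultdict(list)   # src -> [(ts, target, account), ...] in time order
    successes = defaultdict(set)   # src -> {(target, account), ...}
    for ts, eid, ltype, src, target, account in events:
        if ltype != 3:
            continue
        if eid == 4625:
            failures[src].append((ts, target, account))
        elif eid == 4624:
            successes[src].add((target, account))

    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            targets = {t for _, t, _ in in_window}
            accounts = {a for _, _, a in in_window}
            if len(targets) >= min_targets and len(accounts) >= min_accounts:
                alert = alerts.setdefault(src, {"targets": set(), "accounts": set(),
                                                "successes": set(successes[src])})
                alert["targets"] |= targets
                alert["accounts"] |= accounts
    return alerts


if __name__ == "__main__":
    for src, info in find_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['targets'])} hosts, {len(info['accounts'])} accounts, "
              f"successful logons: {sorted(info['successes'])}")
```

The single failed logon from 10.0.0.12 followed by a success is an ordinary typo and stays quiet; 10.0.0.57 trips the rule because it cycles the same two or three account names across four hosts in five seconds, and the successful network logon it obtained on WKS-207 is the host to isolate first.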

How to Protect Yourself from Ransomware Attacks?

Kaspersky suggests disabling the WMI service to prevent the malware from spreading over your network.
Most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.
So you should always exercise caution when opening unsolicited documents sent over email and clicking on links inside them, unless you have verified the source.
Also, never download any app from third-party sources, and read reviews before installing apps even from official stores.
To keep a tight grip on your valuable data, keep a good backup routine in place that copies it to an external storage device that isn’t always connected to your PC.
Make sure that you run a good and effective anti-virus security suite on your system, and keep it up to date.

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Just a year after Mirai, the biggest IoT-based malware, caused vast Internet outages by launching massive DDoS attacks, security researchers are now warning of a brand new, rapidly growing IoT botnet.
Dubbed ‘IoT_reaper’ and first spotted in September by researchers at Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet.
IoT_reaper currently includes exploits for nine previously disclosed vulnerabilities in IoT devices from the following manufacturers:

  • Dlink (routers)
  • Netgear (routers)
  • Linksys (routers)
  • Goahead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)

Researchers believe IoT_reaper has already infected nearly two million devices and is growing at an extraordinary rate of 10,000 new devices per day. This is extremely worrying because it took only 100,000 infected devices for Mirai to take down the DNS provider Dyn last year with a massive DDoS attack.

Besides this, researchers noted that the malware also includes more than 100 DNS open resolvers, enabling it to launch DNS amplification attacks.
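Open resolvers matter to a botnet operator because a small query bounced off them comes back to a spoofed victim address many times larger. The following added example, not code from the article or from Qihoo 360, shows how a resolver operator can spot that abuse in their own query log: it aggregates queries from clients outside the networks the resolver is meant to serve and reports the ones whose response-to-request byte ratio shows amplification. The log lines and the allowed client networks are constructed assumptions.

```python
"""Spot DNS amplification abuse in resolver query logs.

An open resolver becomes an amplifier when it answers recursive queries whose source
address is not one of its own clients (the address is typically spoofed to be the
victim's), and large answers (ANY, TXT, DNSSEC-signed zones) multiply the attacker's
bandwidth. Added example; the query log below is constructed."""
import ipaddress
from collections import defaultdict

# Assumed: the networks this resolver is meant to serve.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: client IP, query name, query type, request bytes, response bytes
SAMPLE_QUERY_LOG = """\
192.168.1.20 example.com A 44 60
203.0.113.9 example.com ANY 44 3120
203.0.113.9 example.com ANY 44 3120
203.0.113.9 isc.org ANY 37 4096
192.168.1.21 example.com TXT 46 512
198.51.100.77 example.com A 44 60
"""


def is_external(ip):
    """True when the client address is outside every network we are supposed to serve."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_CLIENTS)


def amplification_report(log_text, min_factor=10.0):
    """Aggregate queries from external clients per client address and return
    {client: (query_count, response_bytes, amplification_factor)} for those whose
    bytes-out / bytes-in ratio reaches min_factor. These are the flows an attacker
    would be bouncing off us; the flagged client is the spoofed victim address."""
    stats = defaultdict(lambda: [0, 0, 0])  # queries, request bytes, response bytes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _qname, _qtype, req, resp = line.split()
        if not is_external(client):
            continue
        entry = stats[client]
        entry[0] += 1
        entry[1] += int(req)
        entry[2] += int(resp)
    report = {}
    for client, (count, req_bytes, resp_bytes) in stats.items():
        factor = resp_bytes / req_bytes
        if factor >= min_factor:
            report[client] = (count, resp_bytes, round(factor, 1))
    return report


if __name__ == "__main__":
    for client, (count, out_bytes, factor) in amplification_report(SAMPLE_QUERY_LOG).items():
        print(f"{client}: {count} queries, {out_bytes} bytes out, x{factor} amplification")
```

The external A query from 198.51.100.77 amplifies by less than 2x and is ignored; the ANY queries attributed to 203.0.113.9 return over 80 bytes for every byte received, which is the signature of the resolver being used as a reflector. The fix is on the resolver, not the victim: refuse recursion to clients outside ALLOWED_CLIENTS and rate-limit responses (BIND's allow-recursion and Response Rate Limiting do exactly this).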

“Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance,” Qihoo 360 researchers say.

Meanwhile, researchers at Check Point are also warning of what is probably the same IoT botnet, named “IoTroop,” which has already infected hundreds of thousands of organisations.

“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defence mechanisms are put in place before attack strikes.” researchers said.

According to Check Point, IoTroop also exploits vulnerabilities in wireless IP camera devices from GoAhead, D-Link, TP-Link, AVTECH, Linksys, Synology and others.

At this time it is not known who created it or why, but the DDoS threat landscape is escalating, and attacks could reach tens of terabits per second in size.

“Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come.” CheckPoint researchers warned.

You need to be more vigilant about the security of your smart devices. In our previous article, we provided some essential, somewhat practical solutions to protect your IoT devices.

WebRTC Vulnerability leaks Real IP Addresses of VPN Users

An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication), an open-source standard that enables browsers to make voice or video calls without needing any plug-ins.
AFFECTED PRODUCTS
Late last month, security researchers revealed a massive security flaw that enables website owners to easily see the real IP addresses of users through WebRTC, even if they are using a VPN (PureVPN included) to mask their real IP addresses.
The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to the Windows operating system; users of Linux and Mac OS X are not affected by this vulnerability.
HOW DOES THE WebRTC FLAW WORK
WebRTC allows requests to be made to STUN (Session Traversal Utilities for NAT) servers, which return the “hidden” home IP address as well as the local network addresses of the system the user is on.
The results of the requests can be accessed using JavaScript, but because they are made outside the normal XMLHttpRequest procedure, they are not visible in the developer console. This means that the only requirements for this to work are WebRTC support in the browser and JavaScript.
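To make the mechanism concrete, here is an added example (not code from the article or from Daniel Roesler's demo) that parses STUN messages (RFC 5389) and decodes the XOR-MAPPED-ADDRESS attribute, which is exactly the reflexive address a STUN server hands back and that page JavaScript then reads. A defender can run the same parser in an egress monitor to notice STUN bindings leaving a host whose policy forbids them. The sample reply, the transaction id and the address 203.0.113.5 are constructed placeholders.

```python
"""Parse STUN (RFC 5389) messages and recover the reflexive address a STUN server
returns. Added example; the sample reply is constructed, not captured."""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def parse_stun(packet: bytes):
    """Return {"type", "transaction_id", "attributes"} or None if this is not STUN.
    Header: 2-byte type (top two bits zero), 2-byte body length, 4-byte magic cookie,
    12-byte transaction id; then TLV attributes padded to 4-byte boundaries."""
    if len(packet) < 20:
        return None
    msg_type, body_len, cookie = struct.unpack("!HHI", packet[:8])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or len(packet) != 20 + body_len:
        return None
    attributes = {}
    pos = 20
    while pos + 4 <= len(packet):
        attr_type, attr_len = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            return None
        attributes[attr_type] = value
        pos += 4 + ((attr_len + 3) & ~3)
    return {"type": msg_type, "transaction_id": packet[8:20], "attributes": attributes}


def decode_xor_mapped_address(value: bytes, transaction_id: bytes):
    """XOR-MAPPED-ADDRESS: byte 0 reserved, byte 1 family, then port and address,
    each XORed with the magic cookie (and the transaction id for IPv6)."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
        return str(ipaddress.IPv4Address(addr)), port
    if family == 0x02:
        key = struct.pack("!I", MAGIC_COOKIE) + transaction_id
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
        return str(ipaddress.IPv6Address(raw)), port
    raise ValueError(f"unknown address family {family:#x}")


def reflexive_address(packet: bytes):
    """What a page's JavaScript learns from a Binding Response: the client's public
    (server-reflexive) IP and port, which is the real address when the STUN request
    bypassed the VPN tunnel."""
    msg = parse_stun(packet)
    if msg is None or msg["type"] != BINDING_RESPONSE:
        return None
    value = msg["attributes"].get(XOR_MAPPED_ADDRESS)
    return decode_xor_mapped_address(value, msg["transaction_id"]) if value else None


def build_binding_response(transaction_id: bytes, ip: str, port: int) -> bytes:
    """Construct the reply a STUN server would send (used here to build sample data)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr_value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    body = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(attr_value)) + attr_value
    return struct.pack("!HHI", BINDING_RESPONSE, len(body), MAGIC_COOKIE) + transaction_id + body


# Constructed sample: placeholder transaction id and a documentation-range address.
SAMPLE_TXID = bytes(range(12))
SAMPLE_REPLY = build_binding_response(SAMPLE_TXID, "203.0.113.5", 54321)

if __name__ == "__main__":
    print("STUN server reported:", reflexive_address(SAMPLE_REPLY))
```

The magic cookie check is what makes this usable as a filter: any UDP datagram that parses as STUN and leaves through the physical interface rather than the VPN adapter is a leak candidate, regardless of which STUN server it targets.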
CHECK YOURSELF NOW
A demonstration published by developer Daniel Roesler on GitHub allows people to check if they are affected by the security glitch.
Also, you can go through the following steps in order to check if you’re affected:
  • If your browser is secure, you should see something like this:
  • If your browser is affected by this issue, you’ll see information about your true IP address in the WebRTC section.
HOW TO PROTECT YOURSELF
For Chrome users:
Google Chrome and other Chromium-based browser users can install the WebRTC Block extension or ScriptSafe, which both reportedly block the vulnerability.
For Firefox users:
In the case of Firefox, the only extensions that block these lookups are JavaScript-blocking extensions such as NoScript. To fix it, try the following steps:
  • Type about:config in the browser’s address bar and hit Enter.
  • Confirm you will be careful if the prompt appears.
  • Search for media.peerconnection.enabled.
  • Double-click the preference to set it to false.
  • This turns off WebRTC in Firefox.

Hackers Use New Flash Zero-Day Exploit to Distribute FinFisher Spyware

FinSpy, the infamous surveillance malware, is back and infecting high-profile targets using a new Adobe Flash zero-day exploit delivered through Microsoft Office documents.
Security researchers from Kaspersky Labs have discovered a new zero-day remote code execution vulnerability in Adobe Flash, which was being actively exploited in the wild by a group of advanced persistent threat actors, known as BlackOasis.
The critical type confusion vulnerability, tracked as CVE-2017-11292, could lead to code execution and affects Flash Player 21.0.0.226 for major operating systems including Windows, Macintosh, Linux and Chrome OS.
Researchers say BlackOasis is the same group of attackers which were also responsible for exploiting another zero-day vulnerability (CVE-2017-8759) discovered by FireEye researchers in September 2017.
Also, the final FinSpy payload in the current attacks exploiting the Flash zero-day (CVE-2017-11292) shares the same command-and-control (C&C) server as the payload used with CVE-2017-8759 (a Windows .NET Framework remote code execution flaw).

So far BlackOasis has targeted victims in various countries including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom and Angola.
The newly reported Flash zero-day exploit is at least the fifth zero-day that the BlackOasis group has exploited since June 2015.
The zero-day exploit is delivered through Microsoft Office documents, particularly Word, attached to a spam email; the Word file embeds an ActiveX object which contains the Flash exploit.
The exploit deploys the FinSpy commercial malware as the attack’s final payload.

“The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits,” the Kaspersky Labs researchers say.

FinSpy is a highly secretive surveillance tool that has previously been associated with Gamma Group, a British company that legally sells surveillance and espionage software to government agencies across the world.
FinSpy, also known as FinFisher, has extensive spying capabilities on an infected system, including secretly conducting live surveillance by turning on its webcam and microphone, recording everything the victim types on the keyboard, intercepting Skype calls, and exfiltrating files.

To get into a target’s system, FinSpy usually makes use of various attack vectors, including spear phishing, manual installation with physical access to the device, zero-day exploits, and watering hole attacks.

“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab.

“Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”

Kaspersky Lab reported the vulnerability to Adobe, and the company has addressed the vulnerability with the release of Adobe Flash Player versions 27.0.0.159 and 27.0.0.130.
Just last month, ESET researchers discovered legitimate downloads of several popular apps like WhatsApp, Skype, VLC Player and WinRAR (reportedly compromised at the ISP level) that were also distributing FinSpy.
So, businesses and government organizations around the world are strongly advised to install the update from Adobe as soon as possible.
Microsoft will also likely be releasing a security update to patch the Flash Player components used by its products.

FBI Arrests a Cyberstalker After Shady “No-Logs” VPN Provider Shared User Logs

The FBI recently arrested a psycho cyberstalker with the help of a popular VPN service, and this case apparently exposed the company’s lies about its “no logs” policy.
Taking down cyberstalkers and criminals is definitely a good thing, and the FBI has truly done a great job, but the VPN company whose privacy policy opens with “We Do Not monitor user activity nor do we keep any logs” has literally betrayed its customers’ trust.

Is your VPN also lying to you? Well, it’s the right time to think about this twice.

It’s no secret that most VPN services, which claim to shield your Internet traffic from prying eyes and assure you that you can surf the web anonymously, are not as secure as they claim.
In this post-Snowden era, a majority of VPN providers promise that their service is anonymous, with a no-logs policy, but honestly, there is no way you can verify this.

PureVPN Helped the FBI with Logs

A 24-year-old Massachusetts man, Ryan Lin, has been arrested in a cyberstalking case after one of the largest VPN providers, PureVPN, helped the FBI with information that linked Lin to his alleged cyber crimes.

In an FBI affidavit published last week by the US Department of Justice (DoJ), Lin is accused of stalking and harassing his housemates and former roommates online while evading local police by using various services like Tor, VPNs and Textfree.
Lin tormented his former roommate, Jennifer Smith, for a year and a half after stealing credentials for some of her online profiles from her unlocked MacBook, and other personal files, including photographs, from her iCloud and Google Drive accounts.
According to the affidavit, Lin released Smith’s personal details online (known as ‘doxing’), posted intimate photographs without her face suggesting they were of Smith, and emailed her private information to her contacts, including her family, relatives and colleagues.
Additionally, Lin allegedly posted fake profiles of her to websites “dedicated to prostitution, sexual fetishes, and other sexual encounters,” shared information about her medical background that she never shared with anyone, and sent “images that likely constitute child pornography” to her family and friends.

Suspect Also Made Bomb, Death and Rape Threats

What’s more, Lin often spoofed Smith’s identity to send bomb, death and rape threats to schools and lone individuals, which even tricked one of her friends into calling the police to her house.
To carry out all these illegal actions and hide his tracks, Lin used various privacy services like ProtonMail, VPN clients, Tor, anonymised international text messaging services and offshore private e-mail providers.
However, the suspect made a mistake by using a work computer for some of his illegal campaigns. The feds were able to recover some forensic artefacts from his work computer, even though he had been terminated and the OS had been reinstalled on the computer.

In the unallocated space of the system’s hard drive, the FBI found artefacts referencing:

  • Bomb threats against local schools.
  • A username for TextNow, the anonymous texting service, which was Lin’s most-visited website.
  • Lin’s name on Protonmail.
  • Lin had visited Rover.com (a pet-sitting site) and FetLife.com, which were used in the cyberstalking campaigns.
  • Lin repeatedly accessed his personal Gmail account.
  • He used PureVPN in the cyberstalking campaign.

How FBI Investigated the Cyberstalking Case

The FBI then managed to obtain logs from PureVPN, which linked him to the illegal campaigns against Smith and his other former roommates.

“Further, records from PureVPN show that the same email accounts—Lin’s Gmail account and the teleportfx Gmail account—were accessed from the same WANSecurity IP address,” the complaint reads.

And then the complaint goes on to say what would be quite worrying for those who believe VPNs are their best way to protect their activities online:

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.”

Hong Kong-based PureVPN, one of the largest and best-known VPN providers, is used by hundreds of thousands of users across the world, and it eventually handed over details that a VPN is supposed to protect.
Lin was arrested by the authorities on October 5, and if found guilty, he faces up to 5 years in prison and up to 3 years of “supervised release,” according to the DoJ.

Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

Visiting a website certified with an SSL certificate doesn’t mean that the website is not bogus. Secure Sockets Layer (SSL) protects web users in two ways: it uses public-key encryption to encrypt sensitive information, such as usernames, passwords or credit card numbers, between a user’s computer and a website, and it verifies the identity of websites.
Today hackers and cyber criminals are using every trick to steal users’ credentials and other sensitive data by injecting fake SSL certificates into bogus websites impersonating social media, e-commerce and financial websites.
DETECTING FAKE DIGITAL CERTIFICATES WIDELY
A group of researchers, Lin-Shung Huang, Alex Rice, Erling Ellingsen and Collin Jackson, from Carnegie Mellon University in collaboration with Facebook, have analyzed [PDF] more than 3 million SSL connections and found strong evidence that at least 6,845 (0.2%) of them were in fact tampered with using forged certificates, i.e. self-signed digital certificates that aren’t authorized by the legitimate website owners but will be accepted as valid by most browsers.

They utilized the widely supported Flash Player plug-in to enable socket functionality, implemented a partial SSL handshake on their own to capture forged certificates, and deployed this detection mechanism on an Alexa top-10 website, Facebook, which terminates connections from a diverse set of network operators across the world.
Modern web browsers generally display a warning message when they encounter errors during SSL certificate validation, but the warning page still allows users to proceed over a potentially insecure connection.

It can be argued that certificate warnings are mostly caused by server misconfigurations. According to usability surveys, however, many users actually ignore SSL certificate warnings, and trusting forged certificates would make them vulnerable to the simplest SSL interception attacks.
This means that a potential hacker can successfully impersonate any website, even over secure (HTTPS) connections, to perform an SSL man-in-the-middle attack and intercept encrypted connections.
FAKE DIGITAL CERTIFICATES SIGNED WITH STOLEN KEYS FROM ANTIVIRUS
Researchers observed that most of the forged SSL certificates use the same issuer name as legitimate certificate authorities, such as VeriSign and Comodo.
Some antivirus software, such as Bitdefender, ESET, BullGuard, Kaspersky Lab, Nordnet and DefenderPro, has the ability to intercept and scan SSL connections on clients’ systems in order to defend their users from fake SSL connections. These antivirus products generate their own certificates, which would be less alarming than other self-signed digital certificates.
“One should be wary of professional attackers that might be capable of stealing the private key of the signing certificates from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client),” the researchers explained. “Hypothetically, governments could also compel antivirus vendors to hand over their signing keys.”
Similar capabilities are found in various firewall, parental control and adware software, which could be compromised by hackers in order to generate valid-looking but fake digital certificates.
DIGITAL CERTIFICATES GENERATED BY MALWARE
Researchers also noticed another interesting self-signed digital certificate, named ‘IopFailZeroAccessCreate’, which was generated by malware on client-end systems and used the same name as the trusted certificate issuer “VeriSign Class 4 Public Primary CA”.

Detection statistics show that clients infected with the same malware serving ‘IopFailZeroAccessCreate’ bogus digital certificates were spread across 45 different countries, including Mexico, Argentina and the United States.
Malware researchers at Facebook, in collaboration with the Microsoft Security Essentials team, were able to confirm these suspicions and identify the specific malware family responsible for this attack.
“These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study,” they said.
DETECTION AND ATTACK MITIGATION TECHNIQUES
Attackers may also restrict Flash-based sockets by blocking Flash socket policy traffic on port 843, or may avoid intercepting SSL connections made by the Flash Player, in order to bypass the detection technique used by the researchers. To counter this, websites could serve socket policy files over firewall-friendly ports (80 or 443) by multiplexing web traffic and socket policy requests on their servers.
In addition, the researchers discuss mitigation techniques in the paper, such as HTTP Strict Transport Security (HSTS), the Public Key Pinning Extension for HTTP (HPKP), TLS Origin-Bound Certificates (TLS-OBC), certificate validation with notaries and DNS-based Authentication of Named Entities (DANE), which could be used by servers to enforce HTTPS and validate digital certificates.
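Two of those mitigations, HSTS and HPKP, work by letting the client refuse exactly the click-through and forged-issuer cases described above. The following added example (not code from the paper or the article) implements the client side: an HSTS store that parses the header, honours it only when received over TLS, handles expiry, includeSubDomains and max-age=0, and a pin check that computes RFC 7469 pin-sha256 values and accepts a chain only if one of its keys is pinned. The header values and the SPKI byte strings are constructed; real pins hash the DER-encoded SubjectPublicKeyInfo of a certificate.

```python
"""Client-side enforcement of HSTS (RFC 6797) and HPKP (RFC 7469).
HSTS: once a host has been seen with a valid Strict-Transport-Security header over
TLS, later requests must use HTTPS and certificate errors become fatal, so a forged
certificate cannot be clicked through. HPKP: the server pins the SHA-256 of a
SubjectPublicKeyInfo, and a chain containing none of the pinned keys is rejected even
if a trusted root signed it. Added example; headers and SPKI bytes are constructed."""
import base64
import hashlib
import time


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value. Returns None when max-age is missing
    or malformed (the header must then be ignored)."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Minimal Known-HSTS-Host store with expiry and includeSubDomains matching."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, over_tls=True):
        # RFC 6797 section 8.1: only honour the header on an error-free TLS connection
        policy = parse_hsts(header) if over_tls else None
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:          # max-age=0 tells the client to forget the host
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host):
        """True if host or a superdomain (with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > now and (i == 0 or include_subdomains):
                return True
        return False


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str):
    """Return the set of pins from a Public-Key-Pins value; empty if it is not usable
    (RFC 7469 requires max-age and at least two pins, one of them a backup)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins if max_age is not None and len(pins) >= 2 else set()


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Accept the chain only if some certificate's public key is pinned."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed SPKI bytes standing in for real DER-encoded public keys.
LEAF_SPKI = b"constructed SPKI of the site's leaf certificate"
BACKUP_SPKI = b"constructed SPKI of the offline backup key"
FORGED_SPKI = b"constructed SPKI of an interceptor's certificate"
SAMPLE_HPKP = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
               f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000')
```

Note the trust-on-first-use limit of both mechanisms: the header has to have been seen once over a clean connection, which is why the paper's detection at the server side still matters for a client that has never visited the site before.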
HOW TO REMOVE MALWARE
If you are also infected by similar malware, follow the steps below to remove it:
  • Check your hosts file (C:\Windows\System32\Drivers\etc\hosts) for malicious entries
  • Check your DNS (Domain Name System) settings on your system and DSL modem
  • Verify your proxy settings in the browser
  • Cross-check your installed browser add-ons
  • Install a reputable antivirus and firewall product and scan for malicious files
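The first step above is easy to automate. The following added example (not from the article) parses a hosts file and flags every hostname mapped to a routable address, treating a login domain pointed somewhere other than loopback as the strongest signal, since that is how an intercepting certificate gets paired with the site it impersonates. The sample hosts content and the watch list of login domains are constructed; point scan_hosts_file() at the path given above to run it on a real system.

```python
"""Audit a hosts file for entries that hijack name resolution. Added example; the
hosts content below is constructed. On Windows pass C:\\Windows\\System32\\Drivers\\etc\\hosts
to scan_hosts_file(), on Linux /etc/hosts."""
import ipaddress

# Addresses that merely blackhole or loop back a name; everything else is a redirect.
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0", "::"}

# Assumed watch list: domains you authenticate to and never expect in a hosts file.
WATCHED_LOGIN_DOMAINS = {"facebook.com", "accounts.google.com", "login.live.com",
                         "paypal.com", "twitter.com"}

# Constructed sample hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # ad blocking, harmless
203.0.113.66    www.facebook.com facebook.com
203.0.113.66    login.live.com
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for each mapping, ignoring comments and junk."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def _is_watched(name, watched):
    return name in watched or any(name.endswith("." + w) for w in watched)


def suspicious_entries(text, watched=WATCHED_LOGIN_DOMAINS):
    """Return [(line_number, ip, hostname, reason)] for mappings to a routable address.
    A hostname pinned to an address other than loopback/null is a redirect; when the
    name is a login domain it is almost certainly credential theft."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if ip in LOOPBACK_OR_NULL:
            continue
        reason = "login domain redirected" if _is_watched(name, watched) else "routable address"
        flagged.append((lineno, ip, name, reason))
    return flagged


def scan_hosts_file(path):
    """Run the audit against a real hosts file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read())


if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

Entries mapped to 0.0.0.0 or 127.0.0.1 (ad blocking, local development) are deliberately ignored; a legitimate internal mapping such as an intranet host to a private address is still reported as "routable address" so the reviewer can confirm it.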

Chinese Man Jailed For Selling VPNs that Bypass Great Firewall

In an effort to continue its crackdown on VPNs, Chinese authorities have arrested a 26-year-old man for selling VPN software on the Internet.
China’s Supreme Court has sentenced Deng Jiewei from Dongguan in Guangdong province, close to Hong Kong, to nine months in prison for selling virtual private network (VPN) software through his own small independent website.

A VPN encrypts users’ Internet traffic and routes it through a distant connection so that web surfers can hide their identity and location while accessing websites that are restricted or censored in their country.
Chinese citizens usually make use of VPNs to bypass the Great Firewall of China, also known as the Golden Shield project, which employs a variety of tricks to censor the Internet in the country.
The project has already blocked access to some 171 of the world’s 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay, in the country.
But to tighten grip over the Internet and online users, the Chinese government announced a 14-month-long crackdown on VPNs in the country at the beginning of this year, requiring VPN service providers to obtain prior government approval.
The move made most VPN vendors in the country of 730 million Internet users illegal, and has now resulted in the arrest of Deng, who was convicted of “providing software and tools for invading and illegally controlling the computer information system.”

According to the court documents posted on the China’s Supreme People’s Court website, Deng has been selling two VPN services on his website since October 2015, and was first detained in August last year.
Deng along with his partner Jiang Moufeng made nearly 14,000 Chinese yuan (just US$2,138) selling the VPN software, which allowed users to “visit foreign websites that could not be accessed by a mainland IP address.”
Deng has been found guilty of intrusions and “illegal control of computer information system procedures,” and has been sentenced to nine months imprisonment and fined 5,000 Chinese yuan.
Deng was actually sentenced in March this year, but the online court documents were circulated on a Chinese blog tracking social media trends in China, called What’s on Weibo, only on Sunday.
We reported in July that Apple also removed some of the popular VPN apps, including ExpressVPN and Star VPN, from its official Chinese app store in order to comply with the government crackdown that will remain in place until March 31, 2018.


Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers

Security researchers have discovered a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers.
Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON.
The vulnerability (CVE-2017-9805) is a programming blunder in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to properly handle XML payloads when deserializing them.

All versions of Apache Struts since 2008 (from Struts 2.5 to Struts 2.5.12) are affected, leaving all web applications using the framework’s REST plugin vulnerable to remote attackers.

According to one of the security researchers at LGTM, who discovered this flaw, the Struts framework is being used by “an incredibly large number and variety of organisations,” including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.
“On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser,” Man Yue Mo, an LGTM security researcher said.
All an attacker needs to do is submit malicious XML in a particular format to trigger the vulnerability on the targeted server.
Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate other systems on the same network.

Mo said this flaw is an unsafe deserialization in Java, similar to a vulnerability in Apache Commons Collections discovered by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution.
Many Java applications have since been affected by multiple similar vulnerabilities in recent years.
Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.
More technical details about the vulnerability and proof-of-concept have not been published by the researchers yet, giving admins enough time to upgrade their systems.

Game of Thrones and HBO — Twitter, Facebook Accounts Hacked

The Game of Thrones hacking saga continues, but this time HBO’s and GOT’s official Twitter and Facebook accounts were compromised, rather than upcoming episodes.
As if the leak of episodes by hackers and the accidental airing of an upcoming episode of Game of Thrones by HBO itself were not enough, a notorious group of hackers took over the official Twitter and Facebook accounts for HBO as well as Game of Thrones on Wednesday night.

The hacker group from Saudi Arabia, dubbed OurMine, claimed responsibility for the hack, posting a message on both HBO’s official Twitter and Facebook accounts, which read: “Hi, OurMine are here, we are just testing your security, HBO team, please contact us to upgrade the security,” followed by a contact link for the group.

This message was followed by another one, in which the hackers asked people to make the hashtag #HBOhacked trend on Twitter, which it did.

OurMine is the same group of hackers from Saudi Arabia that previously compromised the social media accounts of major company CEOs, including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Brendan Iribe, CEO of the Facebook-owned virtual reality company Oculus.
In most cases, OurMine hackers gain access to social media accounts using credentials exposed in previous, publicly known data breaches.
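Because the usual entry point is a password that already appeared in someone else's breach, the practical defence is to check new and existing passwords against a breach corpus without revealing them. The following added example (not code from the article or from OurMine's targets) implements the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of the SHA-1 hash leave the machine, and the match is made locally. The range response is constructed rather than fetched, so the example runs offline; the first suffix is the real SHA-1 of "password", the counts are made up.

```python
"""Check whether a password appears in a breach corpus without sending the password (or
its full hash) anywhere: the k-anonymity range query used by Have I Been Pwned's
Pwned Passwords API. Only the first 5 hex characters of the SHA-1 hash leave the host;
the matching is done locally on the returned suffix list. Added example; the range
response below is constructed rather than fetched."""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): the 5-character prefix that is sent, the 35-character
    suffix that stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(range_response: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
    for our suffix, 0 when absent."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def is_exposed(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text. Returns the number of times the password
    was seen in breaches (0 = not found). In production fetch_range does an HTTPS GET
    of https://api.pwnedpasswords.com/range/<prefix>; here it is injected so the
    example runs offline."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed stand-in for the range endpoint: the first suffix is SHA-1("password")
# minus its prefix; the count and the other two lines are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2C8A1B4D7E5F6A3B2C1D0E9F8A7B6C5D4:2
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:17
""",
}


def offline_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        hits = is_exposed(pw, offline_fetch)
        print(f"{pw!r}: {'EXPOSED ' + str(hits) + ' times' if hits else 'not in corpus'}")
```

The same check belongs in an account's password-change flow and, paired with two-factor authentication on the social media accounts themselves, removes the reuse path this group relies on.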

However, the hacking group never seems to go beyond demonstrating its ability to take over an account, without doing much damage to the account or the information it protects.
OurMine offers companies security against hacking, charging up to $5,000 for a “scan” of their social media accounts, site security holes and other security vulnerabilities, and advertises its commercial services by breaking into famous accounts.

HBO managed to remove the offending tweets shortly after the hackers posted them.
Just yesterday, in a devastating blunder, HBO Spain accidentally aired Episode 6 of Game of Thrones season 7 five days before its official premiere.
The popular entertainment company is also facing a threat from a hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from HBO.
Over two weeks ago, the unknown hackers dropped episodes of “Ballers” and “Room 104,” along with a script of the fourth episode of Game of Thrones, on the internet.
This leak was followed by another dump, a half-gigabyte sample of stolen data including the company’s emails, employment agreements, balance sheets and the script of the upcoming GOT episode, together with a ransom demand of nearly $6 million in Bitcoin.

Although it was revealed that the company offered the hackers $250,000 to extend the ransom payment deadline by one week, the proposal apparently failed to satisfy them, and they threatened to release more data every Sunday until the full ransom was paid.

Cyberspies Are Using Leaked NSA Hacking Tools to Spy On Hotels Guests

An infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the WannaCry and NotPetya outbreaks—this time to target Wi-Fi networks to spy on hotel guests in several European countries.
Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels, and attributed it to the Fancy Bear hacking group.
Fancy Bear, also known as APT28, Sofacy, Sednit, and Pawn Storm, has been operating since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and the Clinton campaign in an attempt to influence the U.S. presidential election.

The newly discovered campaign is also exploiting the Windows SMB exploit (CVE-2017-0143), called EternalBlue, which was one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April.
EternalBlue exploits a vulnerability in version 1 of Windows’ Server Message Block (SMB) networking protocol to spread laterally across networks, and it allowed the WannaCry and Petya ransomware to spread across the world quickly.
Since the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful.
Just last week, a new version of the credential-stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though the Trojan was not leveraging EternalBlue at that time.
However, researchers have now found someone deploying the exploit to upgrade their attack.

“To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit,” FireEye researchers write. “This is the first time we have seen APT28 incorporate this exploit into their intrusions.”

Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.

Here’s How the Attack is Carried Out

The attacks began with a spear phishing email sent to one of the hotel employees. The email contains a malicious document named “Hotel_Reservation_Form.doc,” which uses macros to decode and deploy GameFish, malware known to be used by .
Once installed on the targeted hotel’s network, GameFish uses the EternalBlue SMB exploit to laterally spread across the hotel network and find systems that control both guest and internal Wi-Fi networks.

Once under control, the malware deploys Responder, an open source penetration testing tool created by Laurent Gaffie of SpiderLabs, for NetBIOS Name Service (NBT-NS) poisoning in order to steal credentials sent over the wireless network.
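NBT-NS poisoning works because Windows hosts broadcast a name query when DNS cannot resolve a name, and anything on the segment can answer. That also gives the defender a cheap test: query for a name that nobody has registered and treat any positive answer as spoofed. The following added example (not code from FireEye, the article, or the Responder project) implements the NetBIOS name encoding (RFC 1001), builds the query, decodes the response and applies that decision; the response packet it checks is constructed so the decoder runs offline, while probe() is the live version to run on the hotel or office segment. The name, transaction id and addresses are placeholders.

```python
"""Detect an NBT-NS poisoner on the local segment: broadcast a NetBIOS name query for
a name no host has registered and treat any positive answer as spoofed. Added example;
the response packet below is constructed so the decoder and decision run offline."""
import os
import socket
import struct

NBNS_PORT = 137
NB_RR_TYPE = 0x0020        # NetBIOS general name service resource record


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding (RFC 1001 section 14.1): the name is space-padded to 15
    bytes plus a one-byte suffix, and each byte becomes two letters A..P, one per nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def _encoded_label(name: str) -> bytes:
    encoded = encode_netbios_name(name).encode("ascii")
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_name_query(name: str, txid: int) -> bytes:
    """NAME QUERY REQUEST: header (txid, flags 0x0110 = recursion desired + broadcast,
    one question) followed by the encoded name, type NB, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + _encoded_label(name) + struct.pack("!HH", NB_RR_TYPE, 1)


def _skip_name(packet: bytes, pos: int) -> int:
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer
            return pos + 2
        pos += 1 + length


def parse_name_response(packet: bytes, txid: int):
    """Return the IPv4 addresses claimed in a positive NAME QUERY RESPONSE whose
    transaction id matches ours; [] for anything else."""
    if len(packet) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000 or ancount == 0:
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype == NB_RR_TYPE:
            for i in range(0, rdlen, 6):   # each entry: 2 bytes NB_FLAGS, 4 bytes IPv4
                addresses.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return addresses


def looks_poisoned(name: str, txid: int, response: bytes, registered=()) -> bool:
    """A positive answer for a name not in our inventory of registered names means
    something on the segment is answering for names it does not own."""
    return bool(parse_name_response(response, txid)) and \
        name.upper() not in {n.upper() for n in registered}


def build_name_response(name: str, txid: int, ip: str) -> bytes:
    """Construct the positive reply a poisoner sends (sample data for the decoder)."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = _encoded_label(name) + struct.pack("!HHIH", NB_RR_TYPE, 1, 165, 6)
    return header + rr + struct.pack("!H", 0) + socket.inet_aton(ip)


def probe(timeout: float = 2.0):
    """Live check: ask for a random name nobody owns; return (answering_ip, claimed_ips)
    if something answers, else None. Not invoked by the offline sample."""
    name = "NOSUCH" + os.urandom(3).hex().upper()
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_name_query(name, txid), ("255.255.255.255", NBNS_PORT))
        data, (src, _) = sock.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return (src, parse_name_response(data, txid)) if looks_poisoned(name, txid, data) else None


# Constructed sample: a spoofed answer claiming a name no host registered.
SAMPLE_TXID = 0x1234
SAMPLE_POISONED_REPLY = build_name_response("NOSUCH7A1B2C", SAMPLE_TXID, "10.0.0.99")
```

The durable mitigation is to stop the query from being answerable at all: disable NetBIOS over TCP/IP and LLMNR on managed clients so that a poisoner has nothing to answer, which also removes the credential hashes Responder harvests.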

While the hacking group carried out the attack against the hotel network, researchers believe that the group could also directly target “hotel guests of interest”—generally business and government personnel who travel in a foreign country.
The researchers revealed one such incident in 2016 where Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel’s Wi-Fi network.
This is not the only attack apparently aimed at hotel guests. The South Korea-nexus Fallout Team (also known as DarkHotel) has previously carried out such attacks against Asian hotels to steal information from senior executives of large global companies during their business trips.
The Duqu 2.0 malware was also found targeting the Wi-Fi networks of European hotels used by participants in the Iranian nuclear negotiations. High-profile people visiting Russia and China may also have their laptops and other electronic devices accessed.
The easiest way to protect yourself is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.