Researchers say the APT28 hacking group has scraped the EternalBlue exploit from Shadow Brokers’ public dump and is using it to steal data from hotel guests across Europe.
The APT28 hacking group is behind a string of attacks – but this is the first time it has used EternalBlue.
A hacking group accused of meddling in the run-up to the US presidential election is harnessing the Windows exploit which made WannaCry ransomware and Petya so powerful — and using it to perform cyberattacks against hotels in Europe.
Researchers at FireEye have attributed a campaign to remotely steal credentials from guests using Wi-Fi networks at hotels in Europe to APT28 — also known as Fancy Bear — a hacking organisation which many security firms have linked to Russia’s military intelligence.
The attack uses EternalBlue, an exploit for a vulnerability in a version of Windows’ Server Message Block (SMB) networking protocol, to spread laterally through networks.
The exploit, one of many allegedly known to US intelligence services and used by the NSA for surveillance, was leaked and published by the Shadow Brokers hacking group.
With the code available for anyone to see, it was perhaps only a matter of time before others looked to leverage it — as demonstrated by the WannaCry ransomware epidemic and the subsequent Petya outbreak.
A number of cyber criminal groups are attempting to use EternalBlue to boost their own malware, but this is the first time APT28 has been spotted attempting to do so.
“This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version,” Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet.
The attack process begins with a spear-phishing campaign targeting multiple companies in the hospitality industry with hotels in at least seven European countries and one Middle Eastern country; the targets are sent emails designed to compromise their networks.
Messages contain a malicious document, “Hotel_Reservation_From.doc”, containing a macro which, if successfully executed, decodes and deploys GameFish — which researchers describe as APT28’s signature malware.
Once GameFish is installed on the network, it uses EternalBlue to worm its way through the network and find the computers responsible for controlling both guest and internal Wi-Fi networks. Once in control of these machines, the malware deploys the open source Responder tool, allowing it to steal any credentials sent over the wireless network.
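As an added, defender-side example that is not part of the article and is not FireEye’s or APT28’s code: a PowerShell script (Windows 8 / Server 2012 and later, run elevated) that audits a host for the two conditions the chain above depends on. The first is an enabled SMBv1 server, which is what EternalBlue reaches; the second is broadcast name resolution (LLMNR and NetBIOS name service), which the Responder tool answers in order to capture credentials. That detail about how Responder works is general knowledge about the tool rather than something the article states. The `-Apply` switch, the output wording and the script layout are this example’s own.

```powershell
# Added example (not from the article): audit, and optionally fix, the two host-side
# weaknesses the APT28 hotel chain relies on. Disabling SMBv1 reduces exposure but does
# not replace installing the MS17-010 update.
param([switch]$Apply)

$findings = @()

# 1. EternalBlue targets SMBv1. Report whether the SMBv1 server protocol is still on.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED (EternalBlue-reachable if MS17-010 is missing)"
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += "  -> SMBv1 server protocol disabled"
    }
}

# On Windows 10 / Server 2016 and later SMBv1 is also an optional feature; older builds
# return nothing here and are skipped.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is ENABLED"
    if ($Apply) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $findings += "  -> SMB1Protocol feature removed (restart required)"
    }
}

# 2. Responder answers LLMNR and NetBIOS name queries that Windows broadcasts on the local
#    segment. Turning both off removes what it listens for. The registry value below is the
#    one set by the Group Policy "Turn off multicast name resolution".
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += "LLMNR is ENABLED (EnableMulticast is not 0)"
    if ($Apply) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $findings += "  -> LLMNR disabled by policy"
    }
}

# NetBIOS over TCP/IP is a per-adapter setting: TcpipNetbiosOptions 2 means disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP enabled on adapter '$($a.Description)'"
        if ($Apply) {
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            $findings += "  -> NetBIOS over TCP/IP disabled on '$($a.Description)'"
        }
    }
}

if ($findings.Count -eq 0) { "No findings: SMBv1, LLMNR and NetBIOS name service are all disabled." }
else { $findings }
```

Run it without arguments to get a report, or with `-Apply` to change the settings; in a domain the LLMNR and NetBIOS changes are normally pushed by Group Policy rather than scripted per host, and the SMBv1 feature removal needs a restart to take effect.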
While the attack is carried out against the network as a whole, FireEye suggests that “hotel guests of interest could be directly targeted as well” — government and business personnel have previously been of interest to APT28.
Researchers note that in one incident, a victim was compromised after connecting to a hotel network, but that the attackers didn’t immediately take action — they waited 12 hours before remotely accessing the systems. Notably, the login originated from the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.
The technique also exploits single-factor user authentication — using two-factor authentication makes it harder for the hackers to break into targeted accounts.
These attacks against European hotels – which FireEye has attributed to APT28 with “moderate confidence” – share a number of similarities with another advanced hacking and cyberespionage campaign against the hospitality sector, known as DarkHotel.
The group behind DarkHotel also compromises hotel Wi-Fi connections and combines this with spear-phishing attacks to compromise specific targets.
However, FireEye says the two campaigns aren’t linked and that DarkHotel — also known as Fallout Team — looks to be the work of a “Korean peninsula-nexus cyber espionage actor” and not APT28.
“While the previous targeting of victims through hotel public Wi-Fi by Fallout Team is similar to the latest APT28 campaign, these are two separate actors conducting operations for national security interests in support of their respective state sponsor,” said Kittner.
“Further, there are technical differences between how each actor conducted their operation. Fallout Team presented fake software updates to users while APT28 is getting passwords from Wi-Fi traffic,” she added.
FireEye warns that publicly accessible Wi-Fi networks present a significant threat and “should be avoided when possible”.
With the public release of the EternalBlue exploit, it’s unfortunately unsurprising that hacking groups are looking to harness it and other Vault7 leaks for their own gain.
While the idea of these exploits being used to supercharge cyber-criminal gangs is bad, in the hands of advanced state-backed actors like APT28, malware could do even more damage.