Shadow Brokers, the group behind WannaCry, has indirectly transferred the leaked NSA exploit EternalBlue to another group of hackers. Fancy Bear, or APT28, a group notorious among cyber security experts across the globe, picked up the leaked NSA exploit from a Shadow Brokers data dump. The public release of EternalBlue caused something of a development rush among hackers looking to enhance their malware. This led to the development of WannaCry and NotPetya, which had an impact on the global economy. APT28 has used this exploit as part of a campaign to steal from hotel customers. Before we explore the impact of APT28’s malware, let’s review what the core of their malware does.
EternalBlue
The name above refers to a security vulnerability that allows malware to spread laterally across a network by exploiting the Windows Server Message Block (SMB) protocol. The NSA used this exploit for surveillance purposes, but it was stolen and published by the hacking group Shadow Brokers. Packaged with other exploits, it can turn relatively benign malware into something absolutely devastating.
APT28’s Malicious Application
For whatever reason, APT28 has decided to focus all of their recent efforts on the hospitality industry. The attack is multi-tiered and very calculated, with a strong focus on Europe and the Middle East. The cyber attack starts with a targeted phishing campaign crafted specifically for hotels. The hotels receive a message carrying an infected document titled “Hotel_Reservation_Form.doc” which contains a macro. If the macro is executed, it decodes and deploys the GameFish malware.
When GameFish is activated, the malware uses the EternalBlue exploit to move through the network and locate the specific set of computers that control the guest and company Wi-Fi networks. Once GameFish has located and seized control of these computers, it deploys a tool that lets it steal all credentials sent over the wireless network.
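As an added example (not part of the original post or APT28’s tooling), here is a small detector for the pattern that EternalBlue-style lateral movement leaves in network logs: one internal host opening SMB (TCP/445) connections to many distinct peers within a short window. The flow-log format, the sample records and the alert threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): "timestamp src dst dport"
SAMPLE_FLOWS = """\
2017-08-11T09:00:01 10.10.5.23 10.10.5.1 445
2017-08-11T09:00:02 10.10.5.23 10.10.5.2 445
2017-08-11T09:00:02 10.10.5.23 10.10.5.3 445
2017-08-11T09:00:03 10.10.5.23 10.10.5.4 445
2017-08-11T09:00:03 10.10.5.23 10.10.5.5 445
2017-08-11T09:00:04 10.10.5.23 10.10.5.6 445
2017-08-11T09:00:10 10.10.5.40 10.10.5.9 443
2017-08-11T09:00:11 10.10.5.40 10.10.5.9 445
2017-08-11T09:30:00 10.10.5.23 10.10.5.7 445
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: peer_count} for sources that reached >= threshold distinct
    hosts on TCP/445 inside any sliding window. One workstation talking SMB to
    many peers within seconds is the signature of worm-style lateral movement;
    the threshold (assumed here) should be tuned to the site's normal SMB use."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

def detect(text=SAMPLE_FLOWS):
    """Run the detector over a flow log; returns the alert dictionary."""
    return smb_fanout(parse_flows(text))

if __name__ == "__main__":
    for src, count in detect().items():
        print(f"ALERT: {src} contacted {count} hosts on TCP/445 within 5 minutes")
```

In the constructed sample only 10.10.5.23 trips the rule; the host that made a single SMB connection does not.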
The primary targets at these hotels are usually government and business employees. A compromised target is usually not aware right away, because APT28 doesn’t take action right away. The only deterrent for a guest seemed to be two-factor authentication. High-profile targets are especially vulnerable. The attack here is very similar to the DarkHotel attacks on the Korean peninsula.
Preventing Theft on Public Networks
Above you read that two-factor authentication seemed to be the best deterrent against the hackers. However, there are some other methods that can help you stay secure while online.
- Virtual Private Network (VPN):
A VPN is one of the best lines of defense you can have against malicious actors on public Wi-Fi. When using a VPN, your connection to the internet is encrypted, which makes your communications and passwords difficult for a hacker to access. While providers claim that no one can monitor your activity, that still depends on your own actions while connected. The most important tip here is to never use a free VPN, as those providers will likely sell your activity data to the highest bidder. The average price for a VPN can range from $50 per year to about $130 per year.
- HTTPS:
You should always browse the web using HTTPS; this ensures that communication between your browser and the website is secure as well. HTTPS is often the first line of defense against man-in-the-middle attacks. Because the Wi-Fi attack described here acts as a man-in-the-middle, HTTPS needs to be paired with a VPN service as listed above.
- Firewall:
That familiar term we’ve heard since the 90s. You should always be using a firewall, and thankfully they come installed on many computers now. They are able to alert you to attempted access to your computer.
APT28’s malware is insidious and has the ability to capture the information of large groups of people at once. All a hacker needs is the credentials of the right person with enough permissions. Keep an eye out not just for yourself but for your team as well if you are traveling with one.