Unwanted Hotel Guests: Russia's Fancy Bear
FireEye Says the Hackers Are Launching Sneaky Hotel Wi-Fi Attacks
Experts have long warned that connecting to unknown networks is risky, because whoever controls the network can observe or tamper with the traffic crossing it. Now FireEye says it has uncovered a stealthy attack designed to steal authentication credentials from the computers of hotel guests.
The attack leaves virtually no traces and is almost impossible to stop, says Bryce Boland, FireEye's Asia-Pacific CTO.
"There's no evidence that there was any kind of compromise at all," Boland says. "From an attacker perspective, it's wonderful. They get to steal credentials, and they get to do it in a way that leaves no forensic evidence on the victim's computer."
The group behind the attack is a familiar one: APT28, also known as Fancy Bear, the bold Russian group blamed for the attacks against the Democratic National Committee, the World Anti-Doping Agency and many others (see Hackers Dump US Olympic Athletes' Drug-Testing Results).
FireEye says Fancy Bear is recycling EternalBlue, the leaked NSA exploit used in two recent devastating ransomware outbreaks. The group is also using a penetration-testing tool, released by a security company, that abuses a legacy Windows name-resolution fallback, the NetBIOS Name Service, to trick machines into handing over login credentials.
Although neither technique is new, their adoption shows that APT28 continues to expand its capabilities and tactics, FireEye analysts Lindsay Smith and Ben Read write in a blog post.
FireEye says the investigation began when it detected a spear-phishing campaign against hotels in seven European countries and one Middle Eastern country.
The emails contained a malicious Microsoft Word document with a macro that tries to install a standard APT28 backdoor called GAMEFISH, also known as Sednit, Seduploader, JHUHUGIT and Sofacy.
Once inside a hotel's network, APT28 seeks to embed itself in the machines that control the corporate and guest Wi-Fi networks. To move laterally through the network, it uses EternalBlue, an exploit for a vulnerability in version 1 of the Windows Server Message Block (SMB) file-sharing protocol.
The Shadow Brokers group leaked the exploit in April; it is believed to have come from the National Security Agency. Microsoft had already patched the flaw in March (security bulletin MS17-010), but the exploit was then used in the back-to-back WannaCry and NotPetya ransomware outbreaks, which showed that many organizations still had not applied the patch (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).
Once APT28 has a foothold on a hotel's network, it tries to capture the authentication credentials that guests' computers send out while looking for network services they expect to find.
When a Windows computer joins any network, it automatically tries to reconnect to resources it normally expects to be there, such as the office printer or a mapped file share, Boland says.
This is where APT28 steps in. To find such a resource by name, a Windows machine first asks DNS. If DNS cannot resolve the name (and a hotel's DNS cannot resolve an office-only host), Windows falls back to asking the other machines on the local subnet by broadcast, via the NetBIOS Name Service (NBT-NS).
A malicious machine on the same subnet simply answers that broadcast with its own IP address. The victim then connects to it and, believing it has reached the real resource, authenticates with NTLM, sending a challenge-response derived from the user's password hash rather than the password itself. The technique is known as NetBIOS Name Service poisoning.
APT28 doesn't reinvent the wheel. To execute the poisoning attack, it's using Responder, a penetration testing tool developed by Trustwave's SpiderLabs, according to FireEye.
Boland says an attacker can capture a large number of credentials this way. Users are unaware that it is happening, and no artifacts are left on the victim's machine.
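The exchange described above can be turned around into a check a defender can run from a laptop on the hotel Wi-Fi: broadcast an NBT-NS query for a name that no legitimate host could own and see whether anything answers. Only a poisoner has a reason to claim an arbitrary name. The script below is an added example written for this article; it is not FireEye's or Responder's code. Packet layouts follow RFC 1002; the canary name, sample IP address and transaction IDs are constructed for the demo.

```python
"""Canary NBT-NS query: spot a Responder-style name-service poisoner on the subnet.

Added example, not FireEye's or Responder's code. It broadcasts a NetBIOS name
query for a name no legitimate host owns; anything that answers is claiming that
name, which is exactly what a poisoner does. Packet layouts follow RFC 1002.
"""
from __future__ import annotations

import os
import random
import socket
import struct

NBNS_PORT = 137
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
FLAGS_QUERY = 0x0110      # opcode QUERY, RD=1, B=1 (broadcast)
FLAGS_POSITIVE = 0x8500   # R=1, AA=1, RD=1: a positive name-query response


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: pad to 15 chars, add the suffix byte, then write each
    byte as two nibbles offset by 'A' (so a space becomes 'CA'). 34 bytes total."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    nibbles = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + nibbles + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix). Tolerates junk bytes."""
    body = encoded[1:33]
    raw = bytes((((body[i] - 0x41) & 0x0F) << 4) | ((body[i + 1] - 0x41) & 0x0F)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", errors="replace").rstrip(" "), raw[15]


def build_nbns_query(name: str, txid: int) -> bytes:
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(name: str, ip: str, txid: int, ttl: int = 165) -> bytes:
    """The answer a poisoner sends back (used here only to exercise the parser offline)."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE, 0, 1, 0, 0)
    rr = encode_netbios_name(name) + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)
    return header + rr + struct.pack(">H", 0x0000) + socket.inet_aton(ip)


def parse_nbns_response(data: bytes, txid: int, queried: str) -> tuple[str, str] | None:
    """Return (name, claimed_ip) if data is a positive response to our query, else None."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an < 1:
        return None
    off = 12 + qd * 38                      # skip any echoed question entries
    if off < len(data) and data[off] & 0xC0 == 0xC0:
        name, off = queried.upper(), off + 2    # compressed pointer back to the question
    elif len(data) >= off + 34:
        name, off = decode_netbios_name(data[off:off + 34])[0], off + 34
    else:
        return None
    if len(data) < off + 16:
        return None
    rtype, _rclass, _ttl, rdlen, _nb_flags, ip = struct.unpack(">HHIHH4s", data[off:off + 16])
    if rtype != QTYPE_NB or rdlen < 6:
        return None
    return name, socket.inet_ntoa(ip)


def probe_for_poisoner(timeout: float = 2.0, bcast: str = "255.255.255.255"):
    """Broadcast a query for a random canary; return (canary, [(sender, claimed_ip), ...])."""
    canary = "CANARY" + os.urandom(4).hex().upper()     # 14 chars, cannot be a real host
    txid = random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_nbns_query(canary, txid), (bcast, NBNS_PORT))
        while True:
            try:
                data, (src, _) = s.recvfrom(1024)
            except socket.timeout:
                break
            parsed = parse_nbns_response(data, txid, canary)
            if parsed:
                hits.append((src, parsed[1]))
    return canary, hits


if __name__ == "__main__":
    canary, hits = probe_for_poisoner()
    for src, claimed in hits:
        print(f"POISONER? {src} answered for {canary}, pointing it at {claimed}")
    if not hits:
        print(f"nobody answered for {canary}: no NBT-NS poisoner seen")
```

A clean subnet never answers a query for a random name, so any reply at all is the signal; the sender address is the poisoner's box, and the claimed address is where it wants victims to connect. Hotel networks with client isolation will also swallow the broadcast, which reads as "no poisoner" and should not be taken as proof of a clean network.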
What the attacker captures cannot simply be replayed: the NTLM challenge-response has to be cracked offline to recover the password. Once that is done, the attackers could connect back to the victim's workstation, but FireEye believes they instead use the recovered credentials to log in to the victim's home network.
Defense? There Isn't One
The tricky part is that there is no good defense beyond not connecting to an untrusted hotel network. The attack completes before a VPN connection can even be established, Boland says.
"You're racing against your computer trying to reconnect network resources when it sees that it has an active internet connection versus getting your VPN established," Boland says. "The reality is as soon as you connect to that hotel network Wi-Fi, this NetBIOS name server man-in-the-middle attack using Responder will work."
One option is to disable the NetBIOS Name Service, which is enabled by default on Windows network interfaces (the per-adapter "NetBIOS over TCP/IP" setting, or NetbiosOptions = 2 under the NetBT interface registry keys, which DHCP can also push to a managed fleet). Note that Responder poisons the LLMNR and mDNS fallbacks in the same way, so those have to be turned off as well for the change to help. But Boland says that if organizations have not architected their Microsoft services to avoid NetBIOS, switching it off could cause significant disruption.
"You could literally disable your entire business pretty quickly," he says.