An infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the WannaCry and NotPetya outbreaks—this time to target Wi-Fi networks to spy on hotel guests in several European countries.
Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels and attributed it to the Fancy Bearhacking group.
Fancy Bear—also known as APT28, Sofacy, Sednit, and Pawn Storm—has been operating since at least 2007 and also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election.
The newly-discovered campaign is also exploiting the Windows SMB exploit (CVE-2017-0143), called EternalBlue, which was one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April.
EternalBlue is a security vulnerability which leverages a version of Windows’ Server Message Block (SMB) version 1 networking protocol to laterally spread across networks and also allowed the WannaCry and Petya ransomware to spread across the world quickly.
Since the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful.
Just last week, a new version of credential stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though the trojan was not leveraging EternalBlue at that time.
However, researchers have now found someone deploying the exploit to upgrade their attack.
“To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit,” FireEye researchers write. “This is the first time we have seen APT28 incorporate this exploit into their intrusions.”
Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.
Source: The Hacker News