The same leaked NSA hacker tools deployed in the huge WannaCry and NotPetya ransomware outbreaks appear to have been re-used by the Fancy Bear crew alleged to have breached the Democratic National Committee (DNC), according to research out Friday.
The hackers, also known as APT28 and believed by the U.S. government to be directed by Russian intelligence, are abusing a vulnerability – revealed in leaks from the Shadow Brokers, widely believed to contain a chunk of NSA’s digital arsenal – to target hotels and their Wi-Fi networks, in probable attempts to spy on the individuals within, said cybersecurity firm FireEye. The company noted its findings came with “moderate” confidence, though another major threat intelligence service with knowledge of APT28’s activities confirmed it observed the same activity.
The particular flaw, exploited by a program known as EternalBlue, resided in Microsoft Windows’ Server Message Block (SMB), a network file-sharing protocol. Though the vulnerability has been patched, hundreds of thousands of computers remain unpatched and vulnerable, as the recent ransomware attacks showed.
Most of the targets in the recent attacks were based in Europe, though one hotel in the Middle East was also on the hit list. FireEye also suspects that agents are visiting the hotels themselves to surveil over Wi-Fi. “We have limited indications that APT28 is seeking to compromise government and business travelers by leveraging in person and remote access to guest Wi-Fi networks at hotels,” the firm wrote in a post today.
FireEye found the attackers were sending tainted files to multiple hospitality companies in at least seven European countries and one Middle Eastern nation. When opened, the fake hotel reservation document would attempt to launch malware, dubbed Gamefish, associated with APT28. Once inside the network, the hackers would spread to other machines using EternalBlue, in a similar way to how WannaCry and NotPetya metastasized. They would search out specific computers controlling both guest and internal Wi-Fi networks. An open-source tool, Responder, would then help the infiltrators steal Wi-Fi usernames and passwords.
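As an added illustration from the defender's side (not part of the original article or of FireEye's report), the constructed Python check below looks in network telemetry for the two behaviours described above: one host opening SMB (445/tcp) connections to many peers within a short window, and one host answering LLMNR/NBT-NS name queries for many different names, which is how a name-poisoning tool captures credentials. All IP addresses, hostnames, timestamps and thresholds are constructed assumptions.

```python
"""Constructed telemetry check: flag SMB fan-out (lateral movement) and a host
answering many LLMNR/NBT-NS name queries (name poisoning). Data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2017-07-10T01:00:00", "10.20.5.17", "10.20.5.20", 445),
    ("2017-07-10T01:00:02", "10.20.5.17", "10.20.5.21", 445),
    ("2017-07-10T01:00:03", "10.20.5.17", "10.20.5.22", 445),
    ("2017-07-10T01:00:05", "10.20.5.17", "10.20.5.23", 445),
    ("2017-07-10T01:00:06", "10.20.5.17", "10.20.5.24", 445),
    ("2017-07-10T01:00:07", "10.20.5.17", "10.20.5.25", 445),
    ("2017-07-10T01:02:00", "10.20.5.30", "10.20.5.2", 445),  # normal file-server use
    ("2017-07-10T01:03:00", "10.20.5.31", "10.20.5.2", 445),
]
# Constructed LLMNR/NBT-NS responses: (responder_ip, queried_name, querier_ip)
NAME_RESPONSES = [
    ("10.20.5.17", "fileserver01", "10.20.5.40"),
    ("10.20.5.17", "printer-lobby", "10.20.5.41"),
    ("10.20.5.17", "wpad", "10.20.5.42"),
    ("10.20.5.17", "hotelbackup", "10.20.5.43"),
    ("10.20.5.2", "fileserver02", "10.20.5.44"),  # a host answering for itself
]

def smb_fanout(flows, window=timedelta(minutes=5), min_targets=5):
    """Return {src_ip: distinct 445/tcp targets} for every source that reaches
    at least min_targets distinct hosts inside some sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = targets
                break
    return hits

def name_poisoners(responses, min_names=3):
    """Return responder IPs that answered name queries for at least min_names
    distinct names; a legitimate host only answers for its own name."""
    names = defaultdict(set)
    for responder, name, _querier in responses:
        names[responder].add(name.lower())
    return {ip for ip, n in names.items() if len(n) >= min_names}
```

Both checks are heuristics: tune the window and thresholds to the site's normal SMB and name-resolution traffic, and treat a host that trips both as a priority for isolation and investigation.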
Cristiana Brafman Kittner, senior analyst at FireEye, said APT28 had been perpetrating these kinds of attacks since the fall of 2016. Records on Google’s VirusTotal malware repository showed samples from the FireEye report were uploaded in July 2017, indicating it was only recently that the hotel attacks were detected. “We have also observed APT28 actively targeting European IT companies, in what could be indicative of potential new methods of compromise which would allow the actor to move downstream from the initial IT victim and infect other sectors of interest by proxy,” Kittner added. The same techniques had been put to use by a group associated with China, APT10, she said. “However, consistent with their previous operational practices, APT28 continues to focus on European government entities.”
She didn’t identify any of the individuals or hotels targeted. In previous attacks on hotel Wi-Fi networks, such as the DarkHotel incidents reported in 2014, high-profile individuals in the corporate world were the prize. More recently, security firm BitDefender claimed the same DarkHotel hackers were going after political targets.
The zero-day ‘conundrum’
Some have responded to the Shadow Brokers’ leak of the NSA’s zero-day vulnerabilities (weaknesses for which there was no patch) by claiming the U.S. government should not be hoarding such flaws as it can benefit malicious nation states or criminals like those behind WannaCry.
“Unfortunately when exploit code is weaponized and stockpiled, it increases the time window which systems will remain vulnerable. If the issue had been patched when it was identified then it may not have impacted as many versions of Microsoft Windows products and had less of an impact when leaked,” said Matthew Hickey, CEO of Hacker House, who previously analysed the Shadow Brokers files. “As these vulnerabilities can be stolen, re-purposed and re-used then governments who do so are gambling with the security of the public.”
But Professor Alan Woodward, a security expert from the University of Surrey in the U.K., said there’s a “conundrum” to consider. Such vulnerabilities can be used in offensive government campaigns for the safety of the country, Woodward said.
“If the public were to make demands of, say, the U.S. and U.K. governments that they disclose all vulnerabilities that they found, the public would be putting their countries at a severe disadvantage,” he added.
“You have to trust to their professionalism and judgement to know when to move from using zero-days as an offensive capability to defence. It’s never going to be black and white: the circumstances surrounding each situation will affect how it is handled.
“Part of the strategy in exposing such caches of exploits is to influence the public opinion to try to weaken the government agencies’ hands.”
More Info: www.forbes.com