IT Security Guru

Dark Hotel targets execs in hotels – industry views

by The Gurus
June 12, 2020
in Opinions & Analysis

Following four years' worth of research, Kaspersky Lab has revealed an espionage campaign that stole sensitive data from selected corporate executives travelling abroad.

Named “Darkhotel”, the campaign comprised both targeted attacks and botnet-style operations, and focused on C-level executives by hitting targets while they were staying in luxury hotels. The research found that once a target has connected to a hotel’s WiFi network, the attacker tricks the user into downloading a backdoor masquerading as legitimate software, infecting the device with the “Darkhotel” spying software.

Once on a system, the backdoor has been, and may be, used to download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module. These tools collect data about the system and the anti-malware software installed on it, steal all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer.

They also look for Gmail Notifier, Twitter, Facebook, Yahoo! and Google login credentials, as well as other private information. Is this a new threat, or should people be more careful about what they are connecting to outside of the office?
 
 
Kurt Baumgartner, principal security researcher at Kaspersky Lab
 
“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.
 
“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”
 
 
Chris Boyd, Malware Intelligence Analyst at Malwarebytes
 
“The Dark Hotel Malware is a good reminder that any hotel WiFi network is potentially unsafe, and should be treated with caution. Travellers should take the time to research ISPs in the regions they’re visiting and invest in WiFi datasticks.
 
“Remembering to make use of the corporate VPN wouldn’t go amiss, although anybody conducting business while on the road should be doing this anyway. If the primary threat is pop-ups asking potential victims to install fake Flash files, then perhaps the security teams for those companies should be spending more time educating their CEOs on the dangers of basic social engineering.”
 

Ian Pratt, co-founder at Bromium

“Even a VPN is unable to help protect against many of these attacks. Most WiFi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers’ hands, bringing the infection onto the enterprise network.

“I don’t think execs are getting enough security education, and they are typically some of the worst at following operational security advice they have been given. Worse, there are many examples of execs using their political clout to ask for IT restrictions that other employees face to be removed for themselves, without understanding the consequences. Everyone needs to understand the risk and the appropriate mitigations.”
 
 
Mark James, security specialist at ESET
 
“Often security procedures do not extend to executives who have the authority to say ‘no’ as it often causes inconvenience. It is imperative that these procedures are adhered to and even more so for execs as they have the most sought after data.
 
“Most companies have some kind of security education, but I am sure if you were to hold a poll most of those trainers would tell you the company executives are very rarely in the audience – yet they are the very targets that have the data worth stealing. Good user education is the very foundation of protecting your data – from the ‘newbie’ right through to the CEO – no one is above being taught how to protect you or your company’s data.”
 

Amichai Shulman, CTO Imperva
 
“The WiFi related attacks described in the report are actually more related to hotel internet access than anything else. When connecting to the internet from a hotel room (either wireless or wired) guests are usually first served pages from a hotel portal. These pages were infected by the attackers to deliver malware disguised as common software (Adobe reader, Flash player, etc.).
 
“Sophistication in this case is not attributed to the infection of the guest, but actually to being able to remain under the hotel IT security personnel radar for a long time (presumably, according to the report) and be able to target specific guests rather than a widespread infection. Hotel room internet connections have been considered generally insecure for many years, indicating that such attacks are not rare.”
 

 
Richard Cassidy, senior solutions architect at Alert Logic
 
“It is feasible to assume that the ‘internet portals’ at the affected locations are being compromised and in many cases, this portal may allow the hacker cell access to backend systems to gain more data on the users they need to target and in other cases to infect that portal with code to facilitate the attack and then delete all traces when successful.
 
“In this respect we are seeing a very sophisticated attack on the target networks by this cell, who have put a great deal of thought into what information they want, who they are targeting and how to write malware that provides the best chance of getting what they’re after.”
 
TK Keanini, CTO at Lancope
 
“This is a product of the fact that the business traveller today must remain connected to their business and that adversaries have found physical and logical ways to access your devices while you are travelling.
 
“It is not just the executives, but all international travelers must be aware of these threats both physical and logical. The likelihood of these events happening is even higher than any disease one might contract and we have preventative programs around those.”
 

Paul Pratley, head of investigations and incident response at MWR Infosecurity
 
“Attacks over WiFi are certainly becoming more common, however targeted attacks aimed at executives really only happen where the attacker knows the individual is going to be in a certain place at a particular time and of course, known to be connecting to the WiFi network. This may be the case for hotels that are frequented by a particular company, that for instance, is located near to a company HQ and have a standing agreement.
 
“Execs need a lot more education on the specific risks that are present in the use of untrusted networks of any type and be made aware of what it looks like when they are being tricked into making bad security decisions. Far too many IT security teams trust that their execs will know when something isn’t quite right, rather than showing them the signs of an attempted attack.”
 

Tags: attack, Executive, Hotel, Keylogger, Targeted, WiFi