Targeted Darkhotel Cyberattackers Use Poorly Protected Hotel Networks

The Darkhotel attack campaign uses zero-day exploits and spear phishing attacks to target senior level executives at a wide variety of organizations, but according to Kaspersky Lab, the group increasingly relies on an unusual tactic to infect hard to reach targets.

Darkhotel targets senior level executives and other key personnel by infecting their devices at the hotels they visit, leveraging a web of poorly protected hotel networks to spread their infection onto target laptops and other devices. CEOs, senior vice presidents, sales and marketing directors and their research-and-development staff have been caught in their crosshairs, Kaspersky Lab said in its report (.PDF) about the attack campaign issued today.

"These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region," Kaspersky Lab said. "This hotel network intrusion set provides the attackers with precise global scale access to high-value targets."

[Related: Microsoft Fixes Zero-Day Flaws Used In Targeted Attack Campaigns]

Sponsored post

Kaspersky Lab said the attack group is well funded and its tactics show signs that it may be using data gleaned from larger corporate data breaches. Victims have been identified in the United States, but Japan had the largest number of infections, followed by Taiwan, China, Russia and South Korea, Kaspersky Lab said. Victims of the attacks have been from electronics and automotive components manufacturers, pharmaceutical producers, defense industry sector firms and non-governmental organizations as well as law enforcement and military services, according to the security vendor.

"The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay," The Kaspersky researchers said in their report. "This paints a dark, dangerous web in which unsuspecting travelers can easily fall."

Solution providers told CRN that the attackers are taking advantage of the hospitality industry, which is plagued with security and configuration issues stemming from a lack of IT resources. About three quarters of incidents target point-of-sale systems, according to the annual Verizon Data Breach Investigations Report, which analyzed more than 63,000 global security incidents in 2013.

Attackers frequently target poorly configured remote access points and systems with weak and default passwords, said David Sockol, president and CEO of security consulting firm Emagined Security. Ongoing retail data breach and target attack campaign news has prompted greater interest in data security and increased the number of opportunities in the pipeline, Sockol said.

"Budgets are starting to be freed up for security projects," Sockol said. "These businesses don't necessarily want to adopt the bleeding edge security products, but they want better processes and a tightly integrated set of defenses."

The increased attention on advanced threats has driven interest in professional security services, driving growth among solution providers that provide incident response and penetration testing and risk assessments.

The Darkhotel attack campaign has been waged over the last five years but peaked in August 2010 and continued through 2013, according to the security vendor. Several attacks identified at hotel networks in 2014 are still under investigation.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," Kaspersky Lab said.

The group has used "highly advanced" Adobe Flash zero-day exploits that can bypass sandboxing and other security restrictions in Microsoft Windows and Adobe Systems, Kaspersky Lab said. Visitors to hotel networks are prompted to install software updates that typically contain the malware. Some of the attacks involved using embedded iFrames within hotel networks that redirected browser users to phony installers.

"While setting up the attack, the Darkhotel attackers knew the target’s expected arrival and departure times, room number and full name among other data. This data enables the attackers to present the malicious iFrame precisely to that individual target," Kaspersky Lab said in its report.

The attack group's tactics involve using weakly implemented digital certificates and stolen certs to make their malware appear as legitimate software. Once a backdoor is created, the goal is to keep it open for a lengthy period of time to spy on their targets and steal intellectual property and other data, Kaspersky Lab said. The group is sophisticated enough to pollute peer-to-peer networks and maintains flexible data encryption and attempts to cover its tracks on infected command and control servers it uses as a staging ground for its attacks.