Security Experts:

Feedback Friday: Executives Targeted in 'Darkhotel' Attacks - Industry Reactions

Kaspersky Lab recently analyzed the activities of a threat group that has been targeting executive business travelers in the Asia-Pacific region.

Feedback Friday: WireLurker Malware

The actors behind the cyber espionage campaign dubbed "Darkhotel" use various techniques to distribute their sophisticated pieces of malware, such as highly customized spear-phishing, malicious Wi-Fi networks, and P2P sharing websites.

The attackers, which appear to speak Korean, have been compromising the networks of luxury hotels for the past four or five years, attempting to trick chief executives, senior vice presidents, sales and marketing directors, and researchers into downloading a backdoor disguised as software updates. Some of the pieces of malware used in these attacks date back to 2007, Kaspersky said.

Thousands of Darkhotel victims have been spotted all over the world, but most of them appear to be located in Japan, Taiwan, China, Russia and Korea. 

Security experts shared their thoughts on this campaign and provided some important recommendations for executives who travel often and don't want sensitive corporate information to end up in the hands of cyber spies.

And the Feedback Begins...

Carl Wright, General Manager for TrapX Security:

"Organizations must understand that hackers are always looking for the path of least resistance. While enterprises today are generally doing a better job of securing their networks against intrusions from outsiders, they're falling short when it comes to securing devices outside the corporate network.


As a result of this and an ever-increasing mobile workforce, we're seeing hackers shifting their attention from attacking organizations head-on through their network and instead concentrate their efforts on individuals outside the corporate firewall. And what a better place to reach them than at the hotels they're staying at while they're on the road.


Executives must begin to treat every hotel, plane, bus, cab, cafe etc. as an extension of their corporate office and as such, they need to subject themselves to the same level of security and best practices imposed by their organization's IT teams. This includes not clicking on suspicious links and making sure their communications to corporate HQ are secured through a proper VPN tunnel."

Darkhotel Espionage campaigns targets users in hotels

Jack Daniel, Strategist at Tenable Network Security:

"Recent stories including the Darkhotel attacks have made it clear that travelers need to assess their information security risks and take reasonable precautions to protect their systems and information. As always, context is critical in deciding what is reasonable in your situation- for some travelers a little extra caution may be all that is needed, for others more aggressive actions such as dedicated (and possibly even disposable) hardware may be required.

A few universal basics can help everyone. Start with strong authentication, including using two-factor authentication everywhere possible and keeping your second factor devices (tokens, phones, cards, etc.) under your control at all times. Use VPNs any time you connect to any network not under your (or your organization¹s) control. Since different networks sometimes interfere with different VPN technologies it is a good idea to have more than one VPN endpoint to connect to, and ideally use more than one VPN technology (IPsec, SSL, etc.) to improve your chances of establishing a secure connection. Other fundamentals include taking no more information than you need for the trip, and limiting the systems and information you access while traveling.


Depending on the type and amount of technology you travel with, it may be best to simply keep all of your digital equipment with you at all times. For more advanced tips, such as the use of Wi-Fi firewalls, consult a trusted security professional."

Idan Tendler, Fortscale CEO:

"The DarkHotel malware is just more evidence of the troubling vulnerability of networks when it comes to phishing campaigns and credentials theft. It is one of the reasons that networks will need turn their focus internally and adopt a more aggressive approach to security that includes analyzing users.


If a user's behavior is thoroughly analyzed and profiled, an attacker could steal the user credentials but can't imitate his historic behavior, which can immediately trigger red flags to the security team for deeper investigation."

Jared DeMott, security researcher at Bromium:

"Wi-Fi attacks are a real threat, and not just in hotels. At most free Wi-Fi spots there is usually no guidance on secure connection: the user is left to figure it out, and hope it just works. Traveling business people typically are not technical experts either. So, using a device that prefers a VPN is helpful in preventing snooping once connected.  But, if initial connection pages attack with 0-day exploits, the browser is, as usual, a potential weak link without a way to isolate attacks.


I'd advise people to stay off Wi-Fi, in favor of a mobile hotspot. Understandably that can be difficult while in planes, or overseas where mobile devices may not function or be prohibitively expensive." 

Alex Cox, Senior Manager, RSA-FirstWatch:

"My advice to travelers wishing to stay secure is to opt for the "overly paranoid" approach.


When executives travel they should assume that any open wifi access point has the potential to be malicious, especially in "convenience" areas, where Internet access is provided as a service, probably without a lot of security forethought. They should consider using an Internet access service through a portable wifi device via a cellular network (a MiFi is a popular version). This gives the user a self-contained source of internet access that is for their use only, and this method of connectivity has proven to be one of the more secure as far as eavesdropping and manipulation. That said, it must be configured and used correctly.


If an executive is travelling in a high-risk area, they should consider that any time their device is out of their direct physical control (airport, hotel room, vehicle, etc.) it has the potential to be tampered with. With that in mind, the traveler should keep physical control of the device as much as possible. It's also a good idea for a high-risk traveler to bring a "clean" laptop and/or smartphone or tablet that doesn't involve any of their work outside of what is currently needed. While traveling users should have increased suspicion of update notifications, emails with attachments and unknown links, or the request to install "helper" apps in order to access something.


It's important to adopt an intelligence-focused mindset, to help understand the threat vectors and attackers that may be targeting the traveler."

John Dickson, Principal at The Denim Group:

"I think the pressure from clients, shareholders or deadlines puts executives in a situation where they rarely think twice about hopping on a hotel Wi-Fi to conduct business. Couple that with the trust in brands – executives would assume Hilton, Hyatt, and others provide information security in addition to physical security and a clean room – and you have a dangerous mix.


Connecting [to Wi-Fi] itself is not completely terrible, but users should VPN-in as soon as they connect to the network for both e-mail and browsing purposes. Also, they should make sure their laptops and mobile devices have the most recent software updates, to make their computing devices less vulnerable to known, often exploited vulnerabilities. The thing to remember is that most security issues occur when two things happens: (1.) A user-initiated action, like clicking on an attachment or link or visiting a site hosting malware; and (2.) a latent vulnerability exists on the computing devices from which the user is browsing.


This was a well thought-out attack, and like most great attacks, is less about the technology and more about exploiting a known trust mechanism, in this case the strength of hotel chains’ brands."

Oliver Tavakoli, CTO of Vectra Networks:

"There are two lessons that can be learned from the DarkHotel issue. The first is security architectures must be able to protect against attacks that exploit mobile users on guest Wi-Fi networks. The second is in the fast evolving threat landscape, "what the malware is doing" is more important than "what the malware is.


The BYOD Mobile Security Report published by the LinkedIn InfoSec Community revealed that exploits entering organizations via mobile devices is a top security concern in 2014. It is not possible to completely protect users from exploits when they travel and use public-access Wi-Fi networks at coffee shops or hotels. However, it is possible to detect the activities of an attacker who has breached the network perimeter through a traveling employee's laptop. In a targeted attack, the attacker will use the infected laptop to perform reconnaissance, spread laterally, acquire data, and ultimately exfiltrate it in as stealthy a manner as possible. Real-time breach detection uses machine learning to detect these behaviors among the chatter in the network, even when the exploit or malware "walks" into an organization on a user's laptop.

 

Just like there were multiple iterations of Conficker and the malware that was used to attack Target was "tweaked," there could one day be a "DarkHotel 2." Naming malware may satisfy a human need or assist in knowing whether the right detection signatures are deployed, but it is not relevant in advanced threat defense. Advanced threats, even when they start with simple tactics like spear phishing, are stealthy by nature and will use malware and C&C channels that slip past perimeter and endpoint security that use signatures and reputation lists. Detecting what the malware is doing will always have a higher likelihood - and multiple opportunities - of detecting a targeted attack than knowing what the malware is. Think of it this way, if you can name it, then it is no longer an advanced threat or a targeted attack. Ignoring the malware may only relegate you to being one of its first victims, and that is no fun."

Ian Amit, ZeroFOX Vice President:

"First things first – nothing is revolutionary about Darkhotel. It uses the same tactics that penetration testers have been using at red team engagements for years. The only surprise is that the attack was found, albeit with a delay of 7 years.

Darkhotel leverages publicly available information and past behaviors to predict where and when an executive is traveling. Having that information at hand is critical for launching a pinpoint attack, and in most cases can be derived from a simple social media search. Once the target is located, the attack comes via the hotel wireless network. As usual, the human factor plays a lead role in enabling such attacks, and unfortunately, most of the information needed can be found on social media.

When traveling, follow the rule "no changes allowed" – no updates, no downloads, no new software or hardware installations. This will prevent almost every malware attack. For the extremely security-conscious traveler, a freshly installed laptop and phone are recommended, both of which should be disposed of at the end of the trip."

Anup Ghosh, Founder and CEO, Invincea:

"The DarkHotel campaign sheds light on risks business travelers face when leaving the four walls of their enterprise networks. Business travelers need access to the Internet, of course, and the hotel networks is usually the gateway. Even if they are employing VPNs, the access point is the local hotel wireless net prior to being able to login via VPN. At this juncture, we have seen not only rogue Flash updates, but also drive-by exploits hosted on these hotel network pages that silently infect the traveller's machine.


This isn't confined to hotel networks, of course, as any public network with a network access login (coffee shops, airports) can be compromised accordingly. Airports would be particularly rich for business travelers and many incorporate advertising that can be subverted via third party ad networks.


Bottomline is business travelers need end point protection that stops targeted attacks and novel malware without requiring the corporate network."

Tal Klein, VP of Strategy for Adallom:

"Captive portals are basically dressed up Men-in-the-Middle. I don't particularly understand the hype around DarkHotel given that tools like Hak5's Pineapple have demonstrated the ease with which people can be compromised by trusting captive portals, especially in hotel settings. My advice: Invest in a mobile carrier Mi-Fi. Most hotel internet connections are unbearably slower and more expensive than a Mi-Fi anyway."

Ian Pratt, Co-founder & EVP, Products at Bromium:

"Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particular attractive as information about the user's name and the organization they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

 

A VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign-in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers hands, bringing the infection onto the enterprise network."

Paul Lipman, CEO of iSheriff:

"Darkhotel illustrates a fundamental hole in the typical approach to corporate cybersecurity. Organizations spend many millions of dollars to protect their networks against outside threats, investing in ever more sophisticated ways to defend their network infrastructure, applications, and data from attack. Despite all of this investment, roaming users are typically protected with nothing more than endpoint anti-virus, a technology that is woefully inadequate to protect against advanced persistent threats such as Darkhotel. Even worse, when an infected user later comes back into the office, any malware infection picked up “on the road” can instantly spider out across the network, multiplying the risk by orders of magnitude.

 

A cloud-based Web security solution provides a persistent layer of protection for roaming users, wherever or however they are connecting to the Internet. These services are constantly updated to cover the latest advanced threats, identifying them in the cloud in real-time, and blocking them before they can ever reach an end user’s device. In the case of Darkhotel, a user connecting through a cloud security layer would be fully protected through a “secure tunnel” from the device to the cloud security provider."

Chris Messer, vice president of technology at Coretelligent:

"DarkHotel is a moderate threat for unsuspecting and non-technical users, and for users and organizations that have lax security safeguards present on traveling employee or executive devices.

 

This type of attack requires the potential victim to download a compromised update such as Adobe Flash or Google Toolbar from a compromised link or pop-up browser window. The user is then tricked into installing these updates as the attacker uses bogus digital certificates to "sign & validate" the compromised software to lead the user to believe they came from a trusted source. This compromised application then installs additional malicious software (Trojan, keylogger, etc.) on the victim's machine, and then allows the attacker to track and collect data from their machine at will.

 

The good news is that this type of attack can be prevented if users follow good security practices and have reasonable security software and precautions put in place by IT:

 

• Individuals should avoid hotel wired and wireless Internet services all together, and instead rely on a company-provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel's wired or wireless Internet, they should avoid performing any system administrative tasks or updates.

 

• Users should only transact business over a secure VPN connection and HTTPS secured sites. They should avoid sensitive sites such as banking sites for the duration of the hotel stay, if at all possible.

 

Users should never click on any advertisements via the hotel Wi-Fi, and after logging into the wireless, make it a point to close and re-open their browsers to avoid re-using a questionable session.

 

• Individuals should ensure that they have a robust antivirus suite installed on their machine that has some sort of web filtering component. 

 Feel free to add your thoughts in the comments below, and until Next Friday...Have a Great Weekend!

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.