Security Week 49: hacking hotel infrastructure

On November 28, Kaspersky Lab experts published an interesting study on systematic attacks on computers in hotels. There are more than 20 confirmed victims of the campaign, potential – more than a thousand. The investigated attacks are likely to lead two different groups with slight differences in the tools used. Most of the affected hotels are located in Brazil, but hotels with infected infrastructure are also seen in France, Portugal, Italy and other countries.

The study shows the extreme vulnerability of hotel infrastructure: attackers used far from new vulnerabilities in office software and successfully applied social engineering methods. The latter are especially dangerous, since in hotels it is normal to receive and process payment documents from unknown companies, and it is not difficult to force personnel to open an infected document.

In particular, one of the groups used the vulnerability CVE-2017-0199, which allowed arbitrary code to be executed when opening a document both in Microsoft Office (versions 2007–2016) and in the regular Wordpad editor. Using scripts on PowerShell and Visual Basic, the attackers downloaded computer monitoring software, usually a customized version of common malware, in particular RevengeRAT.

In the screenshot above is an example of a phishing email. It is issued on the highest level: it is sent from the domain, one letter different from the real one, on behalf of the real company, with believable attachments. This is what a request for reservation of numbers from a legal entity should look like. When opening an attached MS Word document, the script is run:

This script pulls already the main malware. The customization of computer tracking trojans is mainly aimed at intercepting client credit card numbers. Screenshots of the screen are created at the right moments – when you visit the page with payment information on online platforms:

… and when calling a dialog to send data to the printer. The hotel manager’s infected computer or attacked workstations at the reception will cause your personal and payment data to be sent not only to the hotel’s archive, but also to intruders – in almost real time mode.

This is how a group called RevengeHotels works, and their competitors, known as ProCC, use code similar to the one in the screenshot above to intercept information from the clipboard. The stolen data then goes to the black market – both in the form of a set of tools for accessing an already infected infrastructure, and in the form of credit card numbers, and the high quality of the latter is especially indicated.

According to statistics from the Bit.ly website, whose abbreviated URLs are used in attacks, infected links (sent pointwise) were clicked one and a half thousand times, so the real list of victims can be wider. Protection against such attacks comes down to traditional tips: regular software updates, special control over the machines on which private data is processed, and the like. Alas, for hotels this means additional costs for the service and training of employees.

But experts at Kaspersky Lab recommend that customers use one-time payment methods: this is the only way to protect yourself from theft of funds after visiting a "infected" hotel. An alternative solution may be (unexpectedly) using payment via a smartphone (where temporary payment details are generated) and payment using payment systems that require additional authorization and do not transmit a credit card number.

RESEARCH: at least 20 hotels in LatAm, Europe & Asia targeted in #cyberattack. Infecting hotel desks, cybercriminals retain remote access to the devices, steal, resell hotel guests' credit card data. Even data provided to #OTA is not safe ⇒ https://t.co/Pif3JMh59G #RevengeHotels pic.twitter.com/2hCI89kCGB
– Eugene Kaspersky (@e_kaspersky) November 28, 2019

What else happened:
Payment plugins for Magento websites are often attacked by cybercriminals to steal credit card numbers. This time, the Magento platform site itself was hacked, personal data of users, including physical addresses, was stolen.

Another Kaspersky Lab study closed a dangerous bug in ABB industrial relay protection systems. If you have remote access to the device, it is possible to bypass authorization systems and gain full control.

Another bug was found and fixed in Whatsapp with the possibility of remote operation and access to correspondence. Present in a third-party open source library. According to Trend Micro, the same library is used in more than three thousand other Android applications. In more detail, with code examples and demonstration, the bug is described here.

Kaspersky Lab has published a detailed analysis of spam notifications in browsers – those that are easy to click on and hard to unsubscribe from. The company's experts recommend that you turn off subscription to notifications at all.

The creators of the uBlock Origin ad blocker talked about a new method for bypassing third-party script blocking, which has recently been used in Firefox and Chrome browsers.