C-level Execs Targeted by Spyware Over Hotel Wi-Fi

High-ranking professionals from a range of industries are being infected with malware when they log on to hotel Wi-Fi networks, research from Kaspersky has found. Dubbed ‘Darkhotel’, the APT campaign targeting C-level executives and other senior officials is mostly active in Asia, where 90% of infections have occurred. Based on offensive activity dating back at least as far as 2008, Kaspersky believes infections number in the thousands.

Darkhotel works by spear-phishing targets with a Trojan that poses as a legitimate software update, such as Adobe Flash or Google Toolbar. Once the victim authorizes the bogus update, the attackers can record and collect sensitive data from the connected device through a backdoor.

The research suggests that individual victims are being specifically targeted by Darkhotel.

“This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lie in wait until these travelers arrive and connect to the Internet,” the report states.

Attempts to trace the source of Darkhotel attacks have proved difficult. Kaspersky Lab honeypot machines failed to attract Darkhotel malware when deployed. In addition, once machines have been infected, the actors delete tools from the hotel network staging point, enabling them to remain hidden.

Security professionals have responded to this incident with a number of suggested solutions. Mark James, ESET security specialist, cautioned that: “Often security procedures do not extend to executives who have the authority to say ‘no’, as it often causes inconvenience. It is imperative that these procedures are adhered to, and even more so for execs, as they have the most sought-after data.”

Meanwhile, responding to suggestions that VPNs may present a solution to attacks of this kind, Bromium’s Ian Pratt said: “Even a VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers’ hands, bringing the infection onto the enterprise network.”
