DarkHotel malware attacks target poorly secured networks, especially in hotels

DarkHotel's strategy is primitive but powerful, seeking out highly placed corporate users via vulnerable public networks.

The DarkHotel cyberespionage campaign making headlines now is not your typical advanced persistent threat (APT). According to a report released by Kaspersky Lab, a couple of key elements make DarkHotel unique among cyberespionage threats.

First, DarkHotel doesn't appear to be aimed at nation-states, or government agencies or officials. Instead, DarkHotel specifically targets high-profile business executives: CEOs, senior vice presidents, sales and marketing directors, and top research & development staff. In other words, it's designed more for corporate espionage than state secrets.

The second unique aspect of the DarkHotel attacks is that they're not that sophisticated. The Kaspersky Lab report does describe some advanced characteristics, but for the most part the attacks rely on poor security practices while connecting to public Wi-Fi networks in hotels.

The Kaspersky Lab report explains, "This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics." Kaspersky also states that the attacks are stealing and re-using legitimate digital certificates to sign the malicious code so it appears legitimate.

Kaspersky researchers visited some of the hotels where DarkHotel infections have occurred, but they did not attract DarkHotel attacks. This indicates that the attacks are not random, but instead target specific individuals.

According to the Kaspersky report, "About 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, partly because of the group's indiscriminate spread of malware. Overall, since 2008, the infection count numbers in the thousands."

DarkHotel exploits known weaknesses

Ultimately, though, the Achilles heel that allows DarkHotel to succeed is the poor security model of hotel networks. Kevin Epstein, VP of Advanced Security and Governance for Proofpoint, explained, "This attack is effectively a variant on a classic phishing attack--when you connect to a public network (or email, or bank account) you're prompted in your browser to enter credential information. Attackers put a fake page or fake download in your way--and too often, users unthinkingly accept the download and/or enter the credential information."

"This type of attack isn't anything new," stressed Luke Klink, Security Strategy Program Consultant with Rook Security. "Hotels provide a greater chance of success against targets through networks that are often poorly secured. This is a process and education issue, not just a technical issue."

VPN is often cited as a solution for insecure hotel networks. However, in order to establish and use a VPN connection, you first have to connect to the wired or Wi-Fi network provided by the hotel--and that is where this attack occurs. Amichai Shulman, CTO of Imperva, suggests, "Sophistication in this case is not attributed to the infection of the guest but actually to being able to remain under the hotel IT security personnel's radar for a long time (presumably, according to the report) and be able to target specific guests rather than a widespread infection. Hotel room Internet connections have been considered generally insecure for many years, indicating that such attacks are not rare."

Epstein summed up the threat, "This is at least as much social engineering as technical in nature. One can imagine that even a seasoned traveler, under stress and lacking in sleep, might click once on a well-disguised attack... and it only takes once."

Chris Messer, vice president of technology at Coretelligent, offers this advice for business travelers: "Individuals should avoid hotel wired and wireless Internet services altogether, and instead rely on a company-provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel's wired or wireless Internet, they should avoid performing any system administrative tasks or updates (Windows Updates, browser or plugin updates, etc.)."

Connecting to your own separate network removes the opportunity for attackers to dupe you with fake login pages, and it prevents your network traffic from being exposed to everyone else connected to the hotel network.
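The advice above boils down to treating the hotel network as untrusted until you have checked that nothing is sitting between you and the Internet. The script below is an added example written for this page; it is not code from the article, from Kaspersky Lab, or from any of the quoted vendors. It performs the same kind of connectivity probe that operating systems use to detect captive portals: fetch a known URL whose correct answer is fixed (an empty 204), without following redirects, and treat any redirect, injected HTML, or login-looking page as a sign that the network is interposing something. The probe URL is a hypothetical placeholder, and the sample responses in the `__main__` block are constructed for illustration.

```python
"""Captive-portal / interception probe for untrusted (e.g. hotel) networks.

Added example, not from the CSO article or the Kaspersky report.
Assumption: PROBE_URL is a hypothetical endpoint that a trusted server
answers with an empty HTTP 204. Anything else means something on the
path (captive portal, fake login page, injected download) altered it.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field

PROBE_URL = "http://connectivity-check.example.invalid/generate_204"  # placeholder


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a redirect is the signal we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url=PROBE_URL, timeout=5):
    """Fetch the probe URL and return the raw response, redirects included."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return ProbeResponse(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return ProbeResponse(e.code, dict(e.headers), e.read())


def looks_like_login(body):
    """Heuristic: HTML that asks for credentials (fake portal / login page)."""
    text = body.lower()
    return b"<form" in text and (b"password" in text or b"login" in text)


def classify(resp):
    """Map a probe response to one of: clean, redirected, page_injected, unexpected."""
    if resp.status == 204 and not resp.body:
        return "clean"
    if 300 <= resp.status < 400:
        return "redirected"  # classic captive portal or a forced 'login' page
    ctype = {k.lower(): v for k, v in resp.headers.items()}.get("content-type", "")
    if resp.status == 200 and ("text/html" in ctype or b"<html" in resp.body.lower()):
        return "page_injected"  # a 204 became an HTML page: something is in the path
    return "unexpected"


def network_is_trusted(resp):
    """Only a pristine 204 clears the network for VPN setup, updates, or logins."""
    return classify(resp) == "clean"


if __name__ == "__main__":
    # Constructed sample responses, standing in for a live fetch.
    samples = {
        "clean hotspot": ProbeResponse(204),
        "hotel portal": ProbeResponse(302, {"Location": "http://portal.hotel.invalid/"}),
        "fake login": ProbeResponse(200, {"Content-Type": "text/html"},
                                    b"<html><form><input type=password></form></html>"),
    }
    for name, resp in samples.items():
        verdict = classify(resp)
        extra = " (asks for credentials)" if looks_like_login(resp.body) else ""
        print(f"{name:14s}: {verdict}{extra}; trusted={network_is_trusted(resp)}")
```

Run it on a real network by replacing the sample dictionary with `classify(http_fetch())`; a "redirected" or "page_injected" verdict is exactly the moment the article warns about, when a user is tempted to accept a download or type credentials into whatever page appeared, so the sensible response is to stop, use a personal hotspot, or bring the VPN up only after the probe returns clean.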

Stories by Tony Bradley