The DarkHotel cyberespionage campaign making headlines now is not your typical advanced persistent threat (APT). According to a report released by Kaspersky Lab, a couple of key elements make DarkHotel unique among cyberespionage threats.
First, DarkHotel doesn't appear to be aimed at nation-states, or government agencies or officials. Instead, DarkHotel specifically targets high-profile business executives: CEOs, senior vice presidents, sales and marketing directors, and top research & development staff. In other words, it's designed more for corporate espionage than state secrets.
The second unique aspect of the DarkHotel attacks is that they're not that sophisticated. The Kaspersky Lab report reveals advanced characteristics, but for the most part the attacks rely on poor security practices while connecting to public Wi-Fi networks in hotels.
The Kaspersky Lab report explains, "This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics." Kaspersky also states that the attacks are stealing and re-using legitimate digital certificates to sign the malicious code so it appears legitimate.
Kaspersky researchers visited some of the hotels where DarkHotel infections have occurred, but they did not attract DarkHotel attacks. This indicates that the attacks are not random, but instead target specific individuals.
According to the Kaspersky report, "About 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, partly because of the group's indiscriminate spread of malware. Overall, since 2008, the infection count numbers in the thousands."
DarkHotel exploits known weaknesses
Ultimately, though, the Achilles heel that allows DarkHotel to succeed is the poor security model of hotel networks. Kevin Epstein, VP of Advanced Security and Governance for Proofpoint, explained, "This attack is effectively a variant on a classic phishing attack--when you connect to a public network (or email, or bank account) you're prompted in your browser to enter credential information. Attackers put a fake page or fake download in your way--and too often, users unthinkingly accept the download and/or enter the credential information."
"This type of attack isn't anything new," stressed Luke Klink, Security Strategy Program Consultant with Rook Security. "Hotels provide a greater chance of success against targets through networks that are often poorly secured. This is a process and education issue, not just a technical issue."
VPN is often cited as a solution for insecure hotel networks. However, in order to establish and use a VPN connection, you first have to connect to the wired or Wi-Fi network provided by the hotel--and that is where this attack occurs. Amichai Shulman, CTO of Imperva, suggests, "Sophistication in this case is not attributed to the infection of the guest but actually to being able to remain under the hotel IT security personnel's radar for a long time (presumably, according to the report) and be able to target specific guests rather than a widespread infection. Hotel room Internet connections have been considered generally insecure for many years, indicating that such attacks are not rare."
Epstein summed up the threat, "This is at least as much social engineering as technical in nature. One can imagine that even a seasoned traveler, under stress and lacking in sleep, might click once on a well-disguised attack... and it only takes once."
Chris Messer, vice president of technology at Coretelligent, offers this advice for business travelers: "Individuals should avoid hotel wired and wireless Internet services all together, and instead rely on a company provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel's wired or wireless Internet, they should avoid performing any system administrative tasks or updates (Windows Updates, Browser or plugin updates, etc.)."
Connecting to your own separate network removes the opportunity for attackers to dupe you with fake login pages, and it prevents your network traffic from being exposed to everyone else connected to the hotel network.