Fancy Bear bites hotel networks as EternalBlue mystery deepens

The infamous EternalBlue exploit that fuelled the WannaCry and NotPetya attacks earlier this summer has been spotted being used as part of a campaign targeting European hotel visitors.

As an exploit said to have been leaked from the NSA, EternalBlue’s reappearance would be story enough on its own. The fact that infamous Russian hacking group known as Fancy Bear has been said to be behind the attack gives the tale added spice.

The attack itself is basically an attempt to gain persistence on hotel networks, presumably for the purposes of carrying out surveillance on the high-value guests using them.

It’s textbook APT28, aka Fancy Bear, from the use of a boobytrapped Word documents sent to hotels as a way of spreading the group’s favourite Gamefish malware to the way EternalBlue is wielded to spread via unsecured SMB.

One unusual element is NetBIOS Name Service poisoning using the open source Responder tool, which allows the attackers to respond and spoof NBT-NS broadcasts from WINS (Windows Internet Name Service) servers.

Because this is a legacy service, removed from Windows as of Server 2012 R2, this suggests the attackers have knowledge of the unsurprising fact that hotels are using old software.

Hotel networks are not a new interest for hacking groups, as the unconnected 2014 “Darkhotel” attacks, which targeted CEOs, underlines.

From Fancy Bear’s perspective, Eternal Blue is being used here as a means to an end, and one that has clearly had some success.

We’ve covered the group (aka APT28, Sofacy, Strontium) on numerous occasions, usually in connection with attacks alleged to be the work of the Russian state.

A few weeks ago, it emerged that, without mentioning it, in 2016 Microsoft started legal proceedings to seize 70 domains used by the group in an effort to curtail its phishing campaigns.

Coincidentally (or not), in mid March, the company patched the vulnerability exploited by EternalBlue, MS17-010, weeks before a group called the Shadow Brokers made it public. How did Microsoft know about it? Speculation pointed to the possibility that it had been tipped off by the NSA which knew attacks with its leaked tools were likely.

The company’s president and chief legal officer Brad Smith later very pointedly described WannaCry as “yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.

EternalBlue, Fancy Bear, Shadow Brokers: joining the dots here is like unravelling the plot “MacGuffins” made famous by film director Alfred Hitchcock, where the audience thinks it knows what’s important in a story when in fact it’s being craftily misled.

Not knowing what’s going on can be confusing but also pleasurable, as long as everything is explained at the end. It’s where that end will actually end that remains the disconcerting bit.