
Business execs staying in ‘Darkhotels’ fall prey to an elite spying crew

For at least the past four years, a “Darkhotel” espionage campaign has been lurking in the shadows stealing sensitive data from selected corporate executives staying in luxury hotels, according to Kaspersky Lab’s Global Research and Analysis Team.

The “Darkhotel” crew never goes after the same target twice. They perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual.

The most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff have all been targeted.

Who will be next? This threat actor is still active, Kaspersky Lab warns.


How the hotel attack works

The Darkhotel actor maintains an effective intrusion set on hotel networks, providing ample access over the years, even to systems that were believed to be private and secure.

They wait until, after check-in, the victim connects to the hotel Wi-Fi network, submitting his room number and surname at the login.

The attackers see him in the compromised network and trick him into downloading and installing a backdoor that pretends to be an update for legitimate software – Google Toolbar, Adobe Flash or Windows Messenger.

The unsuspecting executive downloads this hotel “welcome package”, only to infect his machine with a backdoor, Darkhotel’s spying software.


Once on a system, the backdoor has been used, and can be used again, to download more advanced stealing tools: a digitally signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module.

These tools collect data about the system and the anti-malware software installed on it, log all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer, login credentials for Gmail Notifier, Twitter, Facebook, Yahoo! and Google, and other private information.

Victims lose sensitive information – likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.

Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab said “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

However, Darkhotel malicious activity can be inconsistent: it is indiscriminate in its spread of malware alongside its highly targeted attacks. Read more about these specific malware delivery vectors here.


“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” Baumgartner added.

How to outsmart Darkhotel’s tricks

When traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous.

The Darkhotel case illustrates an evolving attack vector: individuals who possess valuable information can easily fall victim to Darkhotel itself, as it is still active, or to something similar to a Darkhotel attack.

To prevent this, Kaspersky Lab has the following tips:


1. Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.

2. When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.

3. Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.
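Tip 2 is the one a traveller can actually act on at the laptop, and the article notes that Darkhotel's own keylogger was digitally signed, so "is it signed?" is not enough: the question is "is it signed by the vendor whose update it claims to be?". The following PowerShell function is an added example, not from the article or Kaspersky Lab; the installer path and the expected signer name patterns are placeholders the caller supplies.

```powershell
# Added example: accept an "update" installer only if its Authenticode signature
# is valid AND the signing certificate belongs to the expected vendor.
# Assumptions: $Path and $ExpectedSignerPatterns are supplied by the caller; the
# vendor patterns used in the usage call below are illustrative placeholders.
function Test-UpdateSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedSignerPatterns
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Anything other than Valid covers unsigned, tampered (hash mismatch),
    # untrusted root and unsupported formats: reject all of them.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'REJECT'
            Reason = "signature status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # A valid signature from the wrong party is exactly the Darkhotel pattern,
    # so compare the signer's certificate subject against the expected vendor.
    $subject = $sig.SignerCertificate.Subject
    $match   = $ExpectedSignerPatterns | Where-Object { $subject -like $_ }

    if (-not $match) {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'REJECT'
            Reason = "valid signature but unexpected signer: $subject"
        }
    }

    [pscustomobject]@{
        Path = $Path; Verdict = 'ACCEPT'
        Reason = "signed by $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
    }
}

# Usage (placeholders): the subject patterns should be taken from a known-good
# installer downloaded directly from the vendor's own site, not from the hotel network.
Test-UpdateSigner -Path "$env:USERPROFILE\Downloads\flash_update.exe" `
    -ExpectedSignerPatterns @('CN=Adobe*')
```

Compare the thumbprint in the ACCEPT reason with the one on a copy of the same installer obtained from the vendor; a different thumbprint behind the same subject name deserves a second look.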
