Monday, November 10, 2014

Darkhotel Malware Targets Travellers via Hotel WiFi


I can't remember where I heard or read this tale recently, but someone was using hotel wi-fi recently and discovered he had access to someone else's computer. I suspect it's unrelated to Darkhotel, but Darkhotel might exploit the same vulnerability.

Here's the story from Wired.

Commenting on the attacks, Ian Pratt, co-founder at Bromium, said:

"Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particularly attractive as information about the user's name and the organisation they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

"Even a VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network.

"I don't think execs are getting enough security education, and they are typically some of the worst at following operational security advice they have been given. Worse, there are many examples of execs using their political clout to ask for IT restrictions that other employees face to be removed for themselves, without understanding the consequences. Everyone needs to understand the risk and the appropriate mitigations."