Hackers Using Hotel Wi-Fi to Spy on Guests

This week, Alert Logic highlights TrickBot targeting HSBC and how hackers are using hotel Wi-Fi to spy on guests. Read the full report to learn more and get access to the week's top malicious IP addresses.

Malware

Hackers are Using Hotel Wi-Fi to Spy on Guests

The DarkHotel hacking group has returned, but this time they're focusing on a different target, using a new strain of Inexsmar malware. The so-called 'DarkHotel' group has been active for over a decade, with a signature brand of cybercrime that targets business travelers with malware attacks, using the Wi-Fi in luxury hotels across the globe.

The actors behind DarkHotel have changed tactics again, using a new form of malware known as Inexsmar to attack political targets. Researchers have linked the Inexsmar campaign to DarkHotel because of similarities with payloads delivered by previous campaigns.

References: Hackers are Attacking Wi-Fi of Hotel with a Particular Evil Malware | DarkHotel Perfects a New Attack Gambit for Political Targets | DarkHotel Hackers are Going After Political Targets Instead of CEOs with New Inexsmar Malware

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition.
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Email filtering would scan incoming files and hyperlinks for malicious links or code.
  • Log management could detect any suspicious user account activity.

Breach

TrickBot Targeting HSBC

HSBC, a British–Hong Kong multinational banking and financial services holding company, is the target of a malspam campaign spreading the TrickBot banking Trojan. An email with the subject "Account secure documents" pretends to come from HSBC but actually comes from a look-alike domain.

Malicious actors are sending these spoofed emails from various registered domains that look like genuine bank domains. The subjects are designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening. The email attachment contains either a macro script or an embedded OLE object that will infect your device.

References: Spoofed HSBC Account Secure Documents Malspam Delivers Trickbot | TrickBot Focuses on Wealth Management Services from Its Dyre Core

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition.
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Email filtering would scan incoming files and hyperlinks for malicious links or code.
  • Log management could detect any suspicious user account activity.
  • Web filtering would prevent users from clicking on malicious websites.
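
As an added illustration of the email filtering item above (this is not Alert Logic's code), the sketch below flags a message whose sender domain imitates a protected bank domain and which carries an Office attachment of the kind that can hold a macro or OLE object. The genuine domain `hsbc.com`, the brand token, the extension list, the distance threshold and the sample message are assumptions constructed for this example.

```python
import email
from email.utils import parseaddr

# Assumed for this example: genuine domain, brand token, risky extensions.
GENUINE_DOMAINS = {"hsbc.com"}
BRAND_TOKENS = {"hsbc"}
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".rtf")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when a domain imitates a genuine one without being it or a subdomain."""
    domain = domain.lower().rstrip(".")
    for good in GENUINE_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return False
    if any(tok in domain for tok in BRAND_TOKENS):
        return True
    return any(edit_distance(domain, good) <= 2 for good in GENUINE_DOMAINS)

def triage(raw_message):
    """Return the reasons a message deserves quarantine (empty list = none)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if domain and is_lookalike(domain):
        reasons.append("lookalike-sender:" + domain)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("office-attachment:" + name)
    return reasons

# Constructed sample message (reserved .example domain, placeholder body).
SAMPLE = ("From: HSBC <secure@hsbc-docs.example>\nSubject: Account secure documents\n"
          'Content-Disposition: attachment; filename="AccountDocuments.doc"\n\nAAAA\n')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A distance threshold of 2 also matches unrelated short domains, so in practice the result would feed a quarantine or review queue rather than an outright block.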

This Week's Suspicious IP Addresses

60.10.253.62 218.65.30.251
208.105.123.108 24.41.255.142
199.36.196.28 96.234.33.32

*IP addresses provided by Recorded Future.