APT28 Uses Spear Phishing and NSA EternalBlue Exploit To Attack Hotel Wi-Fi


Russian APT28 (aka the Fancy Bear hacking group) is harnessing EternalBlue, the NSA's Windows SMB exploit that made the WannaCry ransomware and Petya so effective, and is using it to spread laterally in cyber attacks against hotels in Europe. Wait for the same thing to happen in the U.S. (By the way, did you apply the MS17-010 patch yet?)

Researchers at FireEye posted that they uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July. Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware.

As soon as GAMEFISH is successfully installed, it takes advantage of EternalBlue to worm its way into the network and compromises personal computers used for controlling both guest and internal Wi-Fi networks. Once in control of these machines, the malware deploys the open source Responder tool, allowing it to steal any credentials sent over the wireless network.
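Because the spread described above runs over SMB (TCP 445), a workstation that suddenly opens SMB connections to many internal peers is a useful detection signal. The sketch below is an added example, not code from FireEye's report or this post; the flow-record format, addresses, time window and threshold are constructed assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # SMB over TCP, the service EternalBlue targets
# Constructed flow records (timestamp, source, destination, dest port).
SAMPLE_FLOWS = """\
2017-07-10T09:00:01 10.0.5.23 10.0.5.10 445
2017-07-10T09:00:03 10.0.5.23 10.0.5.11 445
2017-07-10T09:00:04 10.0.5.23 10.0.5.12 445
2017-07-10T09:00:06 10.0.5.23 10.0.5.13 445
2017-07-10T09:00:09 10.0.5.23 10.0.5.14 445
2017-07-10T09:00:05 10.0.5.23 10.0.9.9 443
2017-07-10T09:01:00 10.0.5.40 10.0.5.2 445
2017-07-10T09:03:00 10.0.5.40 10.0.5.3 445
2017-07-10T09:00:00 10.0.5.50 10.0.5.10 445
2017-07-10T11:00:00 10.0.5.50 10.0.5.11 445
2017-07-10T13:00:00 10.0.5.50 10.0.5.12 445
2017-07-10T15:00:00 10.0.5.50 10.0.5.13 445
truncated line
"""

def parse_flows(text):
    """Yield (time, src, dst, port); skip malformed lines instead of failing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout(flows, window=timedelta(minutes=5), threshold=4):
    """Return {source: peak distinct SMB peers in one window} at or over threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts
```

On the constructed sample, only 10.0.5.23 is flagged: 10.0.5.50 reaches four peers too, but spread over six hours, so it stays under the five-minute window.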

"This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version," Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet. FireEye warns that publicly accessible Wi-Fi networks present a significant threat and "should be avoided when possible".

With the public release of the EternalBlue exploit, it's not surprising that hacking groups are looking to harness that and other Vault7 leaks for their own gain. It's an epic fail that the American intelligence community lost control of this toolkit and let the genie out of the box.


For C-level execs who need to do a lot of travel, I recommend an iPad Pro with its own cell-phone number, using a VPN to connect to any remote servers. I would tell them to avoid Wi-Fi on the road altogether. Also, never run any software updates while traveling. I have successfully used this setup for a few years now.

Phish Your Users With Office Document Attachments That Have Macros

It's a must these days to send all employees simulated phishing attacks with Office attachments that have macros and see if they open that document and click on "Enable Editing". If they do, that means a social engineering failure and they need to get some remedial training immediately. Also, give them access to the KnowBe4 free Phish Alert Button so that they can forward phishy emails to your Incident Response team.

Free Phish Alert Button

When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4's free Phish Alert Button to your employees' desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.



Topics: Spear Phishing
