RevengeHotels: Cybercrime Targeting Hotel Front Desks Worldwide (Nov 28, 2019)
A cybercrime campaign named “RevengeHotels” has been targeting hospitality and tourism companies, hotels and hostels, with the majority of its operations focused on Brazil. Other targets include Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The threat actors involved have used well-worded emails with Word, Excel or PDF files attached. Some samples from the campaign use the zero-day exploit “CVE-2017-0199”, which allows malicious VB scripts to be run on a user's system. The operators' goal is to collect credit card data from guests and travellers using these hotels or hostels. They do this by infecting the front desk machines of these hotels or hostels to capture credentials from the unpatched administration software in use. In some cases, the threat actors sell these credentials to give other actors remote access to these systems so they can carry out their own malicious campaigns.
Recommendation: Spearphishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes an email account at the target company is compromised and used to send such emails. Education is the best defense: inform your employees about what to expect from information requests made by their managers and colleagues. Employees should also know whom to contact when they suspect they are the target of a spearphishing attack or receive potentially malicious attachments.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.