Thursday, February 6, 2025

Hackers Exploit Zero-Day Flaw in Software Used by Resorts and Hotels


In the evolving hospitality industry landscape, where vacation rental software has transitioned from luxury to necessity, a growing concern emerges regarding cybersecurity. 

This software, while primarily simplifying booking, guest interactions, and property management, stores sensitive data such as credit card information, guest preferences, and communications. 

This treasure trove of data has become an attractive target for cybercriminals seeking financial gain or unauthorized access.

Of particular interest to financially motivated hackers is credit card information, accounting for a significant 41% of breaches in the hospitality sector, as reported by the Verizon Data Breach Investigations Report. 

The sheer volume of transactions in this industry, combined with integrated payment gateways, makes it an attractive and potentially lucrative target.

Financially Motivated Attacks

The attackers possess an intimate understanding of the software’s inner workings. These threat actors invest significant effort and resources in developing specialized tools to exploit vulnerabilities within these systems, aiming for a consistent, illicit income stream.

Large hotel networks and travel search engines have substantial resources to implement robust security measures, even though recent breaches have demonstrated their vulnerabilities. 

However, smaller hotels and resorts face an even greater challenge. Developing custom software is costly and time-consuming, prompting many to opt for third-party solutions from trusted providers. 

Yet, this reliance introduces a new vulnerability: the supply chain.

A recent breach targeted a small resort in the United States that had adopted the IRM Next Generation (“IRM-NG”) online booking engine, a product by Resort Data Processing, Inc.

Bitdefender Labs’ investigation uncovered a collection of vulnerabilities within this software. 

Moreover, the attack was supported by tailor-made malware designed to seamlessly integrate with the software’s architecture, emphasizing the threat actor’s intricate understanding of the software’s internal workings and their capacity to exploit it for extracting sensitive information.

Despite Bitdefender Labs’ diligent efforts to report these vulnerabilities to Resort Data Processing since May 2023, their attempts to establish communication remained unanswered. 

This led to Common Vulnerabilities and Exposures (CVE) identifiers being assigned to the identified vulnerabilities in the management software, reflecting the severity of the situation.

The attack, which commenced in the summer of 2022, used detection-evasion techniques such as timestomping, in which the attackers manipulated file timestamps to obscure their activities.

The primary objective of the attack was financial gain and the illicit acquisition of personal information.

Custom Malware in Action

Although the specific threat actor group could not be definitively identified, the attack targeted an undisclosed vulnerability within the booking engine, enabling the threat actor to upload malicious files and execute them within the ASP.NET framework. 

Custom tools and malware were employed throughout the attack, and signs of prior knowledge of the system were evident.
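The two footholds the article describes, files dropped into the ASP.NET application and timestamps rewritten to hide them, can both be hunted for from an NTFS timeline. The following script is an added example, not code from the article, from Bitdefender Labs or from Resort Data Processing. It runs over a constructed MFT-style export (the paths, dates and the `img` directory name are invented for the demonstration) and applies three defender heuristics: a $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time, $STANDARD_INFORMATION times with all-zero sub-second digits, and a server-side executable extension sitting in a directory meant for static content. The extension list assumes a default IIS handler mapping and the static-only directory names are assumptions; both should be tuned to the server in question.

```python
"""Hunt for timestomped and out-of-place files in an IIS web root.

Heuristics, applied per record of an MFT-derived timeline:
  1. $STANDARD_INFORMATION (SI) created time earlier than $FILE_NAME (FN)
     created time. SI is what ordinary Win32 APIs can rewrite; FN is only
     set by the kernel on create/rename, so SI < FN points at timestomping.
  2. SI timestamps with all-zero sub-second digits. NTFS keeps 100 ns ticks;
     common timestomping tools write whole seconds only.
  3. A server-side executable extension in a directory that should only
     hold static content (images, uploads, ...).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# (whole seconds as an aware datetime, 100 ns ticks as int)
Timestamp = tuple[datetime, int]

# Extensions IIS hands to the ASP.NET handler on a default install
# (assumption; check the server's handler mappings).
ASPNET_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".soap", ".cshtml"}
# Directory names assumed to hold static content only.
STATIC_ONLY_DIRS = {"img", "images", "uploads", "css", "js", "fonts"}


@dataclass
class MftRecord:
    path: str
    si_created: Timestamp
    si_modified: Timestamp
    fn_created: Timestamp
    fn_modified: Timestamp


def parse_ts(text: str) -> Timestamp:
    """Parse '2022-07-19T02:41:13.9876543' (UTC) into (datetime, ticks)."""
    whole, _, frac = text.partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int(frac.ljust(7, "0")) if frac else 0
    return dt, ticks


def parse_timeline(lines):
    """Read 'path|SI_created|SI_modified|FN_created|FN_modified' records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, si_c, si_m, fn_c, fn_m = line.split("|")
        records.append(MftRecord(path, parse_ts(si_c), parse_ts(si_m),
                                 parse_ts(fn_c), parse_ts(fn_m)))
    return records


def analyse(record: MftRecord) -> list:
    """Return the list of heuristics a record trips (empty if clean)."""
    reasons = []
    if record.si_created < record.fn_created:
        reasons.append("si_created_before_fn_created")
    if record.si_created[1] == 0 and record.si_modified[1] == 0:
        reasons.append("zero_subsecond_si_times")
    parts = record.path.lower().replace("/", "\\").split("\\")
    name = parts[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in ASPNET_EXECUTABLE and STATIC_ONLY_DIRS & set(parts[:-1]):
        reasons.append("executable_in_static_dir")
    return reasons


def find_suspicious(records) -> dict:
    """Map each suspicious path to the heuristics it tripped."""
    hits = {}
    for record in records:
        reasons = analyse(record)
        if reasons:
            hits[record.path] = reasons
    return hits


# Constructed timeline in the style of an MFT export; every value is invented.
SAMPLE_TIMELINE = r"""
# path|SI_created|SI_modified|FN_created|FN_modified
C:\inetpub\wwwroot\default.aspx|2021-03-10T08:15:22.1234567|2021-03-10T08:15:22.1234567|2021-03-10T08:15:22.1234567|2021-03-10T08:15:22.1234567
C:\inetpub\wwwroot\web.config|2021-03-10T08:15:30.5551111|2022-01-05T09:00:01.7770000|2021-03-10T08:15:30.5551111|2021-03-10T08:15:30.5551111
C:\inetpub\wwwroot\img\cache.aspx|2019-07-04T12:00:00.0000000|2019-07-04T12:00:00.0000000|2022-07-19T02:41:13.9876543|2022-07-19T02:41:13.9876543
C:\inetpub\wwwroot\img\logo.png|2021-03-10T08:16:02.4440000|2021-03-10T08:16:02.4440000|2021-03-10T08:16:02.4440000|2021-03-10T08:16:02.4440000
"""

if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_timeline(SAMPLE_TIMELINE.splitlines())).items():
        print(path, "->", ", ".join(reasons))
```

Only `cache.aspx` trips the checks in the sample: its SI times sit three years before the kernel-maintained FN times, both SI values are whole seconds, and an ASP.NET handler has no business living under an image directory. The modified-after-creation `web.config` is not flagged, because FN modified time is not updated on ordinary content writes and a later SI modified time is the normal case.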

The investigation uncovered a series of tools and techniques used by the threat actor, from exploiting vulnerabilities to establishing persistence and executing malicious commands. 

The attack involved the use of a minimalistic backdoor known as Micro Backdoor, which communicated through named pipes, making detection more challenging. 

This allowed the threat actor to collect data and issue commands almost undetectably.
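Named-pipe command channels never cross the network, so they are invisible to a perimeter sensor; host telemetry is what catches them. The following script is an added example, not part of the article or of Bitdefender's tooling. It assumes Sysmon is installed with pipe auditing enabled (Sysmon logs pipe creation as Event ID 17 and pipe connection as Event ID 18) and that the application runs under the IIS worker process `w3wp.exe`, which is the default host for ASP.NET. The event lines, the pipe name `\PLACEHOLDER_PIPE` and the process `pipeclient.exe` are constructed for the demonstration; the real backdoor's pipe name is not given in the article. Two rules are applied: any pipe activity by the web worker is reported, since a web application normally has no reason to open its own pipes, and any pipe whose name is not on a short allowlist of well-known Windows pipes is reported regardless of process.

```python
"""Flag suspicious named-pipe activity in Sysmon-style event lines."""
import re
from dataclasses import dataclass

# Simplified one-line rendering of a Sysmon pipe event (constructed format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+Image=(?P<image>\S+)\s+PipeName=(?P<pipe>\S+)$"
)

PIPE_EVENT_IDS = {17, 18}          # Sysmon: 17 = PipeCreated, 18 = PipeConnected
WEB_WORKER_IMAGES = {"w3wp.exe"}   # IIS worker hosting ASP.NET (assumption)
# Well-known pipes on a stock Windows host. Not exhaustive: build the real
# allowlist from a known-good baseline of the same server role.
KNOWN_PIPES = {r"\spoolss", r"\srvsvc", r"\wkssvc", r"\lsass", r"\ntsvcs",
               r"\epmapper", r"\samr", r"\netlogon", r"\eventlog"}


@dataclass
class Finding:
    timestamp: str
    event_id: int
    image: str
    pipe_name: str
    reasons: list


def parse_event(line: str):
    """Return (timestamp, event_id, image, pipe) or None for non-matching lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("id")), m.group("image"), m.group("pipe")


def check_event(ts: str, event_id: int, image: str, pipe: str):
    """Apply both rules to one pipe event; None when nothing is suspicious."""
    if event_id not in PIPE_EVENT_IDS:
        return None
    reasons = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in WEB_WORKER_IMAGES:
        reasons.append("pipe_activity_from_web_worker")
    if pipe.lower() not in KNOWN_PIPES:
        reasons.append("unknown_pipe_name")
    return Finding(ts, event_id, image, pipe, reasons) if reasons else None


def detect_pipe_anomalies(lines) -> list:
    """Run the checks over an iterable of event lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        finding = check_event(*parsed)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events; timestamps, pipe name and client binary are invented.
SAMPLE_EVENTS = r"""
2022-08-03T04:12:09Z EventID=17 Image=C:\Windows\System32\inetsrv\w3wp.exe PipeName=\PLACEHOLDER_PIPE
2022-08-03T04:12:10Z EventID=18 Image=C:\Temp\pipeclient.exe PipeName=\PLACEHOLDER_PIPE
2022-08-03T04:13:00Z EventID=17 Image=C:\Windows\System32\spoolsv.exe PipeName=\spoolss
this line is not a pipe event and is skipped
2022-08-03T04:14:00Z EventID=18 Image=C:\Windows\System32\svchost.exe PipeName=\eventlog
"""

if __name__ == "__main__":
    for f in detect_pipe_anomalies(SAMPLE_EVENTS.splitlines()):
        print(f.timestamp, f.event_id, f.image, f.pipe_name, ", ".join(f.reasons))
```

The first rule is the high-value one for this incident: a backdoor loaded into the ASP.NET process creates its pipe from inside `w3wp.exe`, so the worker's own pipe events are a narrow, low-noise signal. The allowlist rule is noisier and needs a baseline, but it also catches the client side of the channel, which may run under an unrelated process.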

In conclusion, this incident underscores the importance of supply chain security of management software, particularly for smaller businesses that rely on third-party solutions. 

A defense-in-depth architecture is recommended as the best approach to counter modern cyber threats, layering multiple security measures so that no single vulnerability gives an attacker the whole system. 


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
