URL: https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/
DARKHOTEL APT TARGETS WYNN, MACAO HOTELS TO RIP OFF GUEST DATA

Author: Becky Bracken
March 18, 2022 2:53 pm

A DarkHotel phishing campaign breached luxe hotel networks, including Wynn
Palace and the Grand Coloane Resort in Macao, a new report says.

An advanced persistent threat (APT) group has been targeting luxury hotels in
Macao, China with a spear-phishing campaign aimed at breaching their networks
and stealing the sensitive data of high-profile guests staying at resorts,
including the Grand Coloane Resort and Wynn Palace.

A threat research report from Trellix “cautiously” identified the South Korean
DarkHotel APT group as the culprit behind the attacks.

The researchers said the spear-phishing campaign began at the tail end of
November, with emails loaded with malicious Excel macros being sent to ranking
hotel management with access to hotel networks, including human resources and
office managers.



In one attack wave, phishing emails were sent to 17 different hotels on Dec. 7
and faked to look like they were sent from the Macao Government Tourism Office,
to gather information about who was staying at the hotels. The emails asked the
recipient to open an attached Excel file labeled “passenger inquiry.”

“Please open the attached file with enable content and specify whether the
people were staying at the hotel or not?” the malicious email read, according to
the threat researchers with Trellix. The communication was signed from the
“Inspection Division – MGTO.”

The DarkHotel attack flow. Source: Trellix.

Trellix was able to attribute the attacks to DarkHotel with a “moderate” level
of confidence due to the IP address for the command-and-control server (C2),
which was previously attached to the group; the targeting of hotels, which
DarkHotel is already infamous for; and patterns found in the C2 setup which
match known DarkHotel activities, the report said.

“However, we have lowered our confidence level to moderate because the specific
IP address remained active for quite some time even after being publicly
exposed, and the same IP address is the origin of other malicious content not
related to this specific threat,” the Trellix team said. “These two observations
have made us more cautious in our attribution.”


DARKHOTEL SUSPECTED OF STEALING DATA FOR FUTURE ATTACKS

Once opened, the macros contacted the C2 server to begin data exfiltration from
the hotel networks, the Trellix team explained.

“The command-and-control server, hxxps://fsm-gov(.)com, used to spread this
campaign was trying to impersonate a legitimate government website domain for
the Federated States of Micronesia,” Trellix’s report added. “However, the real
Micronesia website domain is ‘fsmgov.org.’”

The Trellix team said they suspected the attackers were collecting data to be
used later.

“After researching the event agenda for the targeted hotels, we did indeed find
multiple conferences that would have been of interest to the threat actor,” the
Trellix researchers reported. “For instance, one hotel was hosting an
International Environment Forum and an International Trade & Investment Fair,
both of which would attract potential espionage targets.”

The spear-phishing campaign stopped on Jan. 18, the team said.


COVID-19 STALLS CAMPAIGN

That said, the COVID-19 pandemic cancelled or delayed these events, giving law
enforcement time to catch on. By Dec. 2021, the Macao Security Force Bureau
received a notification from the Cyber Security Incident Alert and Emergency
Response Center of the police department that a domain similar to the official
Security Force page was being used to spread malware and “commit illegal acts.”

Besides targeting hotels, other campaigns attributed to the same C2 IP address,
believed to be controlled by DarkHotel, included going after MetaMask crypto
users with a spoofed Collab.Land phishing page, the Trellix report added.

DarkHotel has a long history of targeting Chinese victims. In April 2020, the
APT group went after Chinese virtual private network (VPN) service provider
SangFor, used by several Chinese government agencies. By the end of the first
week of that month, at least 200 endpoints had been compromised, according to
reports.

Around the same time, at the start of the COVID-19 pandemic, DarkHotel targeted
the systems of the World Health Organization.

Attacks like these show how attractive data stored in hotel networks can be for
threat actors. Hotel operators should recognize that cybersecurity needs to
reach beyond their networks’ edge, the Trellix team advised. Travelers likewise
need to take appropriate security precautions, Trellix added.

“Only bring the essential devices with limited data, keep security systems up to
date and make use of a VPN service when using hotel Wi-Fi,” the report said.
