Hackers Exploit Multiple Bugs in Hotel Booking PlatformFinancially Motivated Hackers Deploy Custom Malware
Financially motivated hackers developed custom malware to exploit a likely zero-day flaw in popular property management software used by resorts and hotels, said security researchers.
In research published Thursday morning, Bitdefender said it had not identified the threat actor behind a hacking incident at a small resort in the United States that it analyzed. But it said it could confirm that the attacker primary's objective was financial gain and the illicit acquisition of personal information.
Hackers target the hospitality industry with regularity, given the massive amounts of personal and payment data inside the sector's digital systems. Verizon's most recent data breach report estimates that hackers target payment card data in 4 in 10 cyber incidents involving the accommodation and food service industry.
Bitdefender said the attack it examined was likely part of a larger, coordinated effort, given similar web shell infections among several other victims who used the same booking engine. The software in question is made by Colorado-based Resort Data Processing, developer of the IRM Next Generation online booking engine. The cybersecurity firm said it had repeatedly attempted to contact the company, including through an official bug county program, but received no response. Information Security Media Group also could not immediately reach the company. In 2021, hackers breached the booking engine to siphon payment card and personal information including names, addresses and phone numbers.
The attacks, especially if the most recent wave of hackers used their custom malware and apparently deep knowledge of IRM Next Generation, highlight the supply chain problem underlying almost every industry. Companies with few resources available for information technology depend on third-party providers - and hope they haven't simultaneously invited in hackers. For smaller enterprises, "focusing on the security maturity of their supply chain becomes paramount. It's essential to recognize that opting for seemingly more affordable solutions can sometimes lead to unforeseen, substantial expenses due to security breaches or vulnerabilities," Bitdefender warned.
Attackers went "beyond conventional attack methods," the company said, and noted the presence of "custom malware designed to seamlessly integrate with legitimate network traffic, facilitating the covert exfiltration of sensitive data."
Hackers likely initiated this latest attack in the summer of 2022 using an uncertain initial attack vector. "We hold a strong conviction that it was connected to an undisclosed vulnerability within the booking engine," said Bitdefender.
Among the flaws that the attackers exploited were the presence of hard-coded credentials in the booking software and improper sanitization of inputs that permit SQL injection.
The initial compromise involved uploading a css file containing a web shell code. The IRM-NG file-uploading API allows css files. Attackers used an "undisclosed vulnerability" to change the extension of the file to
.aspx, an extension for a server-side scripting language - thus enabling the web shell. Hackers quickly deployed their custom tool, developed to run queries in the software's Pervasive PASQL relational database system. Access to that system is not protected by a password.
"Significantly, this specialized tool was put into action within a mere 18 minutes after the initial breach. This strongly suggests that the threat actor possessed previous knowledge of the system," Bitdefender wrote.
The heart of the campaign consisted of executing a batch file to deploy malicious components including a
web.config file that allowed hackers to inject a malware called XModule. The malware integrated into the flow of the booking engine, intercepting traffic. Hackers also used MicroBackdoor for persistence. Anytime hackers wanted to extract data or send commands, they would send a request to the compromised web server. XModule would intercept the request and process it. "This is an almost undetectable method of communication," Bitdefender said.