In the evolving hospitality industry landscape, where vacation rental software has transitioned from luxury to necessity, a growing concern emerges regarding cybersecurity.
This software, while primarily simplifying booking, guest interactions, and property management, stores sensitive data such as credit card information, guest preferences, and communications.
This treasure trove of data has become an attractive target for cybercriminals seeking financial gain or unauthorized access.
Of particular interest to financially motivated hackers is credit card information, accounting for a significant 41% of breaches in the hospitality sector, as reported by the Verizon Data Breach Investigations Report.
The sheer volume of transactions in this industry, combined with integrated payment gateways, makes it an attractive and potentially lucrative target.
Financially Motivated Attacks
The attackers possess an intimate understanding of the software’s inner workings. These threat actors invest significant effort and resources in developing specialized tools to exploit vulnerabilities within these systems, aiming for a consistent, illicit income stream.
Large hotel networks and travel search engines have substantial resources to implement robust security measures, even though recent breaches have demonstrated their vulnerabilities.
However, smaller hotels and resorts face an even greater challenge. Developing custom software is costly and time-consuming, prompting many to opt for third-party solutions from trusted providers.
Yet, this reliance introduces a new vulnerability: the supply chain.
A recent breach targeted a small resort in the United States that had adopted the IRM Next Generation (“IRM-NG”) online booking engine, a product by Resort Data Processing, Inc.
Bitdefender Labs’ investigation uncovered a collection of vulnerabilities within this software.
Moreover, the attack was supported by tailor-made malware designed to seamlessly integrate with the software’s architecture, emphasizing the threat actor’s intricate understanding of the software’s internal workings and their capacity to exploit it for extracting sensitive information.
Despite Bitdefender Labs’ diligent efforts to report these vulnerabilities to Resort Data Processing since May 2023, their attempts to establish communication remained unanswered.
This led to Common Vulnerabilities and Exposures (CVE) identifiers being allocated to the identified vulnerabilities in the management software, reflecting the severity of the situation.
The attack, which commenced in the summer of 2022, used techniques to evade detection, such as timestomping: the manipulation of file timestamps to obscure the attackers' activities.
The primary objective of the attack was financial gain and the illicit acquisition of personal information.
Custom Malware in Action
Although the specific threat actor group could not be definitively identified, the attack targeted an undisclosed vulnerability within the booking engine, enabling the threat actor to upload malicious files and execute them within the ASP.NET framework.
Custom tools and malware were employed throughout the attack, and signs of prior knowledge of the system were evident.
The investigation uncovered a series of tools and techniques used by the threat actor, from exploiting vulnerabilities to establishing persistence and executing malicious commands.
The attack involved the use of a minimalistic backdoor known as Micro Backdoor, which communicated through named pipes, making detection more challenging.
This allowed the threat actor to collect data and issue commands almost undetectably.
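Because the attackers uploaded files into the ASP.NET application and reset file timestamps, date-based triage of a web root can miss them. The following added example (not code from Bitdefender's report or from the vendor) compares content hashes against a known-good baseline instead. The file names, extension list and temporary web root are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

WEB_EXTS = {".aspx", ".ashx", ".asmx", ".dll", ".config"}  # assumed set of web content to track

def build_manifest(root):
    """Map each tracked file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WEB_EXTS}

def triage_by_mtime(root, since_epoch):
    """Naive triage: files whose last-modified time is at or after since_epoch."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and p.stat().st_mtime >= since_epoch}

def diff_against_baseline(root, baseline):
    """Content-based comparison against a trusted manifest; timestamps are ignored."""
    current = build_manifest(root)
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(f for f in current.keys() & baseline.keys()
                              if current[f] != baseline[f])}

def demo():
    """Constructed web root: one file added and one altered, both carrying old timestamps."""
    with tempfile.TemporaryDirectory() as d:
        root, old = Path(d), 1_600_000_000  # constructed "deployment" time
        (root / "bin").mkdir()
        for name, body in [("default.aspx", b"<%@ Page %>"), ("bin/app.dll", b"placeholder")]:
            (root / name).write_bytes(body)
            os.utime(root / name, (old, old))
        baseline = build_manifest(root)  # taken at deployment, stored off-host in practice
        # Constructed later changes whose mtime has been set back to the deployment time.
        (root / "upload.ashx").write_bytes(b"<%@ WebHandler %>")
        (root / "default.aspx").write_bytes(b"<%@ Page %><!-- altered -->")
        for name in ("upload.ashx", "default.aspx"):
            os.utime(root / name, (old, old))
        return triage_by_mtime(root, old + 86_400), diff_against_baseline(root, baseline)

if __name__ == "__main__":
    by_mtime, by_hash = demo()
    print("mtime triage:", sorted(by_mtime))
    print("baseline diff:", by_hash)
```

The mtime search returns nothing for the incident window, while the baseline comparison reports both the added handler and the altered page.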
In conclusion, this incident underscores the importance of supply chain security for management software, particularly for smaller businesses that rely on third-party solutions.
A defense-in-depth architecture is recommended as the best approach to counter modern cyber threats, involving multiple layers of security measures to minimize vulnerabilities.