The Trustwave SpiderLabs team conducted a multi-month investigation into the cyber threats facing the hospitality industry worldwide and has released a detailed report displaying how threat actors conduct attacks, the methodologies used, and what organizations can do to protect themselves from specific types of attacks.
The report, 2023 Hospitality Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies, takes a four-step approach to break down threat actor trends and techniques. In each case, the threat is analyzed, there is a discussion on how it can affect an organization, Trustwave SpiderLabs’ insights are revealed, and mitigations to reduce the threat are introduced.
“In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act,” said Trustwave CISO Kory Daniels. “Our latest threat briefing is a valuable resource for security leaders within the hospitality sector, providing a comprehensive view of the threats observed by our SpiderLabs team, along with specific mitigation strategies to bolster defenses.”
The Hospitality Sector Under Attack
Nearly 31% of hospitality organizations have reported a data breach in their company’s history, of which 89% have been affected more than once in a year, according to a report by Cornell University and FreedomPay. While the average cost of a hospitality breach ($3.4M) is lower than the cross-industry average ($4.4M), the impact on reputation can cause significant harm to the bottom line due to the highly competitive nature of the industry.
The hospitality sector handles a huge store of data, much of which is highly prized by attackers, such as personally identifiable information and payment card data.
This lucrative target is also difficult to defend. Hospitality entities must deal with high turnover among both employees and customers, with technology that is designed to make interactions easier but is often easily accessible to criminals, and with third-party suppliers that may or may not have proper cybersecurity in place.
Threat Groups and Methodologies
The Trustwave SpiderLabs report analyzes threat groups targeting the hospitality sector and their methods throughout the attack cycle, from initial foothold through to exfiltration.
A few key findings from the report include:
- SpiderLabs noted that the MOVEit RCE (CVE-2023-34362) vulnerability was one of the top exploits threat actors used to target hospitality clients. An analysis of 150+ victims within the hospitality sector showed a significant surge in Clop ransomware attacks due to this MOVEit zero-day vulnerability.
- HTML attachments make up 50% of the file types being used for email-borne malware attachments. HTML file attachments are being used in phishing as a redirector to facilitate credential theft and for delivering malware through HTML Smuggling.
- Obtaining credential access, primarily by using brute force attacks, was behind 26% of all reported incidents. This tactic has threat actors leveraging valid accounts to compromise systems by simply logging in using weak passwords that are vulnerable to password guessing.
Helping Understand the Threat
The 2023 Hospitality Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies is designed to inform security teams of the present danger, but it also explores and dissects new technologies threat actors are implementing.
The report notes how artificial intelligence and generative AI are powerful tools increasingly used by the hospitality sector to improve the guest experience with services like chatbots or language translation, opening the industry up to unique implications and risks.
In the same vein, contactless technologies like table payments and smartphone-card reader integrations offer a seamless experience to businesses and customers alike but also present threat actors with a way to access an organization’s system directly.
An increasing reliance on third-party vendors for services, such as HVAC, vending machines, and point-of-sale (PoS) systems, creates additional risk as more vendors have access to sensitive data or systems.
Security Challenges Distinctive to the Hospitality Industry
As with all industries, basic cybersecurity hygiene practices, strong passwords, and up-to-date patching programs, along with a security-centric mindset and habits, remain necessary.
However, SpiderLabs found many cybersecurity challenges unique to the hospitality industry that also need to be addressed.
Here are a couple included in the report, along with how to boost safety.
Challenge: Hospitality is seasonal, and this means dealing with seasonal and less security-conscious staff hired during peak periods to meet demand. This seasonality presents a distinct risk of insider threat, intentional or not, due to the challenge of providing consistent security training to a continually changing group of employees.
Mitigation: SpiderLabs found the majority of hospitality attacks start with a phishing email that often deploys Qakbot and Emotet malware. This initial attack vector should come as no surprise after noting the industry is often staffed by newcomers. This means organizations should:
- Regularly perform simulated phishing assessments to evaluate the efficiency of anti-phishing training and provide retraining for individuals who repeatedly fall victim.
- Enforce strong anti-spoofing protocols by deploying cutting-edge technologies within email gateways.
- Employ a multi-tiered approach to email scanning, utilizing a solution such as Trustwave MailMarshal to enhance the accuracy and efficacy of both detection and protective measures.
- Employ methodologies aimed at identifying domain misspellings, thereby facilitating the recognition of phishing attempts and Business Email Compromise (BEC) attacks.
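One way to implement the domain-misspelling check from the last bullet, shown as an added example that is not part of the Trustwave report or any Trustwave product. The protected domains, the confusables table, the sample headers and the distance threshold are all constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample: domains the organization legitimately sends mail from.
PROTECTED = ["examplehotel.com", "examplehotel-rewards.com"]

# Small illustrative confusables table (an assumption, not exhaustive):
# digits and Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    d = unicodedata.normalize("NFKC", domain.rstrip(".").lower())
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(from_header, max_dist=2):
    """Label a sender as legitimate, homoglyph, typo or unrelated."""
    dom = sender_domain(from_header)
    if dom in PROTECTED:
        return ("legitimate", dom)
    for good in PROTECTED:
        if skeleton(dom) == skeleton(good):
            return ("homoglyph", good)
    for good in PROTECTED:
        if osa_distance(skeleton(dom), skeleton(good)) <= max_dist:
            return ("typo", good)
    return ("unrelated", None)
```

A mail gateway rule built on this would quarantine or tag messages labelled `homoglyph` or `typo`; the threshold of 2 edits is a starting point to tune against false positives on short domains.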
In addition to having a steady stream of new workers, hospitality establishments encounter a fresh set of customers virtually every day, which pushes network capabilities to their limit.
Given the substantial volume of new network users, whether they’re hotel guests or individuals connecting to coffee shop Wi-Fi, organizations within hospitality must operate under the assumption their networks are highly susceptible to attacks due to the sheer number of users. This leads to a hesitancy to deploy patches and configuration changes that might have an adverse impact on day-to-day operations.
Additionally, unlike conventional office buildings where employee access is typically controlled through access cards, hospitality establishments face cybersecurity risks due to the accessibility of hardware by guests. For instance, the server closet in a hotel could be left unlocked and easily accessible, or a thumb drive could easily be inserted into a nearby device.
Challenge: Additional security issues include the increased use of contactless technologies that hospitality organizations have brought on board to handle everything from room entry to dining room payments. These points of contact along with kiosks, digital billboards, electronic gaming devices, online reservation systems, smart TVs, tablets, online menus, and mobile POS devices, all combine to create a vast attack surface.
Attackers can access these through malware inserted into the system, and, based on our research, a threat actor does not need to be on the hotel premises to attack hotel devices and systems. Trustwave SpiderLabs has seen a multitude of exposed ports, services, and applications from hospitality organizations that are publicly available on the Internet. Prevalent ones are network devices, property management systems, backup power controllers, power distribution systems, phone systems, smart energy management systems, and IP cameras.
Mitigations:
- Employ vulnerability assessments and penetration testing to pinpoint susceptible devices and servers.
- Elevate the priority of system and software patching for databases containing customer, employee, and payment information.
- Enforce the placement of all servers and devices within the confines of a firewall and adhere to sound network segmentation practices to fortify access control measures.
- Deactivate Internet connectivity for servers and devices that do not necessitate online access.
- Reinforce access controls, setting them to the minimum essential levels for authorized users.
- Expeditiously apply patches to critical, vulnerable systems.
Looking Down the Road
Although the hospitality industry isn’t alone in facing an elevated threat landscape, the consequences of attacks in this sector can be critical. One key aspect to note is that the nature and scale of the hospitality industry creates an environment that is inherently conducive and appealing to threat actors.
It is highly unlikely that attacks targeting hospitality organizations will subside or slow down. While the technical aspects of these attacks may change over time, the underlying tactics will likely remain consistent. Traditional methods such as phishing, exploiting known vulnerabilities, and compromising third-party vendors continue to pose significant threats.