Bitdefender warns hospitality industry of attacks on IRM-NG booking engine

September 8, 2023

Caption: The hackers’ procedure: 1. The content of the webshell is uploaded to the database record. 2. A new record is created with instructions for the file upload service. 3. The service stores the contents of a cell in a library in the System32 folder. (Image source: Bitdefender)

Vulnerability remains unsecured – cybercriminals steal credit card details, passwords and customers’ personal data

Bitdefender has published recent research findings on an ongoing campaign by cybercriminals targeting the IRM-NG booking platform used in the hospitality industry. The attackers are using vulnerabilities in the platform, in combination with backdoors and techniques to bypass password validation on the endpoint device, to steal customers’ credit card information, passwords and personal data. Bitdefender has not received a response from vendor Resort Data Processing (RDP) to its advisories for months. The vulnerability continues to exist.

Bitdefender was able to trace the attacks back to the summer of 2022 and attribute them to a specific group. The group’s custom attack consists of several modules designed to blend in with legitimate software and operate unobtrusively. The malware and other tools indicate that the group knows the internal workings of IRM-NG very well and that this is probably not the first operation they have launched against this software.

Attackers can generate passwords themselves

The IRM-NG engine allows employees of the vendor RDP to log in to their customers’ clients via a special administrator account, with password validation taking place on the end device and not on the vendor’s servers. The password validation algorithm is located in a dynamic link library (DLL) and is weak, according to Bitdefender experts. Attackers can use this vulnerability to generate the daily password themselves and successfully log into any account of the client company.

Vulnerability remains unsecured

Bitdefender has sought contact with RDP for months, including via email, Twitter, LinkedIn and an official bug bounty program, but has received no response. As a result, the vulnerability remains unsecured and users remain vulnerable. Bitdefender therefore advises hospitality organizations using IRM-NG to exercise increased vigilance and review the IOCs from the research presented by Bitdefender. Defenses against modern attacks such as this should include a “defense-in-depth” architecture that includes threat prevention, detection and response through solutions such as XDR/EDR or managed security services such as MDR.
