Bitdefender warns hospitality industry of attacks on IRM-NG booking engine

September 8, 2023

Caption: The hackers’ procedure: 1. The content of the webshell is uploaded into a database record. 2. A new record is created containing instructions for the file upload service. 3. The service writes the contents of that database cell to a library (DLL) in the System32 folder. (Image source: Bitdefender)

Vulnerability remains unsecured – cybercriminals steal credit card details, passwords and customers’ personal data

Bitdefender has published recent research findings on a campaign currently underway by cybercriminals targeting the IRM-NG booking platform used in the hospitality industry. The attackers combine vulnerabilities in the platform with backdoors and techniques to bypass password validation on the endpoint device in order to steal customers’ credit card information, passwords and personal data. Bitdefender has not received a response from the vendor Resort Data Processing (RDP) to its advisories for months, and the vulnerability continues to exist.

Bitdefender was able to trace the attacks back to the summer of 2022 and attribute them to a specific group. The group’s custom attack consists of several modules designed to blend in with legitimate software and operate unobtrusively. The malware and other tools indicate that the group knows the internal workings of IRM-NG very well and that this is probably not the first operation they have launched against this software.

Attackers can generate passwords themselves

The IRM-NG engine allows employees of the vendor RDP to log in to their customers’ installations via a special administrator account, with the password validated on the end device rather than on the vendor’s servers. According to Bitdefender’s experts, the password validation algorithm is located in a Dynamic Link Library (DLL) shipped with the software and is weak. Because everything needed to check the password is present on the endpoint, attackers can use this vulnerability to generate the daily password themselves and successfully log into any account of the client company.
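The design flaw described above is that the endpoint holds everything needed to validate the vendor’s daily support password, so anyone with the DLL can reproduce it. The following added example (not Bitdefender’s or RDP’s code; the token format, tenant names and function names are constructed for illustration) shows the design that removes this class of flaw: the vendor signs a short-lived, tenant-bound support token with a private key that never leaves the vendor, and the endpoint verifies it with only the public key, so a copy of the client software yields nothing that forges a credential.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed token format: "tenant|expiryUnix|base64sig". The signature covers
// tenant and expiry, so a token cannot be reused against another customer or
// after it expires. Only the vendor holds the signing key.

// IssueToken runs on the vendor side and signs a short-lived support token.
func IssueToken(priv ed25519.PrivateKey, tenant string, expiry time.Time) string {
	payload := fmt.Sprintf("%s|%d", tenant, expiry.Unix())
	sig := ed25519.Sign(priv, []byte(payload))
	return payload + "|" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyToken runs on the customer endpoint. It embeds only the vendor's
// public key, so possessing the binary does not allow computing a valid token.
func VerifyToken(pub ed25519.PublicKey, token, tenant string, now time.Time) error {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	if parts[0] != tenant {
		return errors.New("token issued for a different tenant")
	}
	var exp int64
	if _, err := fmt.Sscanf(parts[1], "%d", &exp); err != nil {
		return errors.New("bad expiry")
	}
	if now.Unix() > exp {
		return errors.New("token expired")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"|"+parts[1]), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair (demo only)
	now := time.Now()
	tok := IssueToken(priv, "hotel-a", now.Add(time.Hour))
	fmt.Println(VerifyToken(pub, tok, "hotel-a", now))                   // <nil>
	fmt.Println(VerifyToken(pub, tok, "hotel-b", now))                   // different tenant
	fmt.Println(VerifyToken(pub, tok, "hotel-a", now.Add(2*time.Hour)))  // token expired
}
```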

Vulnerability remains unsecured

Bitdefender has sought contact with RDP for months, including via email, Twitter, LinkedIn and an official bug bounty program, but has received no response. As a result, the vulnerability remains unsecured and users remain exposed. Bitdefender therefore advises hospitality organizations using IRM-NG to exercise increased vigilance and to review the IOCs from the research Bitdefender has published. Defenses against modern attacks such as this one should include a “defense-in-depth” architecture that combines threat prevention, detection and response through solutions such as XDR/EDR or managed security services such as MDR.
