Trustwave exposes cybersecurity risks in hospitality sector
Sat 9 Sep 2023
Cybersecurity services provider Trustwave has released comprehensive research shedding light on the distinctive cybersecurity risks encountered by the hospitality sector.
The Hospitality Sector Threat Landscape report explored the specific threats and risks that hospitality organisations face, along with practical insights and mitigations to strengthen their defenses.
In its new research, Trustwave SpiderLabs documented the attack flow utilised by threat groups, exposing their tactics, techniques, and procedures. From brute forcing, to exploiting known vulnerabilities and attacking exposed open ports, these persistent threats pose significant risks to the hospitality industry.
Spanning from hotels, to restaurants, to cruise ships, the hospitality sector has become deeply woven into the everyday routines of millions of people, making its cybersecurity threat landscape especially vast, complex, and critical.
Nearly 31% of hospitality organisations have reported a data breach in their company’s history, of which 89% have been affected more than once in a year, according to a report by Cornell University and FreedomPay.
While the average cost of a hospitality breach ($3.4 million) is lower than the cross-industry average ($4.4 million), the impact on reputation can cause significant harm to the bottom line due to the highly competitive nature of the industry.
“With unique considerations, such as the adoption of contactless technology and the steady turnover of customers and employees, the hospitality industry faces a complex security landscape with distinct challenges. In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act,” said Kory Daniels, Chief Information Security Officer at Trustwave.
The report analysed threat groups and their methods throughout the attack cycle, from initial foothold through to exfiltration. Key findings from the report include:
- The MOVEit RCE vulnerability (CVE-2023-34362) is one of the top exploits threat actors use to target hospitality clients. Analysis of more than 150 victims within the hospitality sector shows a significant surge in Clop ransomware attacks due to this MOVEit zero-day vulnerability.
- HTML attachments make up 50% of the file types being used for email-borne malware attachments. HTML file attachments are being used in phishing as a redirector to facilitate credential theft and for delivering malware through HTML Smuggling.
- Obtaining credential access, primarily by using brute force attacks, was behind 26% of all reported incidents. This tactic has threat actors leveraging valid accounts to compromise systems by simply logging in using weak passwords that are vulnerable to password guessing.
Technology trends in the hospitality industry
The report also explored emerging and prominent trends in the hospitality industry, including generative AI, contactless technology, and third-party risk.
Generative AI is a powerful tool that is being increasingly used by the hospitality sector to improve the guest experience with services like chatbots or language translation, opening the industry up to unique implications and risks.
Newer features like contactless table payments and smartphone-card reader integrations offer a seamless experience to businesses and customers alike, but also introduce new vectors of attack.
An increasing reliance on third-party vendors for services, such as HVAC, vending machines, and point-of-sale (PoS) systems, creates additional risk as more vendors have access to sensitive data or systems.
Cybersecurity challenges in the hospitality industry
Cybersecurity challenges unique to the hospitality industry include seasonal and less sophisticated workforces, constant user turnover, dirty networks, physical security concerns, and the franchise model.
The hospitality sector employs a diverse workforce, with seasonal and less sophisticated staff often engaged during peak periods to meet demand. This presents a distinct risk of insider threat, intentional or not, due to the challenge of providing consistent security training to a continually changing group of employees.
Hospitality establishments encounter a fresh set of users virtually every day. This ongoing cycle demands consistent uptime, attention to bandwidth constraints, and efforts to minimise potential exposure to security threats.
Given the substantial volume of network users, whether they’re hotel guests or individuals connecting to coffee shop WiFi, organisations within hospitality must operate under the assumption their networks are highly susceptible to attacks due to the sheer number of users. This leads to hesitancy to deploy patches and configuration changes that might have an adverse impact on day-to-day operations.
Unlike conventional office buildings where employee access is typically controlled through access cards, hospitality establishments face cybersecurity risks due to the accessibility of hardware by guests. For instance, the server closet in a hotel could be left unlocked and easily accessible or a thumb drive could easily be inserted into a nearby device.
The franchise framework leads to disparities in policy consistency and implementation across the industry, including cybersecurity measures. Different franchisers and franchisees adopt varied business models, resulting in divergent cybersecurity practices.
Prevalent threats and tactics
Threat actors operating across hospitality include LockBit, Medusa, Vice Society, BianLian, BlackBasta, Qilin, Karakurt, and Ragnar.
Threat tactics affecting the hospitality sector include email-borne malware (Emotet, Qakbot), phishing (IPFS, image-based, brand impersonation), scams (fake order scams, extortion scams), BEC (payroll diversion), malware, credential access (brute forcing, auctioned accounts), and vulnerability exploitation.