Report: Contactless Technology Among Big Cyber Risks for Hospitality Industry

Image by BiljaST via Pixabay

Unlike conventional office buildings where employee access is typically controlled through access control cards, hospitality establishments face a bevy of cybersecurity risks due to the accessibility of hardware by guests, according to a recent report by Trustwave.

For instance, the server closet in a hotel could be left unlocked and easily accessible or a thumb drive could easily be inserted into a nearby device. According to the report, artificial intelligence (AI), contactless technology and third-party exposures all pose risks to the industry.

Obtaining credential access, primarily by using brute force attacks, was behind 26 percent of all reported incidents. This tactic has threat actors leveraging valid accounts to compromise systems by simply logging in using weak passwords that are vulnerable to password guessing.

According to the report, the MOVEit RCE (CVE-2023-34362) vulnerability is one of the top exploits threat actors use to target hospitality clients. Analysis shows a significant surge in Clop ransomware attacks due to this MOVEit zero-day vulnerability. HTML attachments make up 50 percent% of the file types being used for email-borne malware attachments. HTML file attachments are being used in phishing as a redirector to facilitate credential theft and for delivering malware through HTML smuggling.

Given the substantial volume of network users, whether they are hotel guests or individuals connecting to coffee shop Wi-Fi, organizations within hospitality must operate under the assumption their networks are highly susceptible to attacks due to the sheer number of users. This leads to hesitancies to deploy patches and configuration changes that might have an adverse impact on day-to-day operations.

Top threat actors:

LockBit
Medusa
Vice Society
BianLian
BlackBasta
Qillin, Royal
Karakurt
Ragnar

Top threat tactics:

Email-borne malware (Emotet, Qakbot)
Phishing (IPFS, image based, brand impersonation)
Scams (fake order scams, extortion scams)
BEC (e.g., payroll diversion)
Malware
Credential access (brute forcing, auctioned accounts)
Vulnerability exploitation

To download the full report, go here.

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Electronic Security Expo, owned by ESA, is designed to help electronic security pros to network with other like-minded professionals and to educate about improving your company’s efficiency and productivity