What Happened: 
The recent Marriott breach involved the theft of employee credentials. Specifically, attackers obtained the login credentials of two franchise property employees, which gave them access to a third-party guest application used to deliver guest services. From there, the attackers were able to harvest the guest information needed to execute spear-phishing campaigns: full contact details were exposed, including names, mailing addresses, email addresses and phone numbers, as well as other personal data such as company, gender and birthdays.

Key Observations:
Based on known attacker patterns (as well as what transpired in the prior Marriott breach), the next step in the attack would be a convincing spear-phishing campaign against the compromised guests. The goal of the campaign would be to gain access to, or deliver malware onto, a guest’s (victim’s) business device. From there, attackers would use that access to create a backdoor into the victim’s company network by (1) finding the administrator accounts that have standing access to the victim’s workstation (e.g., IT admins, helpdesk) and (2) using Mimikatz to dump the password or password hash of those accounts and pivot into other systems on the company network that the account might have access to.