SiliconANGLE reported on 11 November about a massive Singapore hotel cyber-attack that occurred in September 2020. The hack was announced by the victim, Singapore-based RedDoorz, on 28 September, but obviously, the hack happened well before this date.

It is not yet clear, however, precisely when the hack happened, or when the victims discovered it, or who did it. Tech Nadu says the data was offered on the dark web by “ExpertData,” however, which might have been the hacker.

RedDoorz is a management and booking hotel company with over 1,000 properties throughout Southeast Asia. Its legal name in Singapore is Commeasure Pte. Ltd, says SiliconANGLE. The company’s website describes RedDoorz as “Southeast Asia’s largest and fastest-growing, technology-driven hotel management and booking platform.” The company says it offers budget hotel prices with clean, fresh rooms with free basic amenities such as WI-FI, mineral water, and TV.

The company relies heavily on technology to, as it says, “help partners manage distribution, pricing, marketing, customer experience, and technology solutions – offering an end-to-end platform powered by advanced technology infrastructure.”

Unlike physical hotel attacks where the tactics used are usually obvious, cyber-attack tactics can remain hidden, sometimes for years. This is so for three reasons:

1. Many hotel companies do not know they have been hacked.
2. Once a hack has been discovered, many hotel companies do not want to advertise their vulnerabilities and more widely expose themselves to additional brand damage.
3. Hotel companies do not want to suffer cyber-attack-based lawsuits. (See the Marriott-Starwood hack for more information).

International laws on reporting cyber-attacks to government authorities, on the other hand, are beginning to quell these behaviors.

As of November 2020, experts can only hypothesize about the attack tactics used against RedDoorz.

Experts quoted by SiliconANGLE (Chris Clements, VP of Solutions Architecture at Cerberus Sentinel) assume the hackers were able to exploit an “insecure configuration or storage of the database,” or they instituted a “SQL injection” (Structured Query Language database). The latter involves code injection – introducing malicious code into a vulnerable computer program – and is one of today’s most common web hacking tactics. And SQL is one of the most common database languages in the world. Governments (the US Department of Defense, for example), and businesses (Microsoft, for example), use it.

SiliconANGLE says a SQL injection can exploit vulnerabilities when developers do not apply “security best practices” when configuring a database.

The RedDoorz hackers stole 5.8 million customer records that contained “members’ email, bcrypt hashed passwords* full name, gender, link to profile photo, phone number, secondary phone number, date of birth, and occupation.”

*In general terms, bcrypt converts passwords into gibberish letters, numbers, and symbols, thereby camouflaging passwords from hackers who have broken into password managers.

The hackers then offered the data for sale on the dark web. RedDoorz was adamant about customers’ passwords and credit card numbers not being stolen.

Lawrence Abrams at Bleeping Computer says the hackers showed a sample of the hacked data online to prove they had the data. This included records for 587 users, including their emails and the database structure, which was a basic table.

Even though financial information was not included in this breach, hackers can use the RedDoorz information to launch other attacks, such as targeted phishing and pharming, says Tripwire.com. And with the right amount of hacking talent, technology, and time, bcrypt passwords can be converted into readable passwords, says Wired.com.

E27.co quoted a RedDoorz spokesperson saying of the hack: “We are taking all the necessary steps to investigate this further and at the same time we are conducting a thorough review of all our IT systems and protection. Data privacy is something we take very seriously at RedDoorz, and we have implemented the necessary security measures to ensure all our customers’ personal data remains secured.”

The Singapore police and its National Personal Data Protection Commission are investigating.

Takeaways

First, hotel companies need to ensure their programmers are using correct configurations that help prevent malicious code injections when building databases from the outstart. Anti-hacking checklists, continuing education on the latest programming best practices for SQL and other languages, and hotel cyber-attack threat intelligence, such as statistics and case studies, are key drivers in protection. Muir Analytics has begun to add a considerable number of hotel hacks to its SecureHotel Threat Portal repository and is beginning early-stage intelligence processing on these cases.

Second, Lawrence Abrams says the hacking victims should change their RedDoorz passwords, and that if they used those passwords at other sites, they should change those as well.

Third, since hackers can use the stolen data to create refined and targeted phishing, pharming attacks, and spoofing against specific individuals and the companies they work for, the hacking victims should pay close attention to all online activities and confirm that they are interfacing with legitimate websites – even well-known ones.

Fourth, Peter Daniel of Future Integrated Systems says hotel companies should also protect their login pages, which is a common weak point hackers typically exploit. “Login has to be protected from malicious SQL injection attacks as well,” he says. “It’s not only about safe database configuration.”

Fifth, “Once a database is created,” says Daniel, “they need to be tested for vulnerabilities. And there’s two ways, generally, that this happens. One is to use a set of programming tools that one can use to test a database and look for vulnerabilities in it. Once these vulnerabilities have been identified, a lot of these programs will tell you how to fix the problem.”

“And then there’s the more expensive testing route,” says Daniel, “which is to hire a company to actually try to hack your database and look for vulnerabilities that might have been missed.”

In light of the multitude of cyber-attacks against hotel companies, large and small, all over the world, these takeaways should be part of a standard operating procedure for hospitality cyber defense. And they should continually adapt to hackers’ ever-increasing creativity and penetrative capabilities.

Sources and further reading

“Cyble is accused of extorting data breach victims, but the company flatly denies it,” Tech Nadu, 19 November 2020.

“5.8M records from hotel company RedDoorz offered for sale on the dark web,” SiliconANGLE, 11 November 2020.

“5.8 million RedDoorz user records for sale on hacking forum,” Bleeping Computer, 10 November 2020.

“6 Common phishing attacks and how to protect against them,” Tripwire.com, 20 October 2020.

“Data breach: ShopBack, RedDoorz say sensitive consumer data not compromised,” E27.co, 28 September 2020.

“The Under Armour hack was even worse than it had to be,” Wired.com, 30 March 2018.

RedDoorz hotel website.

Future Integrated Systems website.

Copyright © Muir Analytics 2020