Ethical Hacking News
Russian state hackers APT28 used a novel technique called "nearest neighbor attack" to breach a US firm's enterprise WiFi network while being thousands of miles away. The attack highlights the importance of treating WiFi corporate networks with the same care as any other remote access service, emphasizing the need for MFA and awareness of one's surroundings in preventing such attacks.
The "nearest neighbor attack" was used by Russian state hackers (APT28, also tracked as Fancy Bear, Forest Blizzard and Sofacy) to breach a US firm's enterprise WiFi network from thousands of miles away. APT28 compromised multiple organizations as part of the attack, using valid access credentials and exploiting physical proximity to the target. The hackers daisy-chained their connection through those neighboring organizations and then moved laterally on the target network, searching for systems of interest and exfiltrating data. The attackers relied on native Windows tools to keep their footprint minimal while collecting data. Further investigation revealed that APT28 was actively targeting Organization A to collect data from individuals with expertise on Ukraine-related projects. The attack highlights the complexity of modern cybersecurity threats and the importance of treating corporate WiFi networks with the same care as remote access services.
Hackers have been leaving no stone unturned in their pursuit of exploitable weaknesses in the digital world. A recent attack, dubbed the "nearest neighbor attack," has brought attention to a novel technique used by Russian state hackers, known as APT28 or Fancy Bear/Forest Blizzard/Sofacy, to breach a US firm's enterprise WiFi network from thousands of miles away.
The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukraine-related work. This marked the beginning of an investigation into the attack vector used by APT28 to breach the target firm's network. The hackers, tracked by Volexity as GruesomeLarch, initially obtained the credentials to the target's enterprise WiFi network through password-spraying attacks against one of the victim's public-facing services.
However, the presence of multi-factor authentication (MFA) protection prevented the use of the credentials over the public web. Although connecting through the enterprise WiFi did not require MFA, being "thousands of miles away and an ocean apart from the victim" was a problem. So, the hackers became creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network.
The idea was to compromise another organization and look on its network for dual-homed devices, which have both a wired and a wireless connection. Such a device (e.g., a laptop or router) would allow the hackers to use its wireless adapter to connect to the target's enterprise WiFi. This technique, known as the "nearest neighbor attack," relies on physical proximity: the neighboring organization's network, rather than a flaw in the target itself, becomes the springboard into the target's wireless network.
Volexity found that APT28 compromised multiple organizations as part of this attack, daisy-chaining their connection using valid access credentials. Ultimately, they found a device within the proper range that could connect to three wireless access points near the windows of a victim's conference room. Using a remote desktop connection (RDP) from an unprivileged account, the threat actor was able to move laterally on the target network searching for systems of interest and to exfiltrate data.
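The dual-homed devices described above are what a defender should be inventorying. The following is an added example (not code from the article, Volexity, or BleepingComputer) that parses `ipconfig /all` output collected from Windows hosts and classifies each host as dual-homed (wired and wireless both carrying an address), wireless-capable (wired address plus a wireless adapter that could be brought up), or single-homed. The sample outputs and hostnames are constructed for the example.

```python
"""Classify Windows hosts by wired/wireless exposure from 'ipconfig /all' text.

Added example; the ipconfig output below is constructed, not taken from the
incident described on the page. Assumes the English ipconfig adapter headers
('Ethernet adapter ...:' / 'Wireless LAN adapter ...:').
"""
import re
from dataclasses import dataclass, field

# Adapter section headers sit at column 0; the per-adapter fields are indented.
ADAPTER_RE = re.compile(r"^(?P<kind>Ethernet|Wireless LAN) adapter (?P<name>[^:]+):\s*$")
IPV4_RE = re.compile(r"^\s+IPv4 Address[ .]*:\s*(?P<ip>\d+\.\d+\.\d+\.\d+)")
DISCONNECTED_RE = re.compile(r"^\s+Media State[ .]*:\s*Media disconnected")


@dataclass
class Adapter:
    kind: str                 # "Ethernet" or "Wireless LAN"
    name: str
    ipv4: list = field(default_factory=list)
    connected: bool = True    # flipped to False on "Media disconnected"


def parse_ipconfig(text):
    """Return the Ethernet / Wireless LAN adapters found in ipconfig /all output."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = Adapter(header["kind"], header["name"].strip())
            adapters.append(current)
            continue
        if current is None:
            continue  # preamble ("Windows IP Configuration", Host Name, ...)
        if DISCONNECTED_RE.match(line):
            current.connected = False
        ip = IPV4_RE.match(line)
        if ip:
            current.ipv4.append(ip["ip"])
    return adapters


def classify(adapters):
    """dual-homed: wired and wireless both up with an address.
    wireless-capable: wired up, a wireless adapter present but not carrying
    an address (an attacker on the wired side could still bring it up).
    Note: Hyper-V 'vEthernet' switches count as wired here; refine if needed."""
    wired_up = any(a.kind == "Ethernet" and a.connected and a.ipv4 for a in adapters)
    wireless = [a for a in adapters if a.kind == "Wireless LAN"]
    wireless_up = any(a.connected and a.ipv4 for a in wireless)
    if wired_up and wireless_up:
        return "dual-homed"
    if wired_up and wireless:
        return "wireless-capable"
    return "single-homed"


def audit(hosts):
    """hosts: {hostname: ipconfig text}. Returns {hostname: classification}."""
    return {h: classify(parse_ipconfig(text)) for h, text in hosts.items()}


# Constructed sample output for three hosts.
SAMPLE_HOSTS = {
    "WS-CONF-01": """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-CONF-01

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   IPv4 Address. . . . . . . . . . . : 10.10.5.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
   IPv4 Address. . . . . . . . . . . : 10.20.7.54(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
""",
    "LT-DOCK-02": """
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 10.10.5.77(Preferred)

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
""",
    "SRV-FILE-03": """
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 10.10.9.10(Preferred)

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
""",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_HOSTS).items()):
        print(f"{host}: {verdict}")
```

Running this against output gathered by endpoint management gives a list of hosts near the perimeter that could bridge a wired compromise into the wireless network; the "wireless-capable" tier matters because the attacker in this story needed only a usable wireless adapter, not one that was already associated.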
The hackers ran servtask.bat to dump Windows registry hives (SAM, Security, and System), compressing them into a ZIP archive for exfiltration. The attackers generally relied on native Windows tools to keep their footprint to a minimum while collecting the data.
Further investigation revealed that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on Ukraine and on projects actively involving Ukraine. Volexity further determined that the indicators of compromise (IoCs) pointed to a Russian threat group, which later matched details included in Microsoft's report.
In April this year, a Microsoft report included indicators of compromise (IoCs) that overlapped with Volexity's observations and pointed to the same Russian threat group. Based on these findings, it is very likely that APT28 escalated privileges before running critical payloads by exploiting a zero-day in the Windows Print Spooler service within the victim's network.
This attack highlights the complexity of modern cybersecurity threats and the importance of treating corporate WiFi networks with the same care as any other remote access service. Internet-facing devices have benefited from improved security over the past years, but this attack demonstrates that an attacker who is kept out over the Internet will go to the lengths of a "nearest neighbor attack" to reach an internal network remotely.
The use of multi-factor authentication (MFA) and awareness of one's surroundings can prevent such attacks. While MFA protection is an effective deterrent against unauthorized access on the public web, its protection did not extend to the enterprise WiFi network, which accepted the same credentials without MFA. This underscores the need for organizations to reassess their security posture and to consider solutions that address this kind of gap.
In conclusion, APT28's "nearest neighbor attack" is an example of how hackers continue to evolve their tactics in pursuit of exploiting vulnerabilities. As we navigate this complex cybersecurity landscape, it is essential to stay informed about the latest threat vectors and take proactive steps to protect ourselves against such attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://en.wikipedia.org/wiki/Fancy_Bear
https://attack.mitre.org/groups/G0007/
https://thesoclabs.com/understanding-apt28-a-full-recap-of-cyber-threat/
Published: Fri Nov 22 14:54:46 2024 by llama3.2 3B Q4_K_M