Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Ghost in the Machine: Uncovering the Nearest Neighbor Attack


Discover how a Russian APT group used nearby Wi-Fi networks to breach multiple organizations in close proximity. Read the full investigation to learn more about the "Nearest Neighbor" attack technique and its implications for network security.

  • The "Nearest Neighbor" attack technique leverages nearby Wi-Fi networks to gain covert access to targeted organizations.
  • The attack exploits the weaker authentication typically applied to proximity-based access (Wi-Fi without MFA) and relies on living-off-the-land techniques to bypass security measures.
  • The investigation began when Volexity detected suspicious activity on a customer's network, which led to the discovery of a file being written and executed.
  • The intruder breached multiple organizations, including those with weak or missing multi-factor authentication (MFA) or unsecured Wi-Fi networks.
  • Organization C's refusal to provide access limited how far Volexity could take the investigation, but the findings up to that point still gave a clear picture of the attacker's operations.
  • The attack took an unexpected turn when the threat actor returned to Organization A's network over a month later, proxying through multiple internal systems.


In a shocking revelation, Volexity has uncovered a new attack technique employed by a Russian APT group known as GruesomeLarch. The attack, dubbed "Nearest Neighbor," involves leveraging nearby Wi-Fi networks to gain covert access to targeted organizations. This innovative tactic exploits the weaker authentication typically applied to proximity-based access and relies on living-off-the-land techniques to bypass security measures.

The investigation began when Volexity detected suspicious activity on the network of its customer, Organization A. The team identified a file named servtask.bat being written and executed, which exported sensitive registry hives and compressed them into a ZIP file. This finding prompted an immediate expansion of the deep dive into the system's EDR event history and the deployment of Volexity Surge Collect Pro to collect system memory (RAM) and key disk artifacts.

Further analysis revealed that the intruder had breached multiple organizations, including Organization B, which had two modes of access to its network. The first was with credentials allowing connection to its VPN, which was not protected by multi-factor authentication (MFA). The attacker also connected to Organization B's Wi-Fi from another nearby organization, "Organization C," without being detected.

Volexity identified Organization C through analysis of MAC addresses and SSID information. However, the team was unable to obtain the key data required to take the investigation further, as Organization C opted not to provide access. Nevertheless, this finding provided a full understanding of the attacker's operations and allowed Volexity to recommend mitigations and remediation instructions to Organization A.

The attack took an unexpected turn when the same threat actor returned to Organization A's network over a month later, proxying through multiple internal systems. The intruder used a system that was reachable from both the Wi-Fi network and the corporate wired network, setting up port-forwards with the Windows utility netsh that allowed them to reach target systems.

This report sheds light on the tactics, techniques, and procedures (TTPs) employed by GruesomeLarch during its Nearest Neighbor Attack. It highlights the importance of monitoring and alerting on anomalous use of certain utilities, creating custom detection rules for suspicious file execution, and hardening access requirements for Wi-Fi networks.
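As an added example (not Volexity's code or any detection content from the report), the following Python sketches the two detections the summary points to, run over constructed process-creation events: netsh portproxy forwarding between network segments, and export of credential-bearing registry hives of the kind servtask.bat collected. Hostnames, parent processes and command lines are constructed for illustration.

```python
"""Minimal detection rules for two living-off-the-land behaviours described above."""
import ntpath
from typing import Callable, Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WKS-01", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8080 "
                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.5.20"},
    {"host": "WKS-01", "parent": "cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\ProgramData\sam.save"},
    {"host": "WKS-02", "parent": "explorer.exe",
     "cmdline": "netsh wlan show interfaces"},            # benign netsh use
    {"host": "WKS-02", "parent": "cmd.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

SENSITIVE_HIVES = {"sam", "security", "system"}   # hives holding credential material

def _tool(tokens: List[str]) -> str:
    """Basename of the launched binary without .exe ('C:\\...\\netsh.exe' -> 'netsh')."""
    name = ntpath.basename(tokens[0].strip('"')) if tokens else ""
    return name[:-4] if name.endswith(".exe") else name

def netsh_portproxy_rule(cmdline: str) -> Optional[str]:
    """Flag 'netsh ... portproxy add ...', the port-forwarding primitive used to pivot.
    Caveat: netsh accepts abbreviated keywords ('int portp add'), so a production rule
    should prefix-match tokens or also alert on writes to the PortProxy registry key."""
    tokens = cmdline.lower().split()
    if _tool(tokens) == "netsh" and "portproxy" in tokens and "add" in tokens:
        return "netsh portproxy forward added: " + cmdline
    return None

def hive_export_rule(cmdline: str) -> Optional[str]:
    """Flag 'reg save|export' of the SAM, SECURITY or SYSTEM hives."""
    tokens = cmdline.lower().split()
    if _tool(tokens) == "reg" and len(tokens) >= 3 and tokens[1] in {"save", "export"}:
        parts = tokens[2].replace("hkey_local_machine", "hklm").split("\\")
        if len(parts) == 2 and parts[0] == "hklm" and parts[1] in SENSITIVE_HIVES:
            return f"registry hive {parts[1].upper()} exported: " + cmdline
    return None

RULES: List[Callable[[str], Optional[str]]] = [netsh_portproxy_rule, hive_export_rule]

def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev["cmdline"])
            if detail:
                alerts.append({"host": ev["host"], "rule": rule.__name__, "detail": detail})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["rule"], "->", alert["detail"])
```

Both rules key on the command line alone; correlating the netsh hit with the host being dual-homed (Wi-Fi and wired) would cut false positives further.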



    Related Information:

  • https://arstechnica.com/security/2024/11/spies-hack-wi-fi-networks-in-far-off-land-to-launch-attack-on-target-next-door/


Published: Sat Nov 23 02:23:35 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.