Hackers Breach US Firm Over Wi-Fi From Russia in ‘Nearest Neighbor Attack'
Summary:
Russian state-sponsored hackers APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy) executed a sophisticated breach of a U.S. company’s enterprise Wi-Fi network, leveraging an innovative technique termed the "nearest neighbor attack." Despite being thousands of miles away, the group used nearby organizations as stepping stones to infiltrate their target. The breach was discovered on February 4, 2022, by cybersecurity firm Volexity, which detected a server compromise at a client site in Washington, D.C., that was involved in Ukraine-related work. APT28, part of Russia's GRU military unit 26165, began by obtaining the target’s Wi-Fi credentials through password-spraying attacks on one of its public-facing services. However, multi-factor authentication protections prevented direct use of the stolen credentials over the internet. Recognizing that connecting to the enterprise Wi-Fi did not require MFA, the attackers sought to overcome the challenge of physical distance by identifying nearby organizations within Wi-Fi range of the target.
The hackers compromised nearby organizations and searched for dual-homed devices, such as laptops or routers with both wired and wireless connections. These devices allowed APT28 to bridge connections and gain access to the target’s Wi-Fi network. After daisy-chaining through multiple compromised entities, the attackers located a device that could connect to three wireless access points near the windows of the target’s conference room. Once connected, APT28 used a remote desktop protocol session with an unprivileged account to move laterally within the network. They focused on systems of interest and exfiltrated data while keeping a minimal footprint to avoid detection. The attackers executed a script to dump Windows registry hives, compressing them into ZIP files for exfiltration. They relied heavily on native Windows tools, a hallmark of advanced threat actors aiming to reduce their operational footprint.
Security Officer Comments:
Volexity attributed the attack to APT28, which it tracks under the alias "GruesomeLarch," and noted that the group was specifically targeting individuals with expertise in Ukraine-related projects. Later, Microsoft corroborated Volexity’s findings, citing overlaps in indicators of compromise (IoCs) and linking the campaign to APT28. Microsoft’s report also suggested that the hackers likely exploited a zero-day vulnerability in Windows Print Spooler (CVE-2022-38028) to escalate privileges and execute critical payloads.
Microsoft’s report on CVE-2022-38028:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/
Suggested Corrections:
To generally prevent or detect attacks similar to those discussed in this blog, Volexity recommends the following:
- Monitor and alert on anomalous use of the netsh and Cipher.exe utilities within your environment.
- Create custom detection rules to look for files executing from various non-standard locations, such as the root of C:\ProgramData\.
- Detect and identify exfiltration of data from Internet-facing services run in your environment.
- Create separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources.
- Consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.
- Monitor network traffic between devices to identify files being transferred via SMB that contain commonly exfiltrated data (credential data, ntds.dit, registry hives, etc.).
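The detection items above, as an added example that is not part of the Volexity or BleepingComputer write-ups: a small triage routine that applies the netsh/Cipher.exe, ProgramData-root execution, and hive-over-SMB checks to constructed Sysmon-style process events and SMB transfer records. Hostnames, addresses, file names and rule labels are invented for illustration.

```python
import ntpath

# Constructed sample telemetry (not from the incident): Sysmon-style
# process-creation events and SMB file-transfer records from a network sensor.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\netsh.exe", "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\cipher.exe", "user": r"CORP\jdoe"},
    {"image": r"C:/ProgramData/update.exe", "user": r"CORP\jdoe"},      # root of ProgramData
    {"image": r"C:\ProgramData\Vendor\agent.exe", "user": "SYSTEM"},    # vendor subfolder, normal
    {"image": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe"},
]
SMB_TRANSFERS = [
    {"src": "10.1.20.15", "dst": "10.1.20.7", "file": r"\\FS01\share\hives\SYSTEM"},
    {"src": "10.1.20.15", "dst": "10.1.20.7", "file": r"\\FS01\share\report.docx"},
    {"src": "10.1.20.33", "dst": "10.1.20.7", "file": r"\\DC01\c$\Windows\NTDS\ntds.dit"},
]

WATCHED_UTILITIES = {"netsh.exe", "cipher.exe"}
# Offline registry hive file names plus the AD database named in the recommendations.
HIVE_NAMES = {"sam", "system", "security", "software", "ntuser.dat", "ntds.dit"}
PROGRAMDATA_ROOT = r"c:\programdata"

def normalize(path):
    """Lower-case and normalise separators so path comparisons are exact."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def is_watched_utility(image):
    return ntpath.basename(normalize(image)) in WATCHED_UTILITIES

def runs_from_programdata_root(image):
    r"""True only for executables directly in C:\ProgramData\, not its subfolders."""
    return ntpath.dirname(normalize(image)) == PROGRAMDATA_ROOT

def is_hive_transfer(unc_path):
    return ntpath.basename(normalize(unc_path)) in HIVE_NAMES

def triage(process_events, smb_transfers):
    """Return (rule, detail) findings for each recommendation that fires."""
    findings = []
    for ev in process_events:
        if is_watched_utility(ev["image"]):
            findings.append(("watched-utility", f'{ev["user"]} ran {ev["image"]}'))
        if runs_from_programdata_root(ev["image"]):
            findings.append(("programdata-root-exec", ev["image"]))
    for tr in smb_transfers:
        if is_hive_transfer(tr["file"]):
            findings.append(("hive-over-smb", f'{tr["src"]} -> {tr["dst"]} {tr["file"]}'))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, SMB_TRANSFERS):
        print(f"[{rule}] {detail}")
```

Any hit on these rules is a lead for review, not proof of compromise: netsh and cipher.exe are legitimate administrative tools, so baseline which accounts and hosts normally run them before alerting.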
Link(s):
https://www.bleepingcomputer.com/ne...wi-fi-from-russia-in-nearest-neighbor-attack/
https://www.volexity.com/blog/2024/...ized-nearby-wi-fi-networks-for-covert-access/