Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’

Russian state-sponsored hackers known as APT28 (also referred to as Fancy Bear, Forest Blizzard, or Sofacy) successfully infiltrated a U.S. company via its enterprise WiFi network, employing an innovative method termed “nearest neighbor attack,” despite being located thousands of miles away. The attackers initially breached a nearby organization within the WiFi range, which enabled them to pivot to their primary target. This incident came to light on February 4, 2022, when cybersecurity firm Volexity identified a server compromise at a client site in Washington, DC, engaged in activities related to Ukraine. APT28 operates under Russia’s military unit 26165 within the General Staff Main Intelligence Directorate (GRU) and has been active in cyber operations since at least 2004.

The hackers, tracked by Volexity as GruesomeLarch, first obtained credentials for the target's enterprise WiFi network through password-spraying attacks against one of the victim's public-facing services. Multi-factor authentication (MFA) on that service, however, prevented them from using the credentials over the public internet. Connecting through the enterprise WiFi did not require MFA, but the attackers were thousands of miles away. They therefore set out to compromise organizations physically close enough to the target that a foothold there could reach the desired wireless network.

Their objective was to compromise another entity and search its network for dual-homed devices, those with both wired and wireless connectivity. Such devices, including laptops and routers, would let the hackers use the device's wireless adapter to connect to the target's enterprise WiFi. Volexity found that APT28 had compromised multiple organizations as part of this operation, daisy-chaining the connections using valid access credentials at each hop.

Ultimately, they found a device within range of three wireless access points located near the windows of a conference room at the victim. Using a Remote Desktop Protocol (RDP) connection from an unprivileged account, the threat actor then moved laterally across the target network, searching for systems of interest and exfiltrating data.

The attackers executed a batch script, servtask.bat, to extract the Windows registry hives (SAM, SECURITY, and SYSTEM), which together allow local account hashes and LSA secrets to be recovered offline, and then compressed them into a ZIP archive for exfiltration.

The attackers generally relied on native Windows tools to keep their footprint to a minimum while collecting the data.
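The hive extraction described above leaves a small but distinctive trace in process-creation telemetry, because the native way to copy a live hive is reg.exe (reg save / reg export) followed by a built-in archiver. The following is an added detection example, not code from the article, Volexity, or Microsoft: it runs over constructed process-creation records with fields modelled loosely on Sysmon Event ID 1 / Windows event 4688. The host names, users, paths and the assumption that reg.exe and Compress-Archive are the tools used are all illustrative; the article only states that native Windows tools were used.

```python
"""Flag extraction of the SAM/SECURITY/SYSTEM hives with native tools.

Added example, not the article's or Volexity's code. Event records are
constructed; the tools matched (reg.exe, Compress-Archive, tar, makecab)
are an assumption about what "native Windows tools" means in practice.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Credential hives: SAM + SYSTEM yield local account hashes, SECURITY +
# SYSTEM yield LSA secrets and cached domain credentials.
CREDENTIAL_HIVES = {"sam", "security", "system"}

# "reg save HKLM\SAM <path>" or "reg export HKLM\SYSTEM <path>" via reg.exe.
REG_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+\"?(?:hklm|hkey_local_machine)\\(sam|security|system)\b",
    re.IGNORECASE,
)
# Built-in archivers an actor might use to stage the hives for exfiltration.
ARCHIVER = re.compile(r"\b(?:compress-archive|tar(?:\.exe)?|makecab(?:\.exe)?)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch (constructed values below)
    host: str
    user: str
    parent: str    # parent process image name
    cmdline: str


def find_hive_dumps(events, window_s=900):
    """Group events by (host, user) and report each actor that saved at least
    one credential hive via reg.exe: which hives, which parent processes, and
    whether an archiver ran within window_s seconds of the first save."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev.host, ev.user)].append(ev)

    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        hives, parents, first_ts = set(), set(), None
        for ev in evs:
            m = REG_SAVE.search(ev.cmdline)
            if m:
                hives.add(m.group(1).lower())
                parents.add(ev.parent.lower())
                if first_ts is None:
                    first_ts = ev.ts
        if not hives:
            continue
        staged = any(
            ARCHIVER.search(ev.cmdline) and first_ts <= ev.ts <= first_ts + window_s
            for ev in evs
        )
        findings.append({
            "host": host,
            "user": user,
            "hives": sorted(hives),
            "parents": sorted(parents),
            "staged": staged,
            # All three hives plus staging is the full credential-theft pattern;
            # a lone export (e.g. an admin's manual backup) rates lower.
            "severity": "high" if hives == CREDENTIAL_HIVES and staged else "medium",
        })
    return findings


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    ProcEvent(1000, "WS-017", "CORP\\jdoe", "explorer.exe",
              r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"'),
    ProcEvent(1200, "FS-02", "CORP\\svc_backup", "backupagent.exe",
              r'reg.exe save "HKLM\Software\Vendor" C:\Backup\vendor.hiv'),
    ProcEvent(2000, "WS-042", "CORP\\msmith", "cmd.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent(2001, "WS-042", "CORP\\msmith", "cmd.exe", r"reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv"),
    ProcEvent(2002, "WS-042", "CORP\\msmith", "cmd.exe", r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"),
    ProcEvent(2030, "WS-042", "CORP\\msmith", "cmd.exe",
              r"powershell -c Compress-Archive -Path C:\Windows\Temp\*.hiv -DestinationPath C:\Windows\Temp\out.zip"),
    ProcEvent(5000, "WS-099", "CORP\\admin", "mmc.exe", r"reg export HKLM\SYSTEM C:\Users\admin\Desktop\system.reg"),
]

if __name__ == "__main__":
    for f in find_hive_dumps(SAMPLE_EVENTS):
        print(f)
```

Only the credential hives are matched, so the routine backup of HKLM\Software on FS-02 and the reg query on WS-017 produce nothing; WS-042 (all three hives from cmd.exe, then Compress-Archive) is rated high, and the single manual SYSTEM export on WS-099 is rated medium. Saving SAM or SECURITY requires backup or administrative privileges, so a medium finding from a non-admin account is itself worth a look.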

Because of complexities in the investigation, Volexity was initially unable to attribute the attack to a known actor. A Microsoft report published in April 2024, however, included indicators of compromise (IoCs) that overlapped with Volexity's observations and pointed to a Russian threat group.

Based on the details in the Microsoft report, APT28 likely exploited CVE-2022-38028, a privilege-escalation vulnerability in the Windows Print Spooler service, as a zero-day on the victim's network to elevate privileges before executing a critical payload.

APT28's Nearest Neighbor Attack shows that close-access operations, which traditionally require an operator physically near the target (for example, in a parking lot), can also be carried out remotely, eliminating the risk of the operator being physically identified or detected.

While internet-facing devices and services have become harder to attack in recent years thanks to MFA and other protections, enterprise WiFi networks should be treated with the same caution as any other remote access service.
