What is the 'nearest neighbor attack' by Russia's APT28 that remotely hijacks a laptop in the building opposite?
Security company Volexity has reported that it has detected a 'nearest neighbor' attack by
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access | Volexity
https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack'
https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
APT28 is a threat actor group believed to be associated with the Main Intelligence Directorate of the Russian General Staff (GRU), and has been known by code names such as 'Fancy Bear,' 'Strontium,' and 'Pawn Storm.' APT28 has previously been linked to hacking of the World Anti-Doping Agency (WADA) and the Democratic National Committee during the 2016 US presidential election.
FBI and NSA warn that Russian government hacker group 'Fancy Bear' is threatening national security with undiscovered Linux malware tool 'Drovorub' - GIGAZINE
According to Volexity, the attack by APT28 was discovered in February 2022 when it detected a server breach at the site of a 'government-related client' that was conducting work related to Ukraine.
The threat actors, tracked by Volexity under the codename 'GruesomeLarch,' first obtained credentials for the targeted company's Wi-Fi network through a password-spraying attack against the victim's public-facing services. Multi-factor authentication, however, prevented them from using those credentials on the public-facing services. Connecting over the company's Wi-Fi network did not require multi-factor authentication, but the attackers were overseas, thousands of kilometers from the targeted company, and therefore out of radio range.
So the threat actor began looking for organizations in nearby buildings that could serve as a stepping stone to the victim's wireless network. If a nearby organization had a dual-homed device, such as a laptop, with both a wired connection to that organization's network and a wireless adapter, the threat actor could compromise it and use its wireless adapter to connect to the victim's Wi-Fi network.
The investigation revealed that devices in the targeted organization were within range of three wireless access points located near a window in a conference room, and that the threat actor had compromised multiple nearby organizations in turn to reach them.
Once inside, the attackers used existing Windows tools to carry out their activities, a technique known as 'living off the land,' including using Cipher.exe to erase their tracks and VSSAdmin to steal the Active Directory database.
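Detection logic for the two living-off-the-land commands named above, written as an added example (not Volexity's or Microsoft's tooling) over constructed Sysmon-style process-creation events; it flags shadow-copy creation and free-space wiping, and escalates hosts where both occur:

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "ws-17", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\cipher.exe", "cmdline": "cipher.exe /w:C:\\"},
    {"host": "ws-02", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cipher.exe", "cmdline": "cipher.exe /e C:\\Users\\alice\\notes"},
    {"host": "dc-01", "user": "CORP\\bkpadmin",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# Each rule: name, expected image file name, predicate over lower-cased argument tokens.
RULES = [
    # vssadmin creating a shadow copy: the usual precursor to copying ntds.dit off a live volume.
    ("vssadmin_shadow_create", "vssadmin.exe",
     lambda args: "create" in args and "shadow" in args),
    # cipher.exe /w:<drive> overwrites free space, destroying remnants of deleted files.
    ("cipher_wipe_free_space", "cipher.exe",
     lambda args: any(a.startswith("/w:") for a in args)),
]

def detect(events):
    """Return one finding per event that matches a rule, in input order."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        args = [a.lower() for a in ev["cmdline"].split()[1:]]
        for name, binary, pred in RULES:
            if image == binary and pred(args):
                hits.append({"rule": name, "host": ev["host"],
                             "user": ev["user"], "cmdline": ev["cmdline"]})
    return hits

def hosts_with_both(hits):
    """Hosts where both shadow-copy creation and free-space wiping fired:
    collection plus anti-forensics on one machine is the combination worth escalating."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return {host for host, rules in seen.items()
            if {"vssadmin_shadow_create", "cipher_wipe_free_space"} <= rules}

if __name__ == "__main__":
    findings = detect(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmdline']}")
    print("escalate:", sorted(hosts_with_both(findings)))
```

Legitimate backup accounts also run vssadmin, so the per-event findings are triage material; the per-host combination is the higher-confidence signal.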
According to Volexity, it was difficult to attribute the attack at the time because the attacker could not be identified from the tools used or the IP addresses. However, in March 2024, Microsoft published a research report on APT28, which revealed information about an attack tool called 'GooseEgg' used by the threat actor group.
GooseEgg exploited CVE-2022-38028, a privilege escalation vulnerability in the Windows print spooler. Because the file names, folder paths, and commands in the bat files reported by Microsoft were identical to those observed by Volexity, Volexity concluded that the series of attacks was the work of APT28.
Nearest neighbor attacks are unique in that they eliminate the risk of attackers being physically identified or detained, allowing attackers to safely operate from thousands of kilometers away while still enjoying the benefits of physical proximity. Volexity warns that sophisticated threat actors will go to extreme measures to achieve their cyber attack objectives.
They also point out that organizations need to think more carefully about the operational security risks posed by Wi-Fi networks. In recent years, measures have been taken to reduce the attack surface of Internet-facing services by introducing multi-factor authentication and reducing the number of exposed services. However, the same level of attention is often not paid to Wi-Fi networks, Volexity warns. It is time to treat access to corporate Wi-Fi networks with the same care and consideration as other remote access services such as VPNs.
in Security, Posted by log1i_yk