Security firm Volexity has reported an attack by APT28, a threat actor group linked to the Russian military, that it calls the "Nearest Neighbor Attack". As the name suggests, the attacker remotely took over laptops and other devices located in buildings near the target organization and then used them to gain unauthorized access to the target over its Wi-Fi network.
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access | Volexity
https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’
https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
APT28 is a threat actor group believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), and is also tracked under names such as "Fancy Bear," "Strontium," and "Pawn Storm." APT28 is said to have been involved in the hacking of the World Anti-Doping Agency (WADA) and of the Democratic National Committee during the 2016 US presidential election.
FBI/NSA warn that Russian government hacker group ‘Fancy Bear’ threatens national security with undiscovered Linux malware tool ‘Drovorub’ – GIGAZINE
According to Volexity, the attack by APT28 was discovered in February 2022, when a server compromise was detected at a customer described as a government-related organization doing work related to Ukraine.
The threat actor, which Volexity tracks under the codename "GruesomeLarch", first ran password-spraying attacks against the victim's public-facing services and obtained valid credentials. However, those public-facing services were protected by multi-factor authentication, so the credentials could not be used to log in from the Internet. Joining the company's Wi-Fi network, on the other hand, required no MFA, only a valid password. The problem for the attacker was that they were overseas, thousands of kilometers away from the target.
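As an added example (not Volexity's code and not from the original article), the following Python sketch shows what a defender could run over authentication logs to catch the pattern described above: a password spray against an Internet-facing service that is stopped by MFA, followed by a successful logon to the corporate Wi-Fi with one of the sprayed accounts. The log events, the service names ("owa" for an MFA-protected web mail front end, "wifi" for 802.1X/PEAP on the corporate WLAN), the IP addresses and the account names are all constructed for illustration.

```python
"""Password-spray detection with Wi-Fi reuse correlation (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, service, source, user, result).
# "owa"  = Internet-facing service behind MFA (assumed name).
# "wifi" = corporate WLAN, password-only authentication (assumed name).
# Result "mfa_required" means the password was correct but the second factor
# was missing, i.e. the attacker now holds a confirmed-good credential.
SAMPLE_EVENTS = [
    ("2022-02-01T02:00:01", "owa",  "203.0.113.7",   "alice", "fail"),
    ("2022-02-01T02:00:04", "owa",  "203.0.113.7",   "bob",   "fail"),
    ("2022-02-01T02:00:09", "owa",  "203.0.113.7",   "carol", "fail"),
    ("2022-02-01T02:00:15", "owa",  "203.0.113.7",   "dave",  "fail"),
    ("2022-02-01T02:00:20", "owa",  "203.0.113.7",   "erin",  "fail"),
    ("2022-02-01T02:00:25", "owa",  "203.0.113.7",   "frank", "mfa_required"),
    ("2022-02-01T09:10:00", "owa",  "198.51.100.20", "alice", "success"),  # normal MFA logon
    ("2022-02-03T23:41:12", "wifi", "ap-confroom-2", "frank", "success"),  # sprayed account joins Wi-Fi
    ("2022-02-03T08:15:00", "wifi", "ap-floor3-1",   "alice", "success"),
]

SPRAY_RESULTS = {"fail", "mfa_required"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: {"accounts", "confirmed", "start"}} for every source that
    produced non-success logons for at least `min_accounts` distinct accounts
    inside `window`. One attempt per account from one source is the classic
    spray shape; per-account lockout counters never trip on it."""
    by_src = defaultdict(list)
    for ts, service, src, user, result in events:
        if service != "wifi" and result in SPRAY_RESULTS:
            by_src[src].append((parse_ts(ts), user, result))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in win}
            if len(users) >= min_accounts:
                hits[src] = {
                    "accounts": users,
                    "confirmed": {u for _, u, r in win if r == "mfa_required"},
                    "start": t0,
                }
                break
    return hits


def correlate_wifi_reuse(events, spray_hits):
    """Flag successful Wi-Fi logons by accounts that were targeted by a spray
    and that happen after the spray started. Accounts whose password was
    confirmed good (MFA was the only thing that stopped the spray) are the
    ones to treat as compromised."""
    alerts = []
    for ts, service, src, user, result in events:
        if service != "wifi" or result != "success":
            continue
        t = parse_ts(ts)
        for spray_src, hit in spray_hits.items():
            if user in hit["accounts"] and t > hit["start"]:
                alerts.append({
                    "user": user, "ap": src, "time": ts, "spray_source": spray_src,
                    "password_confirmed": user in hit["confirmed"],
                })
    return alerts


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    for src, h in hits.items():
        print(f"spray from {src}: {len(h['accounts'])} accounts, "
              f"password confirmed for {sorted(h['confirmed'])}")
    for a in correlate_wifi_reuse(SAMPLE_EVENTS, hits):
        print("Wi-Fi logon by sprayed account:", a)
```

The correlation only works if Wi-Fi authentications (RADIUS/NPS logs) are shipped to the same place as the Internet-facing logon events; in the case described in the article, MFA on the public services did its job, but nothing tied the spray to the later Wi-Fi logon with the same credential.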
The threat actor therefore began looking for organizations in nearby buildings whose networks might be within range of the target's wireless network. If such an organization has devices, such as laptops, that are connected to its wired network but also have a wireless adapter, an attacker who compromises one of them can use its wireless adapter to connect to the target's Wi-Fi network.
Investigation showed that devices within range of three wireless access points, located near the windows of a conference room in the target organization, were available to the attacker. By successively compromising several neighboring organizations and daisy-chaining their Wi-Fi connections, the attacker finally reached the target organization. This technique gave the attacker the benefits of an attack that normally requires physical proximity while allowing the operation to be carried out safely from a remote location.
After the intrusion, the attackers relied on "living off the land", using built-in Windows tools rather than custom malware: Cipher.exe to erase traces of their activity, and VSSAdmin to create volume shadow copies from which the Active Directory database could be stolen.
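As an added example that is not from the article or from Volexity, here is a small Python rule set over process-creation command lines (the kind of data Windows event 4688 or Sysmon event 1 provides) that flags the living-off-the-land sequence described above: a shadow copy created with vssadmin, the Active Directory database (NTDS.dit) copied out of it, and cipher.exe /w used afterwards to wipe free space. The sample events, host names and file paths are constructed; the "create shadow" verb for vssadmin and the /w: switch for cipher.exe are the real ones.

```python
"""Living-off-the-land detection over process command lines (added example, constructed data)."""
import re
from datetime import datetime, timedelta

# Constructed sample events: (host, timestamp, parent image, command line).
SAMPLE_PROCS = [
    ("DC01", "2022-02-10T01:12:03", "cmd.exe", r"vssadmin.exe create shadow /for=C:"),
    ("DC01", "2022-02-10T01:12:40", "cmd.exe",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dat"),
    ("DC01", "2022-02-10T01:13:05", "cmd.exe", r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\s.dat"),
    ("DC01", "2022-02-10T01:40:00", "cmd.exe", r"cipher.exe /w:C:\Windows\Temp"),
    ("WS07", "2022-02-10T09:00:00", "svchost.exe", r"vssadmin.exe list shadows"),        # backup agent, benign
    ("WS07", "2022-02-10T09:05:00", "explorer.exe", r"cipher.exe /e C:\Users\alice\Docs"),  # EFS encrypt, benign
]

# (name, pattern, weight). Weights are an assumption for this example.
RULES = [
    ("vss_create",       re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I), 3),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I), 5),
    ("system_hive_save", re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM", re.I), 3),
    ("cipher_wipe",      re.compile(r"cipher(\.exe)?\s+/w:", re.I), 4),
]

# Seeing all three on one host inside the window is the NTDS theft + cleanup chain.
CRITICAL_CHAIN = {"vss_create", "ntds_from_shadow", "cipher_wipe"}


def match_rules(cmdline):
    """Names of all rules whose pattern matches the command line."""
    return [name for name, pat, _ in RULES if pat.search(cmdline)]


def score_hosts(events, window=timedelta(hours=2)):
    """Aggregate rule hits per host. Returns {host: {"score", "hits", "critical"}}
    for hosts with at least one hit; "critical" is set when the full chain
    (shadow copy, NTDS copy, free-space wipe) occurs within `window`."""
    weights = {name: w for name, _, w in RULES}
    per_host = {}
    for host, ts, parent, cmdline in events:
        for name in match_rules(cmdline):
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), name, parent, cmdline))
    result = {}
    for host, hits in per_host.items():
        hits.sort()
        names = {n for _, n, _, _ in hits}
        span = hits[-1][0] - hits[0][0]
        result[host] = {
            "score": sum(weights[n] for _, n, _, _ in hits),
            "hits": [(t.isoformat(), n, c) for t, n, _, c in hits],
            "critical": CRITICAL_CHAIN <= names and span <= window,
        }
    return result


if __name__ == "__main__":
    for host, r in score_hosts(SAMPLE_PROCS).items():
        flag = "CRITICAL" if r["critical"] else "suspicious"
        print(f"{host}: {flag} (score {r['score']})")
        for t, name, cmd in r["hits"]:
            print(f"  {t} {name:17} {cmd}")
```

Both vssadmin and cipher.exe have plenty of legitimate uses (backup agents, EFS), so the individual rules are scored rather than alerted on; the chain on one host, especially a domain controller, is what should page someone. Because cipher /w overwrites free space, the shadow copy and the staged files may be unrecoverable by the time the alert is looked at, which is why the process-creation telemetry itself needs to be forwarded off the host.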
According to Volexity, attribution was difficult at the time, because neither the tools nor the IP addresses used pointed to a known actor. In April 2024, however, Microsoft published a research report on APT28 that disclosed details of an attack tool called "GooseEgg" used by the group.
GooseEgg is a tool that exploits CVE-2022-38028, a privilege escalation vulnerability in the Windows Print Spooler service. Because the file names, folder paths, and commands in the batch file described in Microsoft's report matched those Volexity had observed, Volexity concluded that the series of attacks was carried out by APT28.
Nearest Neighbor attacks are unusual in that they give the attacker the benefits of physical proximity while removing the risk of being physically identified or detained, since the operation is run from thousands of kilometers away. Volexity cautions that sophisticated threat actors will go to extreme lengths to achieve their goals.
Volexity also points out the need to think more carefully about the operational security risks posed by Wi-Fi networks. In recent years, organizations have narrowed the attack surface of their Internet-facing services by introducing multi-factor authentication and reducing the number of exposed services, but Wi-Fi networks often do not receive the same attention. Volexity warns that the time has come to treat access to corporate Wi-Fi networks with the same care as other remote access services such as VPNs.