Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise WiFi network from thousands of miles away, by leveraging a novel technique called the “nearest neighbor attack.”
The threat actor pivoted to the target after first compromising an organization in a nearby building within the WiFi range.
The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukrainian-related work.
APT28 is part of Russia’s military unit 26165 in the General Staff Main Intelligence Directorate (GRU) and has been conducting cyber operations since at least 2004.
The hackers, whom Volexity tracks as GruesomeLarch, first obtained credentials for the target’s enterprise WiFi network through password-spraying attacks against one of the victim’s public-facing services.
However, the presence of multi-factor authentication (MFA) protection prevented the use of the credentials over the public web. Although connecting through the enterprise WiFi did not require MFA, being “thousands of miles away and an ocean apart from the victim” was a problem.
So the hackers became creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network.
The idea was to compromise another organization and look on its network for dual-home devices, which have both a wired and a wireless connection. Such a device (e.g. laptop, router) would allow the hackers to use its wireless adapter and connect to the target’s enterprise WiFi.
Volexity found that APT28 compromised multiple organizations as part of this attack, daisy-chaining their connections using valid access credentials. Ultimately, they found a device within range that could connect to three wireless access points near the windows of the victim’s conference room.
Using Remote Desktop Protocol (RDP) connections from an unprivileged account, the threat actor was able to move laterally on the target network, searching for systems of interest and exfiltrating data.
The hackers ran servtask.bat to dump Windows registry hives (SAM, Security, and System), compressing them into a ZIP archive for exfiltration.
The attackers generally relied on native Windows tools to keep their footprint to a minimum while collecting the data.
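The sequence described above (an RDP session from an unprivileged account, registry hive exports using native Windows tools, and an archive built for exfiltration) is a pattern a defender can correlate in Windows Security event logs. The script below is an added example and is not part of the BleepingComputer article or Volexity’s report: the event records are constructed, the field names are a simplified form of the 4624 (logon) and 4688 (process creation) events, and the use of reg.exe and Compress-Archive is assumed for illustration (the article names only servtask.bat). The privileged-account list is likewise a placeholder that would normally come from directory group membership.

```python
"""Correlate RDP logons with subsequent SAM/SECURITY/SYSTEM hive exports.

Added detection example (not from the article). Event records are
constructed; field names are a simplified 4624/4688 schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4624 = logon, 4688 = process creation.
# Logon type 10 = RemoteInteractive (RDP); type 2 = console logon.
SAMPLE_EVENTS = [
    {"time": "2022-02-04T02:10:00", "id": 4624, "host": "WS-17", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.20.30.40"},
    {"time": "2022-02-04T02:12:15", "id": 4688, "host": "WS-17", "user": "jdoe",
     "cmdline": r"cmd.exe /c C:\Users\jdoe\servtask.bat"},
    {"time": "2022-02-04T02:12:16", "id": 4688, "host": "WS-17", "user": "jdoe",
     "cmdline": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.save"},
    {"time": "2022-02-04T02:12:17", "id": 4688, "host": "WS-17", "user": "jdoe",
     "cmdline": r"reg.exe save HKLM\SECURITY C:\Windows\Temp\security.save"},
    {"time": "2022-02-04T02:12:18", "id": 4688, "host": "WS-17", "user": "jdoe",
     "cmdline": r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\system.save"},
    {"time": "2022-02-04T02:12:40", "id": 4688, "host": "WS-17", "user": "jdoe",
     "cmdline": r"powershell.exe Compress-Archive -Path C:\Windows\Temp\*.save "
                r"-DestinationPath C:\Windows\Temp\out.zip"},
    # Benign: an administrator exporting one hive from the console, not over RDP.
    {"time": "2022-02-04T09:00:00", "id": 4624, "host": "SRV-01", "user": "backupadmin",
     "logon_type": 2, "src_ip": "-"},
    {"time": "2022-02-04T09:01:00", "id": 4688, "host": "SRV-01", "user": "backupadmin",
     "cmdline": r"reg.exe save HKLM\SYSTEM D:\backup\system.save"},
]

HIVE_RE = re.compile(r"HKLM\\(SAM|SECURITY|SYSTEM)\b", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"(compress-archive|\.zip\b|makecab|tar\.exe)", re.IGNORECASE)
RDP_LOGON_TYPE = 10
WINDOW = timedelta(hours=1)
PRIVILEGED_ACCOUNTS = {"backupadmin"}  # placeholder; source from AD groups in practice


def _ts(s):
    return datetime.fromisoformat(s)


def find_hive_dumps_after_rdp(events, window=WINDOW):
    """Return one alert per (host, user) where a 4624/type-10 logon is followed,
    within `window`, by 4688 events that export credential hives or run servtask.bat."""
    events = sorted(events, key=lambda e: e["time"])
    last_rdp = {}  # (host, user) -> time of most recent RDP logon
    findings = defaultdict(lambda: {"hives": set(), "archived": False, "script": None})
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[key] = _ts(ev["time"])
        elif ev["id"] == 4688 and key in last_rdp:
            if _ts(ev["time"]) - last_rdp[key] > window:
                continue  # too long after the logon to attribute to that session
            cmd = ev.get("cmdline", "")
            f = findings[key]
            m = HIVE_RE.search(cmd)
            if m and "save" in cmd.lower():
                f["hives"].add(m.group(1).upper())
            if ARCHIVE_RE.search(cmd):
                f["archived"] = True
            if "servtask.bat" in cmd.lower():
                f["script"] = "servtask.bat"
    alerts = []
    for (host, user), f in findings.items():
        if not f["hives"] and not f["script"]:
            continue
        alerts.append({
            "host": host,
            "user": user,
            "hives": sorted(f["hives"]),
            "archived": f["archived"],
            "script": f["script"],
            # Hive exports by a non-privileged account over RDP are the strongest signal.
            "severity": "high" if user not in PRIVILEGED_ACCOUNTS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dumps_after_rdp(SAMPLE_EVENTS):
        print(alert)
```

The console export by `backupadmin` produces no alert because it is not preceded by an RDP logon; the `jdoe` session is flagged with all three hives, the archive step and the batch script. In a real deployment the same correlation would run over 4624/4688 records pulled from a SIEM, with the privileged-account set and the time window tuned to the environment.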
“Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on and projects actively involving Ukraine” – Volexity
Multiple complexities in the investigation prevented Volexity from attributing this attack to any known threat actors. But a Microsoft report in April this year made it clear as it included indicators of compromise (IoCs) that overlapped with Volexity’s observations and pointed to the Russian threat group.
Based on details in Microsoft’s report, it’s very likely that APT28 was able to escalate privileges before running critical payloads by exploiting CVE-2022-38028, a vulnerability in the Windows Print Spooler service, as a zero-day within the victim’s network.
APT28’s “nearest neighbor attack” shows that a close-access operation, which typically requires proximity to the target (e.g. a parking lot), can also be conducted from afar, eliminating the risk of being physically identified or caught.
While internet-facing devices have benefited from improved security over the past years through MFA and other types of protections, corporate WiFi networks need to be treated with the same care as any other remote access service.
Source: www.bleepingcomputer.com