A hacking group sponsored by the Russian government, GruesomeLarch (also known as APT28 or Fancy Bear), has showcased an advanced new attack method named the “Nearest Neighbor Attack.” This technique enables remote hackers to infiltrate organizations by leveraging Wi-Fi networks of nearby businesses.
Through this innovative method, hackers managed to breach the network of an organization from a considerable distance without using malware, exploiting Wi-Fi networks of neighboring businesses in the process.
Uncovered by cybersecurity company Volexity in February 2022, just prior to the Russian invasion of Ukraine, the attack demonstrated how hackers located thousands of miles away could illicitly access their target’s network without physically being present.
Nearest Neighbor Attack
The attack occurred in early February 2022, before the Russian invasion of Ukraine, targeting an unspecified organization known as “Organization A” with specific expertise and projects related to Ukraine. In their approach, the hackers employed a series of steps to gain entry into the target’s network:
- Password spraying: Initially, the attackers compromised user credentials through password spraying attacks on Organization A’s publicly accessible services.
- Wi-Fi exploitation: Unable to circumvent multi-factor authentication (MFA) on internet-based services, the hackers shifted their focus to the organization’s Enterprise Wi-Fi network, demanding only a username and password for access.
- Daisy-chaining: To establish a connection with Organization A’s Wi-Fi remotely, the attackers infiltrated systems in nearby structures, seeking out dual-homed computers with wired and wireless connections.
- Lateral movement: Once inside the network, the hackers utilized living-off-the-land methods, leveraging inherent Windows tools to avoid detection.
The investigation unveiled that GruesomeLarch had successfully breached multiple organizations in close proximity to their main target, enabling them to link to Organization A’s Enterprise Wi-Fi network from a compromised system in a nearby building.
Throughout the investigation, Volexity’s team faced numerous challenges, such as the attackers’ utilization of anti-forensic techniques. The hackers made use of the Windows Cipher.exe utility to cover their tracks, complicating the process of secure file recovery.
The breach was ultimately traced back to an organization (“Organization B”) situated across the street from the primary target. Further examination revealed a third compromised entity (“Organization C”), underscoring the attackers’ persistence in creating daisy-chain connections to achieve their end goal.
In a final bid to regain entry, the hackers exploited a vulnerability in Organization A’s Guest Wi-Fi network, which was insufficiently isolated from the corporate wired network. This exploit enabled them to pivot back into the main network, accessing valuable data in the process.
The responsibility for the attack was assigned to GruesomeLarch based on their use of a post-compromise tool named GooseEgg, aligning with the description provided in a Microsoft report from April 2024.
This incident underscores the evolving landscape of cyber threats and emphasizes the importance for organizations to reassess their Wi-Fi security protocols. Volexity suggests implementing multi-factor authentication for Wi-Fi access, establishing separate networking environments for Wi-Fi and Ethernet connections, and monitoring for abnormal use of inherent Windows utilities.
The Nearest Neighbor Attack signifies a fresh breed of cyber threats, blending the advantages of close physical proximity with the capability to operate effectively from a great distance. As organizations fortify their defenses against internet-based threats, attackers are devising innovative ways to exploit overlooked vulnerabilities within Wi-Fi networks and associated systems.
The post Nearest Neighbor Attack: Hackers Breach Organizations via Wi-Fi from Russia appeared first on Cyber Security News.