A sophisticated cyber-espionage attack used by the notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close physical proximity to it.
Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.
"The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."
The hack demonstrated "a new class of attack," in which an attacker that far from the intended target can still use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear, part of Russia's General Staff Main Intelligence Directorate (GRU) that has been an active adversary for at least 20 years, as "GruesomeLarch," one of the APT's many names.
Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.
A Cyberattack Chained Through Multiple Orgs
The attack involved Fancy Bear performing password-spraying attacks to obtain valid credentials and compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker needed the Wi-Fi route because valid credentials alone could not compromise the targeted organization's network: its Internet-facing remote-access services required multifactor authentication (MFA), according to Volexity.
"However, the Wi-Fi network was not protected by MFA, meaning that proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.
Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.
During the course of a lengthy investigation, Volexity worked not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached in order to eventually reach the target.
Ultimately, Volexity discovered that the attacker breached Organization A by using privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system inside Organization B's network.
"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless adapter, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."
Moreover, the APT used two modes of access to Organization B's network to reach the ultimate target, the researchers discovered. The first was credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.
Throughout the attack, Fancy Bear followed a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool they made particular use of was a built-in Windows utility, Cipher.exe, which ships with every modern version of Windows; its /w switch overwrites free disk space, which makes it a convenient anti-forensic wiper for previously deleted files.
Beware Thy (Wi-Fi) Neighbors
Because the attack highlights a new risk of compromise via Wi-Fi even when an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention as other remote access services, such as virtual private networks (VPNs)," the researchers observed.
Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow access to sensitive resources. They should also consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions (for example, 802.1X with EAP-TLS, so that a sprayed or leaked password alone is not enough to join the network).
To detect a similar attack once the threat actor has established a presence on the network, organizations should consider monitoring and alerting on anomalous use of the common netsh and Cipher.exe utilities. Defenders can also create custom detection rules to look for files executing from nonstandard locations, such as the root of C:\ProgramData, and improve detection of data exfiltration from Internet-facing services running in the environment.
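The following is an added example, not code from Volexity or from the original article, showing what the detection advice above looks like when run over process-creation telemetry. It covers the three behaviours the article names (anomalous netsh use, Cipher.exe free-space wiping, and executables launched from the root of C:\ProgramData) and also the Wi-Fi reconnaissance step from the dual-homed host described earlier, on the assumption that a PowerShell scan of nearby networks surfaces in telemetry as `netsh wlan show networks` or `netsh wlan connect`. The events are constructed Sysmon-style process-creation records; the hostnames, usernames and SSID are invented for the example.

```python
"""Toy detection pass over constructed Sysmon-style process-creation events.
Added example; the rules and sample events are illustrative, not Volexity's."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Common binaries (real paths on a default Windows install).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NETSH = r"C:\Windows\System32\netsh.exe"
CIPHER = r"C:\Windows\System32\cipher.exe"

# Constructed sample events mimicking Sysmon Event ID 1 (process creation).
# Hosts, users and the SSID are invented; this is not telemetry from the case.
SAMPLE_EVENTS: List[Event] = [
    # dual-homed host enumerating Wi-Fi in range, then joining a neighbour's SSID
    {"host": "WS-B-17", "user": "ORGB\\svc_backup", "parent": PS, "image": NETSH,
     "cmdline": "netsh wlan show networks mode=bssid"},
    {"host": "WS-B-17", "user": "ORGB\\svc_backup", "parent": PS, "image": NETSH,
     "cmdline": 'netsh wlan connect ssid="OrgA-Corp" name="OrgA-Corp"'},
    # free-space wipe to frustrate forensic recovery of deleted tooling
    {"host": "WS-B-17", "user": "ORGB\\svc_backup", "parent": CMD, "image": CIPHER,
     "cmdline": "cipher.exe /w:C:\\"},
    # payload dropped directly in the root of ProgramData
    {"host": "WS-A-03", "user": "ORGA\\jdoe", "parent": CMD,
     "image": r"C:\ProgramData\svchost.exe", "cmdline": r"C:\ProgramData\svchost.exe"},
    # benign noise: helpdesk listing interfaces, a vendor agent in its own
    # ProgramData subfolder, and a user enabling EFS on a folder (no /w)
    {"host": "IT-ADMIN-01", "user": "ORGA\\helpdesk", "parent": CMD, "image": NETSH,
     "cmdline": "netsh interface show interface"},
    {"host": "WS-A-09", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\Vendor\Agent\agent.exe",
     "cmdline": r"C:\ProgramData\Vendor\Agent\agent.exe -svc"},
    {"host": "WS-A-09", "user": "ORGA\\bob", "parent": CMD, "image": CIPHER,
     "cmdline": r"cipher /e C:\Users\bob\Private"},
]

# netsh wlan sub-commands that enumerate or join wireless networks
WLAN_RECON = re.compile(
    r"\bnetsh(?:\.exe)?\s+wlan\s+(?:show\s+(?:networks|profiles?)|connect)\b", re.I)
# cipher.exe invoked with /w (overwrite free space); /e, /d etc. are left alone
CIPHER_WIPE = re.compile(r"\bcipher(?:\.exe)?\b.*\s/w(?::|\b)", re.I)
# executable sitting directly in <drive>:\ProgramData, not in a subfolder
PROGRAMDATA_ROOT = re.compile(
    r"^[A-Za-z]:\\ProgramData\\[^\\]+\.(?:exe|dll|ps1|bat|cmd|vbs|js)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule a single event trips (empty if benign)."""
    hits: List[str] = []
    image, cmd = basename(event["image"]), event.get("cmdline", "")
    if image == "netsh.exe" and WLAN_RECON.search(cmd):
        hits.append("wlan_recon_or_connect")
    if image == "cipher.exe" and CIPHER_WIPE.search(cmd):
        hits.append("cipher_free_space_wipe")
    if PROGRAMDATA_ROOT.match(event["image"]):
        hits.append("exec_from_programdata_root")
    return hits


def run(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, cmdline) for every event/rule pair that fires."""
    return [(e["host"], rule, e["cmdline"]) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for host, rule, cmd in run(SAMPLE_EVENTS):
        print(f"{host:12} {rule:28} {cmd}")
```

On the sample set this fires four times, all on the two "attacker" hosts, and stays silent on the helpdesk netsh call, the vendor agent nested under its own ProgramData subfolder, and the EFS `cipher /e` use. In production the same logic belongs in a Sigma rule or SIEM query over Sysmon ID 1 or Security event 4688 with command-line auditing enabled; the third rule is only useful if the root of ProgramData is genuinely unused by approved software in your estate, so baseline it first.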