A classy cyber-espionage assault utilized by infamous Russian superior persistent menace (APT) Fancy Bear on the outset of the present Russia-Ukraine battle demonstrates a novel assault vector {that a} menace actor can use to remotely infiltrate the community of a corporation far-off by compromising a Wi-Fi community in shut proximity to it.
Fancy Bear (aka APT28 or Forest Blizzard) breached the community of a US group utilizing this methodology, which the researchers at Volexity are calling a “Nearest Neighbor” assault.
“The menace actor completed this by daisy-chaining their strategy, to compromise a number of organizations in shut proximity to their supposed goal, Group A,” Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a publish detailing the assault. “This was performed by a menace actor who was 1000’s of miles away and an ocean other than the sufferer.”
The hack demonstrated “a brand new class of assault” for an attacker so far-off from the supposed goal to make use of the Wi-Fi methodology, the researchers stated. Volexity tracks Fancy Bear — part of Russia’s Basic Workers Important Intelligence Directorate (GRU) that is been an energetic adversary for a minimum of 20 years — as “GruesomeLarch,” one of many APT’s many names.
Volexity first found the assault simply forward of Russia’s invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a buyer website indicated a compromised server. Finally, the researchers would decide that Fancy Bear was utilizing the assault “to gather knowledge from people with experience on and tasks actively involving Ukraine” from the Washington, DC-based group.
A Cyberattack Chained By A number of Orgs
The assault concerned Fancy Bear performing credential-stuffing assaults to compromise a minimum of two Wi-Fi networks in shut bodily proximity to the goal. The attacker then used credentials to compromise the group, since credential-stuffing assaults alone could not compromise the focused group’s community as a result of using multifactor authentication (MFA), based on Volexity.
“Nonetheless, the Wi-Fi community was not protected by MFA, that means proximity to the goal community and legitimate credentials have been the one necessities to attach,” the researchers wrote.
Finally, the investigation revealed “the lengths a inventive, resourceful, and motivated menace actor is prepared to go to in an effort to obtain their cyber-espionage aims,” they wrote.
Through the course of a prolonged investigation, Volexity labored with not solely with the focused group but additionally related with two different organizations (aka Organizations B and C) that have been breached to ultimately attain the goal.
Finally, Volexity found an assault construction to breach Group A that used privileged credentials to hook up with it through the Distant Desktop Protocol (RDP) from one other system inside Group B’s community.
“This technique was dual-homed and related to the Web through wired Ethernet, however it additionally had a Wi-Fi community adapter that may very well be used on the similar time,” the researchers defined of their publish. “The attacker discovered this technique and used a customized PowerShell script to look at the out there networks inside vary of its wi-fi, after which related to Group A’s enterprise Wi-Fi utilizing credentials they’d compromised.”
Furthermore, the APT additionally used two modes to entry to Group B’s community to achieve intrusion to the final word goal, the researchers found. The primary was utilizing credentials obtained through password-spraying that allowed them to hook up with the group’s VPN, which was not protected with MFA. Volexity additionally discovered proof the attacker had been connecting to Group B’s Wi-Fi from one other community that belonged to close by Group C, demonstrating the daisy-chain strategy to the assault, the researchers wrote.
All through the assault, Fancy Bear adopted a living-off-the-land strategy, leveraging commonplace Microsoft protocols and transferring laterally all through the group. One instrument particularly that they made specific use of was an inbuilt Home windows instrument, Cipher.exe, that ships with each trendy model of Home windows, the researchers discovered.
Beware Thy (Wi-Fi) Neighbors
As a result of the assault highlights a brand new threat for organizations of compromise by means of Wi-Fi even when an attacker is way away, defenders “want to position further concerns on the dangers that Wi-Fi networks might pose to their operational safety,” treating them “with the identical care and a spotlight that different distant entry companies, comparable to digital non-public networks (VPNs),” the researchers noticed.
Suggestions for organizations to keep away from such an assault embrace creating separate networking environments for Wi-Fi and Ethernet-wired networks, significantly the place Ethernet-based networks enable for entry to delicate assets. In addition they ought to take into account hardening entry necessities for Wi-Fi networks, comparable to making use of MFA necessities for authentication or certificate-based options.
To detect the same assault as soon as the menace actor achieves presence on the community, organizations ought to take into account monitoring and putting an alert on anomalous use of the widespread netsh and Cipher.exe utilities. Defenders can also create customized detection guidelines to search for information executing from varied nonstandard places, comparable to the foundation of C:ProgramData, and enhance detection of knowledge exfiltration from Web-facing companies operating in an setting.
