Volexity’s disclosure of the Nearest Neighbor Attack introduced a new tactic used by a prolific advanced persistent threat group, Russia-linked APT 28, that put a new spotlight on the security of Wi-Fi, and the risk to users and devices connected to those networks.
On this episode of the Nexus Podcast, Volexity founder Steven Adair explains how these advanced attackers were able to connect to a high-value target’s Wi-Fi—and network—by first remotely compromising the networks of neighbors in physical proximity. APT 28 created a daisy-chain of owned Wi-Fi connections until it was able to reach its target. It’s believed the attack was an attempt to gain additional intelligence on Ukraine prior to Russia’s invasion of that country in February 2022.
Previously known hacks on Wi-Fi networks required physical proximity to these connections. What APT 28—Volexity calls this group GruesomeLarch, while other research groups have labeled them Fancy Bear, Sofacy, and other nicknames—managed to do was not previously seen, Adair said. Volexity wrote in its blog that the group used password-spray attacks against some of the target’s public-facing services; multifactor authentication requirements, however, foiled this approach even though the attackers had obtained valid credentials. This forced the daisy-chain approach of infiltrating other organizations in proximity to the target, moving laterally inside those networks until finding dual-homed systems with wired and wireless connections.
Ultimately they found one that could connect to the target’s Wi-Fi SSID. The target’s Wi-Fi network, Volexity said, did not require MFA, only a valid domain username/password combination to authenticate.
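The password-spray phase described above has a recognizable shape in authentication logs: one source fails against many different accounts a small number of times each, rather than hammering one account. The following is an added detection example, not Volexity's code or tooling and not part of the original article. The log format (timestamp, source, username, result) and the sample lines are constructed for illustration; real sources such as Windows logon failure events, RADIUS/NPS logs or VPN logs carry the same fields under different names.

```python
"""Password-spray detection over authentication logs (added example).

Assumed, constructed log format: one event per line,
    <ISO8601 timestamp> <source address> <username> <FAIL|SUCCESS>
The detector looks for the spray signature: within a time window, one
source fails against at least `min_accounts` distinct usernames with no
more than `max_per_account` failures per username (wide and shallow).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts and finally gets in
# as "frank"; 198.51.100.9 brute-forces a single account (not a spray);
# 192.0.2.20 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2022-02-01T08:00:01Z 203.0.113.7 alice FAIL
2022-02-01T08:00:03Z 203.0.113.7 bob FAIL
2022-02-01T08:00:05Z 203.0.113.7 carol FAIL
2022-02-01T08:00:07Z 203.0.113.7 dave FAIL
2022-02-01T08:00:09Z 203.0.113.7 erin FAIL
2022-02-01T08:00:11Z 203.0.113.7 frank SUCCESS
2022-02-01T08:10:00Z 198.51.100.9 alice FAIL
2022-02-01T08:10:01Z 198.51.100.9 alice FAIL
2022-02-01T08:10:02Z 198.51.100.9 alice FAIL
2022-02-01T08:10:03Z 198.51.100.9 alice FAIL
2022-02-01T08:10:04Z 198.51.100.9 alice FAIL
2022-02-01T09:00:00Z 192.0.2.20 grace FAIL
2022-02-01T09:00:30Z 192.0.2.20 grace SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_sprays(log_text, window=timedelta(minutes=30),
                  min_accounts=5, max_per_account=2):
    """Return {source: finding} for every source showing spray behaviour.

    A finding lists the accounts tried in the offending window and any
    accounts the same source later authenticated to successfully, which is
    the case to escalate first: the spray found a valid credential.
    """
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, user, result = parse_line(line)
        by_src[src].append((ts, user, result))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, u) for ts, u, r in events if r == "FAIL"]
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                successes = sorted({u for _, u, r in events if r == "SUCCESS"})
                findings[src] = {
                    "accounts_tried": sorted(per_user),
                    "successes_from_source": successes,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_sprays(SAMPLE_LOG).items():
        print(src, finding)
```

The thresholds are deliberately parameters: a spray against a large directory may touch hundreds of accounts at one attempt each over hours, so `window` and `min_accounts` should be tuned to the service's normal failure rate. The same logic applies unchanged to a Wi-Fi RADIUS log, which is the point the article makes: the target's public-facing services had MFA behind the spray, the Wi-Fi network did not, so the wireless authentication path deserves the same monitoring and the same second factor.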
“They had to move until they found, in this case, a laptop that was in a docking station that had wired internet, and then used its Wi-Fi connection to figure out what was nearby, what was available, and then leverage those credentials,” Adair explained.
“This instance is the first, and since then, the sole time that we've really seen this,” Adair said. “I don't say nothing surprises me anymore, but I am surprised. You look back and I'd say to get on Volexity's list of most brazen or interesting or impressive attacks, it has to be pretty interesting at this point.”
The attack involved the use of several living-off-the-land techniques, a zero-day privilege escalation vulnerability in the Microsoft Windows Print Spooler, anti-forensics techniques, and exploitation of several weak controls on Wi-Fi networks in proximity of the victim. APT 28 never deployed malware, and used only valid credentials and other available, legitimate services on compromised networks to reach and access their target.
“If I have a remote desktop service, a Citrix server, a VPN service, email, I protect all of that stuff because I'm worried about someone getting my data, my networks, my colleagues, my systems,” Adair said. “Wi-Fi … should be in that conversation about being protected in the same way because it is an entry point into your network and obviously there's places that are using like a shared password that they haven't changed in 10 years and people know why that's a bad idea in general. But this kind of underscores what an advanced or a motivated actor can and potentially will do.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.