### #RemoteAccessExploitation #WiFiHacking #CreativeCyberAttacks
Summary: APT28, a Russian state-sponsored hacking group, successfully breached a U.S. company’s enterprise WiFi network from thousands of miles away using a novel “nearest neighbor attack” technique. This incident highlights the vulnerabilities in corporate WiFi networks and the need for enhanced security measures.
Threat Actor: APT28
Victim: U.S. company
Key Points:
- APT28 compromised a nearby organization to gain access to the target’s enterprise WiFi network.
- The attack involved password-spraying and exploiting dual-homed devices (hosts with both a wired and a wireless interface) to connect remotely.
- Volexity discovered the breach on February 4, 2022, while monitoring for Ukrainian-related cyber activities.
- The hackers utilized native Windows tools to minimize their footprint during data collection.
- Microsoft’s report linked the attack to APT28, indicating the exploitation of a zero-day vulnerability in the Windows Print Spooler service.
- This incident underscores the need for robust security measures for corporate WiFi networks, similar to those for internet-facing services.

Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise WiFi network while being thousands of miles away, by leveraging a novel technique called “nearest neighbor attack.”
The threat actor pivoted to the target after first compromising an organization in a nearby building within WiFi range.
The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukrainian-related work.
APT28 is part of Russia’s military unit 26165 in the General Staff Main Intelligence Directorate (GRU) and has been conducting cyber operations since at least 2004.
The hackers, whom Volexity tracks as GruesomeLarch, first obtained credentials for the target’s enterprise WiFi network through password-spraying attacks against one of the victim’s public-facing services.
However, the presence of multi-factor authentication (MFA) protection prevented the use of the credentials over the public web. Although connecting through the enterprise WiFi did not require MFA, being “thousands of miles away and an ocean apart from the victim” was a problem.
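The spray described above (many accounts, one or two guesses each, against a public-facing service) has a recognisable shape in authentication logs. The following is an added example, not code from the article or from Volexity: a small Python detector that groups failed logins by source address and flags a source that fails against at least five distinct accounts with no more than two attempts per account inside a ten-minute window, which is the spraying pattern. A many-attempts-one-account pattern (classic brute force) is deliberately left to a separate rule so the two can be tuned independently. The log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the Volexity report).
# Format assumed: "<ISO timestamp> src=<ip> user=<account> result=<OK|FAIL>".
SAMPLE_LOG = """\
2022-01-20T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-01-20T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2022-01-20T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2022-01-20T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2022-01-20T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2022-01-20T10:00:11Z src=203.0.113.5 user=frank result=OK
2022-01-20T10:00:30Z src=198.51.100.7 user=alice result=FAIL
2022-01-20T10:00:31Z src=198.51.100.7 user=alice result=FAIL
2022-01-20T10:00:32Z src=198.51.100.7 user=alice result=FAIL
2022-01-20T10:00:33Z src=198.51.100.7 user=alice result=OK
2022-01-20T10:05:00Z src=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts, few tries each.

    A spray is wide and shallow: many usernames, one or two passwords apiece,
    which keeps every account under its lockout threshold. A deep pattern
    (many failures on one account) is brute force and is deliberately not
    matched here.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["result"] == "OK":
                continue  # candidate windows start at a failure
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            fails = defaultdict(int)
            for e in in_window:
                if e["result"] == "FAIL":
                    fails[e["user"]] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                alerts.append({
                    "src": src,
                    "start": first["ts"].isoformat(),
                    "distinct_failed_users": len(fails),
                    # a success from the same source inside the window is the
                    # spray paying off: that password is now validated
                    "successes_in_window": sorted(
                        {e["user"] for e in in_window if e["result"] == "OK"}
                    ),
                })
                break  # one alert per source per run is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the rule flags 203.0.113.5 and records that the same source then authenticated as frank, which is the outcome a spray is after. MFA on the portal stops that session, but the validated password stays usable on any path that does not enforce MFA, which is exactly the gap the WiFi network opened in this incident; the point of tracking successes in the window is to know which accounts need a reset and which non-MFA paths to check for follow-on logins.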
So the hackers became creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network.
The idea was to compromise another organization and look on its network for dual-homed devices, which have both a wired and a wireless connection. Such a device (e.g. a laptop or router) would allow the hackers to use its wireless adapter to connect to the target’s enterprise WiFi.

Volexity found that APT28 compromised multiple organizations as part of this attack, daisy-chaining their connections using valid access credentials. Ultimately, they found a device within range that could connect to three wireless access points near the windows of the victim’s conference room.
Using a Remote Desktop Protocol (RDP) connection from an unprivileged account, the threat actor was able to move laterally on the target network, searching for systems of interest and exfiltrating data.
The hackers ran servtask.bat to dump Windows registry hives (SAM, Security, and System), compressing them into a ZIP archive for exfiltration.
The attackers generally relied on native Windows tools to keep their footprint to a minimum while collecting the data.
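Because the collection step used native Windows tools, the useful signal is in process-creation telemetry (the command lines) rather than in a malware hash. The following Python is an added example, not code from the article or from Volexity: it parses constructed process-creation records (fields modelled loosely on Sysmon event 1 / Security 4688 exports), correlates `reg.exe save` of the SAM, SECURITY and SYSTEM hives on one host inside a fifteen-minute window, and raises the severity when a built-in archiving command follows on the same host, which is the dump-then-zip sequence the article describes. The record format, hostnames, paths and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (not from the Volexity report), loosely
# shaped like Sysmon event 1 / Security 4688 exports:
# "<ISO timestamp>|<host>|<parent image>|<image>|<command line>".
SAMPLE_EVENTS = """\
2022-02-03T22:10:01Z|WS-17|cmd.exe|reg.exe|reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
2022-02-03T22:10:02Z|WS-17|cmd.exe|reg.exe|reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv
2022-02-03T22:10:03Z|WS-17|cmd.exe|reg.exe|reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv
2022-02-03T22:10:20Z|WS-17|cmd.exe|powershell.exe|powershell Compress-Archive -Path C:\\Windows\\Temp\\*.hiv -DestinationPath C:\\Windows\\Temp\\out.zip
2022-02-03T22:11:00Z|SRV-02|services.exe|reg.exe|reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
2022-02-03T22:12:00Z|WS-03|explorer.exe|powershell.exe|powershell Compress-Archive -Path C:\\Users\\bob\\Reports -DestinationPath C:\\Users\\bob\\reports.zip
"""

# reg.exe exporting one of the three credential-bearing hives
HIVE_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)
# archiving tools that ship with Windows, i.e. no extra binary needed
ARCHIVE_RE = re.compile(r"Compress-Archive|\bmakecab\b|\btar\b", re.I)


def parse_events(text):
    """Split records into dicts; lines without five fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) != 5:
            continue
        ts, host, parent, image, cmd = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "image": image, "cmd": cmd,
        })
    return events


def detect_hive_dump(events, window=timedelta(minutes=15)):
    """Correlate hive exports per host and note whether an archive step followed."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        saves = [e for e in evs if HIVE_SAVE_RE.search(e["cmd"])]
        if not saves:
            continue  # an archive command on its own (WS-03) is ordinary user activity
        start = saves[0]["ts"]
        in_window = [e for e in evs if timedelta(0) <= e["ts"] - start <= window]
        hives = sorted({
            HIVE_SAVE_RE.search(e["cmd"]).group(1).upper()
            for e in in_window if HIVE_SAVE_RE.search(e["cmd"])
        })
        archived = any(
            ARCHIVE_RE.search(e["cmd"]) for e in in_window if e["ts"] > start
        )
        # a single hive export can come from legitimate admin tooling; several
        # hives followed by an archive step is the collection pattern in the article
        if len(hives) >= 2 and archived:
            severity = "critical"
        elif len(hives) >= 2:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "host": host,
            "start": start.isoformat(),
            "hives": hives,
            "archived": archived,
            "severity": severity,
            "parents": sorted({e["parent"] for e in saves}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hive_dump(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample records only WS-17 fires, at critical severity, with all three hives and a Compress-Archive step nineteen seconds later; SRV-02's `reg query` and WS-03's unrelated archive do not. Recording the parent process is what lets an analyst distinguish an interactive shell (as in an RDP session from an unprivileged account) from scheduled administrative tooling.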
“Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on and projects actively involving Ukraine” – Volexity
Multiple complexities in the investigation prevented Volexity from attributing this attack to any known threat actors. But a Microsoft report in April this year made it clear as it included indicators of compromise (IoCs) that overlapped with Volexity’s observations and pointed to the Russian threat group.
Based on details in Microsoft’s report, it’s very likely that APT28 was able to escalate privileges before running critical payloads by exploiting, as a zero-day, the CVE-2022-38028 vulnerability in the Windows Print Spooler service within the victim’s network.
APT28’s “nearest neighbor attack” shows that a close-access operation, which typically requires physical proximity to the target (e.g. a parking lot), can also be conducted from afar, eliminating the risk of the operator being physically identified or caught.
While internet-facing devices have benefited from improved security over the past years, by adding MFA and other types of protections, corporate WiFi networks need to be treated with the same care as any other remote access service.