Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

A Cyberattack Chained Through Multiple Orgs

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Cybersecurity Is Critical, but Breaches Don't Have to Be Disasters

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

Beware Thy (Wi-Fi) Neighbors

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\ProgramData\, and improve detection of data exfiltration from Internet-facing services running in an environment.