How do attackers breach a secure organization without setting foot inside? In the Nearest Neighbor Attack, the Russian APT group Fancy Bear (also known as APT28) [2] executed a sophisticated cyber-espionage campaign, exploiting weak Wi-Fi security and nearby organizations to infiltrate their ultimate target.
This wasn’t just a typical hacking attempt—it was a carefully planned operation. The attackers:
- Stole credentials using password-spraying.
- Exploited Wi-Fi networks that lacked multi-factor authentication (MFA).
- Leveraged systems in neighboring organizations to bypass physical distance.
- Extracted sensitive data while leaving minimal traces.
Here’s a high-level overview of the attack path:
Now, let’s break down the attack path [1].
1. Initial Recon and Credential Harvesting
- Objective: Gain access credentials to Organization A’s network.
- Method:
  - Conducted password-spraying attacks on public-facing services of Organization A.
  - Successfully brute-forced several valid username-password combinations.
- Obstacle: The public-facing services were protected by multi-factor authentication (MFA), which prevented immediate use of these credentials.
2. Exploiting Wi-Fi Network Vulnerabilities
- Gap Exploited: Organization A’s enterprise Wi-Fi network required only a valid domain username and password for access, without MFA.
- Challenge for Attackers: The attackers were geographically distant and could not directly connect to Organization A’s Wi-Fi.
3. Compromising Neighboring Organizations
- Strategy:
  - Identified and targeted nearby organizations (Organization B, Organization C) geographically close to Organization A.
  - Breached these organizations through:
    - Exploiting vulnerable public-facing services.
    - Using compromised credentials obtained via brute force or phishing.
  - Focused on finding dual-homed systems—devices connected to both wired and Wi-Fi networks.
4. Leveraging Dual-Homed Systems
- Execution:
  - Attackers gained control of a dual-homed system within Organization B.
  - Used its Wi-Fi adapter to connect to Organization A’s Wi-Fi network, leveraging previously brute-forced credentials.
  - Bypassed physical proximity limitations by daisy-chaining through compromised neighboring networks.
5. Gaining Access to Organization A’s Network
- Connection Established: Successfully authenticated into Organization A’s Wi-Fi network.
- Network Penetration:
  - Gained access to the internal network.
  - Began reconnaissance to locate sensitive data.
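From a defender's side, steps 1, 2 and 5 form one detectable story: the accounts that a spraying source cycled through are exactly the accounts whose later enterprise Wi-Fi (802.1X/RADIUS) logons deserve scrutiny, because the Wi-Fi path is where the stolen password works without MFA. The Python below is an added example, not code from this post or from Volexity; the log formats, IP addresses, usernames and thresholds (five distinct accounts failing from one source within ten minutes, a 24-hour correlation window) are constructed for illustration and would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logons against a public-facing service.
# Fields: timestamp, source IP, service, username, result.
PUBLIC_AUTH_LOG = """\
2024-02-01T09:00:01 203.0.113.7 owa alice FAIL
2024-02-01T09:00:02 203.0.113.7 owa bob FAIL
2024-02-01T09:00:04 203.0.113.7 owa carol FAIL
2024-02-01T09:00:05 203.0.113.7 owa dave SUCCESS
2024-02-01T09:00:07 203.0.113.7 owa erin FAIL
2024-02-01T09:00:09 203.0.113.7 owa frank FAIL
2024-02-01T09:15:00 198.51.100.4 owa alice FAIL
2024-02-01T09:16:00 198.51.100.4 owa alice FAIL
2024-02-01T09:17:00 198.51.100.4 owa alice SUCCESS
"""

# Constructed sample of enterprise Wi-Fi (802.1X/RADIUS) logons.
# Fields: timestamp, username, access point, result.
WIFI_AUTH_LOG = """\
2024-02-01T11:42:10 dave ap-floor3 SUCCESS
2024-02-01T11:50:00 alice ap-floor1 SUCCESS
2024-02-02T08:05:00 grace ap-floor2 SUCCESS
"""

SPRAY_WINDOW = timedelta(minutes=10)   # assumed tuning values
SPRAY_MIN_USERS = 5                    # distinct accounts failing from one source
CORRELATION_WINDOW = timedelta(hours=24)


def parse(log, fields):
    """Turn whitespace-separated log lines into dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        ev = dict(zip(fields, parts))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_spray(events):
    """Return {source_ip: (first_seen, {all usernames tried in that window})}
    for sources whose failures span SPRAY_MIN_USERS distinct accounts within
    SPRAY_WINDOW. One success inside the burst does not hide the spray."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    sprays = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            attempts = [e for e in evs[i:] if e["ts"] - start["ts"] <= SPRAY_WINDOW]
            failed_users = {e["user"] for e in attempts if e["result"] == "FAIL"}
            if len(failed_users) >= SPRAY_MIN_USERS:
                sprays[src] = (start["ts"], {e["user"] for e in attempts})
                break
    return sprays


def correlate_wifi(sprays, wifi_events):
    """Flag successful Wi-Fi logons by any sprayed account within CORRELATION_WINDOW
    after the spray began. Returns (user, access point, spray source) tuples."""
    alerts = []
    for src, (first_seen, users) in sprays.items():
        for ev in wifi_events:
            if (ev["result"] == "SUCCESS" and ev["user"] in users
                    and timedelta(0) <= ev["ts"] - first_seen <= CORRELATION_WINDOW):
                alerts.append((ev["user"], ev["ap"], src))
    return alerts


def run():
    public = parse(PUBLIC_AUTH_LOG, ["ts", "src", "service", "user", "result"])
    wifi = parse(WIFI_AUTH_LOG, ["ts", "user", "ap", "result"])
    sprays = detect_spray(public)
    return sprays, correlate_wifi(sprays, wifi)


if __name__ == "__main__":
    sprays, alerts = run()
    for src, (ts, users) in sprays.items():
        print(f"spray from {src} starting {ts}: {sorted(users)}")
    for user, ap, src in alerts:
        print(f"ALERT: sprayed account {user} joined Wi-Fi via {ap} (spray source {src})")
```

On the constructed data the second source (198.51.100.4) hammers a single account and is not a spray by this rule, while 203.0.113.7 is; both `dave` (whose password was guessed) and `alice` then appear on Wi-Fi within a day and are raised for review. The correlation is what turns a routine spray alert into a signal that the MFA-less Wi-Fi path is being used.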
6. Privilege Escalation
- Zero-Day Exploitation: Used a privilege escalation vulnerability (CVE-2022-38028) in the Microsoft Windows Print Spooler.
- Persistence Established:
  - Deployed tools like servtask.bat to dump sensitive registry hives (SAM, SECURITY, and SYSTEM).
  - Used PowerShell scripts to compress and stage data for exfiltration.
7. Lateral Movement and Data Exfiltration
- Objective: Access sensitive Ukraine-related projects and data.
- Techniques:
  - Moved laterally across systems to identify valuable data.
  - Used living-off-the-land tools to avoid detection (e.g., netsh for port-forwarding, vssadmin for creating shadow copies).
  - Exfiltrated data via:
    - SMB connections.
    - Staging data on public-facing systems for external download.
8. Anti-Forensic Measures
- Covering Tracks:
  - Used the Windows utility Cipher.exe to securely delete files.
  - Removed all artifacts related to tools and scripts after use.
  - Minimal malware deployment to evade endpoint detection.
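Steps 6 through 8 rely on built-in Windows utilities rather than malware, so process-creation telemetry (Sysmon Event ID 1, EDR process events) is the place to catch them: a hive export, a shadow-copy creation, a portproxy rule and a Cipher.exe wipe are each rare on a workstation, and two of them on the same host in a short span is rarer still. The Python below is an added example, not code from this post or from Volexity. It assumes the hive dump is performed with `reg.exe save` (the usual mechanism; the post names only servtask.bat) and that PowerShell staging uses `Compress-Archive`; the hostnames, users and events are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style); made up for illustration.
EVENTS = [
    {"host": "WS-14", "user": "CORP\\svc_print", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "WS-14", "user": "CORP\\svc_print", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\security C:\Windows\Temp\security.hiv"},
    {"host": "WS-14", "user": "CORP\\svc_print", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": r"cipher /w:C:\Windows\Temp"},
    {"host": "SRV-02", "user": "CORP\\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                      # benign listing, must not fire
    {"host": "SRV-02", "user": "CORP\\admin", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.12 connectport=445"},
    {"host": "WS-07", "user": "CORP\\jdoe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z a report.zip report.docx"},               # unrelated archiver, must not fire
]

# Rule name -> (image regex, command-line regex); both matched case-insensitively.
RULES = {
    "registry_hive_dump":   (r"(^|\\)reg\.exe$",        r"\bsave\s+hklm\\(sam|security|system)\b"),
    "shadow_copy_created":  (r"(^|\\)vssadmin\.exe$",   r"\bcreate\s+shadow\b"),
    "portproxy_forwarding": (r"(^|\\)netsh\.exe$",      r"\bportproxy\s+add\b"),
    "secure_wipe":          (r"(^|\\)cipher\.exe$",     r"(^|\s)/w:"),
    "powershell_archive":   (r"(^|\\)powershell\.exe$", r"compress-archive"),
}


def match_rules(event):
    """Return the names of every rule whose image and command-line patterns both match."""
    hits = []
    for name, (img_re, cmd_re) in RULES.items():
        if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append(name)
    return hits


def triage(events, escalate_at=2):
    """Run every event through the rules. Returns (findings, escalated_hosts), where a host
    is escalated once it has triggered escalate_at distinct rules; the assumed threshold
    reflects that hive export plus anti-forensic wipe on one box is a strong combination."""
    per_host = defaultdict(set)
    findings = []
    for ev in events:
        for rule in match_rules(ev):
            findings.append((ev["host"], ev["user"], rule))
            per_host[ev["host"]].add(rule)
    escalated = sorted(h for h, rules in per_host.items() if len(rules) >= escalate_at)
    return findings, escalated


if __name__ == "__main__":
    findings, escalated = triage(EVENTS)
    for host, user, rule in findings:
        print(f"{host:7} {user:16} {rule}")
    print("escalate:", escalated)
```

A real deployment would add a time window to the per-host grouping and exclude known backup or imaging accounts for the shadow-copy rule; the point is that none of these rules needs a file hash, which matters against an actor who deploys almost no malware.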
9. Further Intrusions via Guest Wi-Fi
- Post-Detection Activity: After initial remediation by Organization A, attackers pivoted to the guest Wi-Fi network.
- Exploit: Poor segmentation allowed access to internal systems from the guest network.
- Reinfiltration: Attackers regained access to sensitive data before being detected again.
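The guest Wi-Fi re-entry in step 9 succeeded because of segmentation, not credentials, and a segmentation claim is cheap to verify continuously from flow logs: any session from the guest range to corporate address space that is not on an explicit allowlist is a policy violation, whether or not it belongs to an intrusion. The Python below is an added example, not code from this post or from Volexity; the subnets, the allowlisted DNS forwarder and the flow records are constructed for illustration.

```python
import ipaddress

# Constructed address plan: the guest Wi-Fi range and the corporate (RFC 1918) ranges.
GUEST_NET = ipaddress.ip_network("10.200.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the only internal service guest clients may reach is a DNS forwarder.
GUEST_ALLOWLIST = {(ipaddress.ip_address("10.0.1.53"), 53)}

# Constructed flow records: source IP, destination IP, destination port.
FLOWS = """\
10.200.3.44 10.0.1.53 53
10.200.3.44 93.184.216.34 443
10.200.3.44 10.0.5.12 445
10.200.3.44 10.0.5.12 3389
10.200.3.44 10.200.3.45 445
10.0.7.21 10.0.5.12 445
"""


def is_internal(addr):
    """True when the address falls inside any corporate range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def segmentation_violations(flow_text):
    """Return (src, dst, dport) for guest-originated flows that reach corporate address
    space without an allowlist entry. Guest-to-guest traffic is left to the client
    isolation control and is not reported here; internet-bound traffic is expected."""
    violations = []
    for line in flow_text.splitlines():
        src_s, dst_s, dport_s = line.split()
        src, dst, dport = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(dport_s)
        if src not in GUEST_NET:
            continue                       # only guest-originated flows are in scope
        if dst in GUEST_NET or (dst, dport) in GUEST_ALLOWLIST:
            continue
        if is_internal(dst):
            violations.append((src_s, dst_s, dport))
    return violations


if __name__ == "__main__":
    for src, dst, dport in segmentation_violations(FLOWS):
        print(f"guest {src} reached internal {dst}:{dport}")
```

Running this against the constructed flows reports the two sessions to 10.0.5.12 (SMB and RDP) and nothing else. Fed from a collector on the guest gateway, the same check would have flagged the re-entry described above the moment the first internal connection was made, independent of the attacker's tooling.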
Citations
1. Koessel, S., Adair, S., & Lancaster, T. (2024, November 22). The nearest neighbor attack: How a Russian APT weaponized nearby Wi-Fi networks for covert access. Volexity. https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
2. CrowdStrike. (2019, February 12). Who is FANCY BEAR (APT28)? CrowdStrike. https://www.crowdstrike.com/blog/who-is-fancy-bear/
Awesome research done on this!