“Nearest Neighbor Attack” finally lets Russia’s Fancy Bear into target’s Wi-Fi network.
See full article...
See full article...
Spies hack Wi-Fi networks in far-off land to launch attack on target next door
- Thread starter JournalBot
- Start date
From the Volixity blog:
Actually... no. Office/onsite networks are inherently not secure and should never be the basis for access to any internal/organizational resource.
(Edited "local" for clarity.)
Actually... no. Office/onsite networks are inherently not secure and should never be the basis for access to any internal/organizational resource.
(Edited "local" for clarity.)
Last edited:
Upvote
36
(37
/
-1)
- Add bookmark
- Featured
- #3
I don't think we're cool enough to be worth the trouble; but there's another incentive to swap out MSCHAPv2 and get certs in place....
With the more banal reason being that MS is not getting any less shy about Credential Guard moving toward breaking PEAP-MSCHAPv2.
With the more banal reason being that MS is not getting any less shy about Credential Guard moving toward breaking PEAP-MSCHAPv2.
Upvote
21
(21
/
0)
Does this mean those all too numerous internet enabled devices are potential threat vectors into not just the local but also neighboring WiFi networks? (And even more so once the device inevitably stops getting security updates)
Upvote
58
(58
/
0)
Really it's crazy this isn't more common, which means it probably will become more common at some point.
They didn't do anything crazy. Once they had a target, they look up an office on Google Maps. Find the nearest businesses that pop up on the map or Street View. Search dark web for access brokers offering access to any of those nearby businesses. Access neighbor network, priv-esc, take over WiFi card mgmt, and plug in some creds that were already confirmed via cred stuffing (too many vendors DO effectively distinguish between failed and successful authentications on the user-facing side... this technique demonstrates the very problem with that approach!).
Voila, you are on the target network, authenticated, and on the trusted side. None of that is particularly high effort, requiring APT resources. That's terrifying.
They didn't do anything crazy. Once they had a target, they look up an office on Google Maps. Find the nearest businesses that pop up on the map or Street View. Search dark web for access brokers offering access to any of those nearby businesses. Access neighbor network, priv-esc, take over WiFi card mgmt, and plug in some creds that were already confirmed via cred stuffing (too many vendors DO effectively distinguish between failed and successful authentications on the user-facing side... this technique demonstrates the very problem with that approach!).
Voila, you are on the target network, authenticated, and on the trusted side. None of that is particularly high effort, requiring APT resources. That's terrifying.
Upvote
43
(43
/
0)
Yeah, that's exactly what it seems like. Run an office block with dense residential and commercial+residential across (narrow) streets? That might be thousands of not-by-your-policies access points within WiFi range of your network! Yeah, that might be a reason to not assume proximity is security...
Upvote
19
(19
/
0)
I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
Upvote
31
(46
/
-15)
Wait, what?
The network in my company’s building should never be used to access my company’s computers?
Upvote
-13
(6
/
-19)
No, OP posted that they should "never be the basis for access" which means you don't get to access the server just because you plugged into a port or something.
Zero trust means the office internet is treated similarly to your home internet, however that's handled. That's an increasingly popular view of how business access networks/LAN's should be handled, by the way, not some batshit insane thing that only nzeid thinks.
I'm guessing you don't work in cybersecurity.
Upvote
66
(70
/
-4)
From the article:
Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?
Upvote
14
(14
/
0)
Kinda goes beyond that once you get past the thankfully fading over-hyped products that were zero trust only in name. It means an organizational network is broken down into different physical subnets that by default do not trust any other subnet any more than it would an untrusted network (similar to how the raw Internet is treated). Further, inside those subnets, each individual device in a zero trust environment does not automatically trust that any other device on that physical subnet is what they are advertised to be, including the router (default-to-deny traffic). They must have an non-transferable identity token, ie: unique cryptographic key, that proves who or what they are. This goes for each user in those organizations as much as each device. This way when you have an unauthorized device appear in a supposedly trusted physical network it can neither authenticate itself nor impersonate an authorized user & device.
Unfortunately, zero trust requires a certain amount of buy-in from the employees. It's easy to say and implement, it's much harder to make individual users understand why this is necessary and not try to usurp the system. There are ways to keep users honest, such as MFA including biometrics and the like. But ultimately it's not about "trust no one" as some have suggested, but rather trust becomes a default-deny-till-authenticated rather than default-allow as in simple networks.
Last edited:
Upvote
30
(30
/
0)
How long until we see drones opening windows, flying in and plugging in USB or Ethernet?
Upvote
32
(33
/
-1)
This is insufficient. We'd also need to cut off Israel from the internet which isn't likely to happen.
What we need are zero-trust networks to be the default for any thing that might be important. It is possible, Google has done it with their BeyondCorp initiatives.
Upvote
24
(31
/
-7)
PCI-DSS has a requirement to detect “rogue” Wi-Fi networks, with the risk being something physically plugged into your servers that is sending data. However, even in the more secure data centers, usually you will detect multiple wireless networks with no mechanism to assign them to owners, so for each certification audit, auditors accepted a screenshot from a from with Wi-Fi network browser open. And there was nothing that you can do to block them, so the standard was kind of “let’s put it here to show we considered it, but we don’t expect you do actually do anything”.
Upvote
8
(8
/
0)
That very last step is what I don’t get. The target WiFi network lets unrelated neighboring devices connect that easily?
Upvote
14
(14
/
0)
Upvote
14
(15
/
-1)
This is a nation state level hack using their best zero day resources and not something easy. According to other articles it matched identically to a hack they used to send agents in person to execute. The answer is we do not know exactly what step three is, just that it existed and in this case the IT department depended too much on internal devices being locked down.
Upvote
2
(2
/
0)
You would need to redesign the internet from scratch to include personal identification. (Happy endgame for governments and law enforcement). The internet as it is now was fundamentally designed to work around any attempted block automatically.
Even if you attempted to destroy every physical link there would still be wireless point to point set up just for the bad actors.
I will admit that evil seems to be organizing on epic criminal scales, however I personally see the internet as a far greater force of good injecting democratic ideals.
That said the last four chats I got in this silly Isekai life game were trying to recruit for Infinity Kingdom and the like. I presume some mob is getting a kickback from the developers where trafficked people are forced to act like some sort of hostess club girl asking guys to spend money to play with them. Depressing and probably equally destructively sucking money out of the economy. Maybe privacy has to go.
Upvote
4
(7
/
-3)
If the aim is to prevent Russian threat actors from operating on the Internet at large, it’s entirely pointless. There’s nothing stopping them from covertly setting up shop in another country and basing their operations from there instead.
Upvote
18
(19
/
-1)
Agree; while I’d love to cut off the Russian government I’d hate to cut off access to non-government sources of information (ie the truth) for everyone else.
Upvote
6
(6
/
0)
Upvote
0
(0
/
0)
Who's to say it's never happened?
A lot of the time you hear about these things in memoirs or when people get caught.
Upvote
0
(0
/
0)
I’m still of the same opinion, but boy is that becoming harder and harder to say for sure when you add to the equation all the unprecedented scale it brought to inherently anti-democratic echo chambers and weaponized rhetoric.
We’ve all though it was going to lead to a necessarily more informed and less manoeuvrable electorate, but instead, two or three days before the election, a big spike on Google was on searches for “did biden drop out”.
Upvote
8
(8
/
0)
Dan, there’s a “Volixity” at the end there where I think you meant to write “Volexity”.
Upvote
0
(0
/
0)
Nothing new. It's been apparent for decades that buildings have to be, to coin a new word, faradayed. I figured that out when I created an ad hoc network between our company laptops at a client who allowed me cable access to the network. The other laptop could as easily have been in the parking lot. The only defense against this and other shenanigans is to wrap the building in a grounded metal mesh, i.e. a Faraday cage. No signals out, none in. Cellular phones will have to be accommodated by an internal repeater (and that's still a vulnerability).
Real problem: lazy, ignorant management.
Real problem: lazy, ignorant management.
Upvote
-5
(0
/
-5)
How is it that a neighbour's device was able to connect to the company's WiFi network? Was there also a security weakness in the WiFi access point? Or did the company use a weak WiFi password?
Upvote
5
(6
/
-1)
The article is limited based on the info revealed in the source article, and I think Volexity are vague on purpose here.
The accounts attacked did have MFA enabled, but only for remote logins. The GRU used a brute force attack on a web app under control of the target. Their attack didn't gain them access to the web app itself because MFA was enforced. However, once they got access denials because of the 2FA instead of user/password not found, they knew they had good credentials. It also appears that the target used SSO for the web app and its internal network.
Next, they basically went wardriving, but instead of parking outside, they used a zero-day attack on less secure networks nearby, jumping from one neighbor to another, and then attacking the target.
Neither the article nor it's Volexity source explicitly states that they cracked the target's wifi password or how they might have done it.
But there are any number of ways they might have attacked the target wifi directly now that they had a foothold in a neighboring building, and I think that's a more likely scenario than an individual reusing the wifi password as their own password.
The attack still could have been stopped there, but the target's security admins didn't require MFA for on-premises logins.
Upvote
11
(11
/
0)
Unclear, but my guess would be that the neighbor's compromised network was used as a platform to run Wifi attacks first before being used for infiltration/exfiltration.
Upvote
4
(4
/
0)
I would focus this from the other direction: IT departments and especially security folks should never lose track of the business being the top priority. People will accept a certain level of inconvenience as a necessary evil but you don’t prioritize usability, it starts to look less like a necessity than indifference – and if you start hearing jokes about the security group’s motto being “if you can do your job, we haven’t done ours” you can bet that there’s a lot of shadow IT (aka the requirements gathering we neglected).
This is also where I think it’s important to remember a lot of enterprise software isn’t more secure, it’s just lousy. Like if I went all in on WebAuthn and ditched all of the cruddy MFA bolt-on junk for a new fleet of Macs using Touch ID, the ChromeOS equivalent, or a few painstakingly-validated Windows Hello devices, the user experience is actually better for being more secure because the biometric check isn’t just phishing-resistant but also much faster.
Upvote
11
(11
/
0)
It's not entirely clear on whether the 3rd party web service the attacker was trying to connect to was enforcing MFA itself; or if it was one of the (really common) scenarios where an organization with AD accounts will have MFA enforcement tacked on at the AAD or Okta level for AD-synced accounts that need to access various 3rd party things via SAML SSO.
I'm inclined to suspect the latter given that the credentials they were able to obtain were identical to the ones they used for the attack against the wifi; though it could be that they just got lucky with password reuse being pretty common in setups where you have a 3rd party site with company logins that aren't SSO integrated(there's always at least one, and the story about why is always stupid or infuriating, and employees have an obvious incentive to reuse passwords and it's kind of hard to blame them when it really should be SSOed away...)
Regardless, the attackers obtained correct username/password pairs by testing against the web-facing authentication interface; but couldn't pass the MFA challenges; but since the username/password pairs were the same as the on-premises ones, where wifi was set up to be doing username/password authentication (obvious guess is WPA2-enterprise PEAP-MSCHAPv2; just because that's the ubiquitous way you'd do that) without an MFA hit in the loop they were able to use the compromised credentials to connect to the corporate wifi in just the same way that the employees normally did.
It's a terrible idea for other reasons but, ironically, this would be one case where WPA2-PSK would not have been vulnerable, since the PSK would not correspond to a password you could test against some web service somewhere, and the adversary had failed to gain a foothold on any company devices prior to entering the wifi.
Upvote
5
(5
/
0)
According to BleepingComputer they already had the credentials for company X. But I guess VPN products like SSLVPN endpoints will require MFA if you want VPN access. But WiFi enterprise auth method ( 802.1x ) don't usually require 2FA or MFA. Since they were thousands of miles away they just compromised the neighbor's network ( probably via VPN ) and found a dual homed device there ( ie. Laptop with a WiFi adapter ) and used that as a WiFi client to connect to company X.
If that's the case, then requiring laptops with WiFi connections use pre-installed certificates ( or access cards ) instead of usernames and passwords might thwart this type of attack.
The takeaway is that they were on the other side of the world but managed to compromise a company doing Ukrainian work inside the USA.
( which incidentally sounds like a valid target in any theater of war, unlike Israeli software being used by other allied countries to oppress
civilian freedoms of their own populace )
Upvote
2
(2
/
0)
How many office printers, HVAC devices, security systems and cameras, cellular hotspots (often brought onsite by visitors and vendors) and myriad of other poorly-secured devices are broadcasting a wifi network and have a built in web server. All of these are potential springboards for attacks or for surveillance for attacks into a network due to proximity.
Upvote
3
(3
/
0)
Relocation wouldn’t even be necessary. The Internet isn’t the only way to transfer data. All they‘d need is a single data line to any place that does have Internet access to bridge the gap. (e.g run a fiber line to China, or use a satellite to anywhere else)
Upvote
0
(0
/
0)
In this case I think its a Wi-Fi client connected to two networks, hence "dual homed". So it won't show up on an audit
Upvote
0
(0
/
0)