“Nearest Neighbor Attack” finally lets Russia’s Fancy Bear into target’s Wi-Fi network.
See full article...
See full article...
At this point it would be understandable if you’re thinking this sounds a little far-fetched.
Yeah, that's exactly what it seems like. Run an office block with dense residential and commercial+residential across (narrow) streets? That might be thousands of not-by-your-policies access points within WiFi range of your network! Yeah, that might be a reason to not assume proximity is security...Does this mean those all too numerous internet enabled devices are potential threat vectors into not just the local but also neighboring WiFi networks? (And even more so once the device inevitably stops getting security updates)
No, OP posted that they should "never be the basis for access" which means you don't get to access the server just because you plugged into a port or something.Wait, what?
The network in my company’s building should never be used to access my company’s computers?
Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?It turned out credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only no 2FA was required.
Kinda goes beyond that once you get past the thankfully fading over-hyped products that were zero trust only in name. It means an organizational network is broken down into different physical subnets that by default do not trust any other subnet any more than it would an untrusted network (similar to how the raw Internet is treated). Further, inside those subnets, each individual device in a zero trust environment does not automatically trust that any other device on that physical subnet is what they are advertised to be, including the router (default-to-deny traffic). They must have an non-transferable identity token, ie: unique cryptographic key, that proves who or what they are. This goes for each user in those organizations as much as each device. This way when you have an unauthorized device appear in a supposedly trusted physical network it can neither authenticate itself nor impersonate an authorized user & device.No, OP posted that they should "never be the basis for access" which means you don't get to access the server just because you plugged into a port or something.
Zero trust means the office internet is treated similarly to your home internet, however that's handled. That's an increasingly popular view of how business access networks/LAN's should be handled, by the way, not some batshit insane thing that only nzeid thinks.
I'm guessing you don't work in cybersecurity.
No need, just enter WiFi network.How long until we see drones opening windows, flying in and plugging in USB or Ethernet?
This is insufficient. We'd also need to cut off Israel from the internet which isn't likely to happen.I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
We have state sponsored hackers in the west too.I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
That very last step is what I don’t get. The target WiFi network lets unrelated neighboring devices connect that easily?
You would need to redesign the internet from scratch to include personal identification. (Happy endgame for governments and law enforcement). The internet as it is now was fundamentally designed to work around any attempted block automatically.I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
Wasn’t that in a movie already?How long until we see drones opening windows, flying in and plugging in USB or Ethernet?
If the aim is to prevent Russian threat actors from operating on the Internet at large, it’s entirely pointless. There’s nothing stopping them from covertly setting up shop in another country and basing their operations from there instead.I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
Agree; while I’d love to cut off the Russian government I’d hate to cut off access to non-government sources of information (ie the truth) for everyone else.I will admit that evil seems to be organizing on epic criminal scales, however I personally see the internet as a far greater force of good injecting democratic ideals.
No...I'm guessing he forgot what I thought was an obvious /SI'm guessing you don't work in cybersecurity.
Who's to say it's never happened?How long until we see drones opening windows, flying in and plugging in USB or Ethernet?
I’m still of the same opinion, but boy is that becoming harder and harder to say for sure when you add to the equation all the unprecedented scale it brought to inherently anti-democratic echo chambers and weaponized rhetoric.I personally see the internet as a far greater force of good injecting democratic ideals.
The article is limited based on the info revealed in the source article, and I think Volexity are vague on purpose here.From the article:
Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?
But there are any number of ways they might have attacked the target wifi directly now that they had a foothold in a neighboring building, and I think that's a more likely scenario than an individual reusing the wifi password as their own password.
Unclear, but my guess would be that the neighbor's compromised network was used as a platform to run Wifi attacks first before being used for infiltration/exfiltration.How is it that a neighbour's device was able to connect to the company's WiFi network? Was there also a security weakness in the WiFi access point? Or did the company use a weak WiFi password?
Unfortunately, zero trust requires a certain amount of buy-in from the employees. It's easy to say and implement, it's much harder to make individual users understand why this is necessary and not try to usurp the system. There are ways to keep users honest, such as MFA including biometrics and the like. But ultimately it's not about "trust no one" as some have suggested, but rather trust becomes a default-deny-till-authenticated rather than default-allow as in simple networks.
From the article:
Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?
According to BleepingComputer they already had the credentials for company X. But I guess VPN products like SSLVPN endpoints will require MFA if you want VPN access. But WiFi enterprise auth method ( 802.1x ) don't usually require 2FA or MFA. Since they were thousands of miles away they just compromised the neighbor's network ( probably via VPN ) and found a dual homed device there ( ie. Laptop with a WiFi adapter ) and used that as a WiFi client to connect to company X.That very last step is what I don’t get. The target WiFi network lets unrelated neighboring devices connect that easily?
Relocation wouldn’t even be necessary. The Internet isn’t the only way to transfer data. All they‘d need is a single data line to any place that does have Internet access to bridge the gap. (e.g run a fiber line to China, or use a satellite to anywhere else)If the aim is to prevent Russian threat actors from operating on the Internet at large, it’s entirely pointless. There’s nothing stopping them from covertly setting up shop in another country and basing their operations from there instead.
In this case I think its a Wi-Fi client connected to two networks, hence "dual homed". So it won't show up on an auditPCI-DSS has a requirement to detect “rogue” Wi-Fi networks, with the risk being something physically plugged into your servers that is sending data. However, even in the more secure data centers, usually you will detect multiple wireless networks with no mechanism to assign them to owners, so for each certification audit, auditors accepted a screenshot from a from with Wi-Fi network browser open. And there was nothing that you can do to block them, so the standard was kind of “let’s put it here to show we considered it, but we don’t expect you do actually do anything”.