Spies hack Wi-Fi networks in far-off land to launch attack on target next door

nzeid

Ars Praetorian
447
Subscriptor
From the Volexity blog:

At this point it would be understandable if you’re thinking this sounds a little far-fetched.

Actually... no. Office/onsite networks are inherently not secure and should never be the basis for access to any internal/organizational resource.

(Edited "local" for clarity.)
 
Upvote
58 (59 / -1)

jamesb2147

Ars Tribunus Militum
1,561
Really it's crazy this isn't more common, which means it probably will become more common at some point.

They didn't do anything crazy. Once they had a target, they look up an office on Google Maps. Find the nearest businesses that pop up on the map or Street View. Search dark web for access brokers offering access to any of those nearby businesses. Access neighbor network, priv-esc, take over WiFi card mgmt, and plug in some creds that were already confirmed via cred stuffing (too many vendors DO effectively distinguish between failed and successful authentications on the user-facing side... this technique demonstrates the very problem with that approach!).

Voila, you are on the target network, authenticated, and on the trusted side. None of that is particularly high effort, requiring APT resources. That's terrifying.
 
Upvote
77 (77 / 0)
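The behaviour jamesb2147 describes above, where a portal that enforces MFA still tells an attacker which username/password pairs are correct, leaves a recognisable trace in the portal's own logs: one source validating passwords for many different accounts without ever completing a second factor. The following is an added example (not code from the thread, from Ars, or from Volexity) that scans a constructed sample of such log lines and flags sources matching that pattern; the log format, field names and addresses are assumptions invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of web-portal authentication events (invented for this example).
#   result : whether the submitted password matched the directory account
#   mfa    : outcome of the second-factor step that follows a correct password
SAMPLE_LOG = """\
2024-11-20T09:58:01Z src=203.0.113.5 user=alice result=PASSWORD_BAD mfa=NOT_STARTED
2024-11-20T09:58:02Z src=203.0.113.5 user=alice result=PASSWORD_OK mfa=FAILED
2024-11-20T09:58:03Z src=203.0.113.5 user=bob result=PASSWORD_BAD mfa=NOT_STARTED
2024-11-20T09:58:04Z src=203.0.113.5 user=bob result=PASSWORD_BAD mfa=NOT_STARTED
2024-11-20T09:58:05Z src=203.0.113.5 user=carol result=PASSWORD_OK mfa=FAILED
2024-11-20T09:58:06Z src=203.0.113.5 user=dave result=PASSWORD_OK mfa=FAILED
2024-11-20T10:02:10Z src=198.51.100.7 user=erin result=PASSWORD_OK mfa=COMPLETED
2024-11-20T10:03:15Z src=198.51.100.7 user=erin result=PASSWORD_OK mfa=FAILED
2024-11-20T10:03:40Z src=198.51.100.7 user=erin result=PASSWORD_OK mfa=COMPLETED
"""

# Assumed line layout: timestamp followed by key=value fields in a fixed order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_events(text):
    """Parse log text into a list of dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_validation_sources(text, min_accounts=3):
    """Return {src: sorted users} for sources that got a correct password for at least
    min_accounts distinct users and never completed MFA from that source.

    A legitimate user who fumbles one MFA prompt (198.51.100.7 in the sample) still
    completes MFA eventually, so that source is not flagged. A source that only ever
    reaches the MFA prompt, across several accounts, is validating stolen credentials.
    """
    validated = defaultdict(set)   # src -> users whose password was correct, MFA not done
    completed = defaultdict(set)   # src -> users who fully signed in from that source
    for ev in parse_events(text):
        if ev["result"] != "PASSWORD_OK":
            continue
        if ev["mfa"] == "COMPLETED":
            completed[ev["src"]].add(ev["user"])
        else:
            validated[ev["src"]].add(ev["user"])

    flagged = {}
    for src, users in validated.items():
        if len(users) >= min_accounts and not completed[src]:
            flagged[src] = sorted(users)
    return flagged


if __name__ == "__main__":
    for src, users in find_validation_sources(SAMPLE_LOG).items():
        # These accounts now have a confirmed-valid password in attacker hands, so the
        # follow-up is to rotate them and check every place the same password is
        # accepted without MFA (on-premises Wi-Fi, VPN, mail).
        print(f"{src}: validated {len(users)} accounts without MFA: {', '.join(users)}")
```

The threshold and the "never completed MFA" condition are the two knobs: lowering `min_accounts` catches slower campaigns at the cost of more noise, and the completed-MFA exclusion is what keeps an ordinary user with a flaky authenticator out of the alert.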
Does this mean those all too numerous internet enabled devices are potential threat vectors into not just the local but also neighboring WiFi networks? (And even more so once the device inevitably stops getting security updates)
Yeah, that's exactly what it seems like. Run an office block with dense residential and commercial+residential across (narrow) streets? That might be thousands of not-by-your-policies access points within WiFi range of your network! Yeah, that might be a reason to not assume proximity is security...
 
Upvote
37 (37 / 0)

jamesb2147

Ars Tribunus Militum
1,561
Wait, what?

The network in my company’s building should never be used to access my company’s computers?
No, OP posted that they should "never be the basis for access" which means you don't get to access the server just because you plugged into a port or something.

Zero trust means the office internet is treated similarly to your home internet, however that's handled. That's an increasingly popular view of how business access networks/LANs should be handled, by the way, not some batshit insane thing that only nzeid thinks.

I'm guessing you don't work in cybersecurity.
 
Upvote
101 (107 / -6)

mabman

Seniorius Lurkius
26
From the article:
It turned out credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only no 2FA was required.
Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?
 
Upvote
24 (24 / 0)
No, OP posted that they should "never be the basis for access" which means you don't get to access the server just because you plugged into a port or something.

Zero trust means the office internet is treated similarly to your home internet, however that's handled. That's an increasingly popular view of how business access networks/LANs should be handled, by the way, not some batshit insane thing that only nzeid thinks.

I'm guessing you don't work in cybersecurity.
Kinda goes beyond that once you get past the thankfully fading over-hyped products that were zero trust only in name. It means an organizational network is broken down into different physical subnets that by default do not trust any other subnet any more than it would an untrusted network (similar to how the raw Internet is treated). Further, inside those subnets, each individual device in a zero trust environment does not automatically trust that any other device on that physical subnet is what they are advertised to be, including the router (default-to-deny traffic). They must have a non-transferable identity token, i.e. a unique cryptographic key, that proves who or what they are. This goes for each user in those organizations as much as each device. This way when you have an unauthorized device appear in a supposedly trusted physical network it can neither authenticate itself nor impersonate an authorized user & device.

Unfortunately, zero trust requires a certain amount of buy-in from the employees. It's easy to say and implement, it's much harder to make individual users understand why this is necessary and not try to usurp the system. There are ways to keep users honest, such as MFA including biometrics and the like. But ultimately it's not about "trust no one" as some have suggested, but rather trust becomes a default-deny-till-authenticated rather than default-allow as in simple networks.
 
Upvote
61 (61 / 0)
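The admission model in the post above (default deny, every device holds its own non-transferable key, a rogue device on the same segment can neither authenticate nor impersonate an enrolled one) is small enough to show end to end. The following is an added example, not code from the thread or from any product it mentions; it stands in a per-device HMAC secret for the per-device certificate or hardware-backed key a real deployment would use, and the device names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment registry (assumption for the example): each enrolled device
# was issued its own secret at enrolment time, and the secret never leaves that device.
# Keys are derived from fixed strings only so the example is deterministic.
DEVICE_KEYS = {
    "laptop-0017": hashlib.sha256(b"constructed enrolment secret for laptop-0017").digest(),
    "printer-lobby": hashlib.sha256(b"constructed enrolment secret for printer-lobby").digest(),
}


class Gatekeeper:
    """Admission control for one network segment: nothing is trusted until it proves
    possession of an enrolled key. Being physically on the segment buys nothing."""

    def __init__(self, registry):
        self._registry = dict(registry)
        self._pending = {}  # device_id -> nonce of the outstanding challenge

    def challenge(self, device_id):
        """Issue a fresh random nonce; a response is only valid for this one nonce."""
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def admit(self, device_id, response):
        """Default deny: unknown id, no outstanding challenge, or wrong MAC all fail."""
        key = self._registry.get(device_id)
        nonce = self._pending.pop(device_id, None)  # single use: replay fails
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """A supplicant that answers challenges with whatever key it actually holds."""

    def __init__(self, key):
        self._key = key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_scenarios():
    """Exercise the four cases the post describes; returns {scenario: admitted?}."""
    gk = Gatekeeper(DEVICE_KEYS)
    enrolled = Device(DEVICE_KEYS["laptop-0017"])
    rogue = Device(secrets.token_bytes(32))  # on the segment, never enrolled

    results = {}

    # 1. Enrolled device answers its own challenge: admitted.
    nonce = gk.challenge("laptop-0017")
    good_response = enrolled.respond(nonce)
    results["enrolled_device"] = gk.admit("laptop-0017", good_response)

    # 2. Replay: the captured good response is submitted against a new challenge.
    gk.challenge("laptop-0017")
    results["replayed_response"] = gk.admit("laptop-0017", good_response)

    # 3. Impersonation: rogue claims an enrolled identity but lacks its key.
    nonce = gk.challenge("laptop-0017")
    results["impersonation"] = gk.admit("laptop-0017", rogue.respond(nonce))

    # 4. Unknown device id: denied before any cryptography is even checked.
    nonce = gk.challenge("visitor-hotspot")
    results["unknown_device"] = gk.admit("visitor-hotspot", rogue.respond(nonce))

    return results


if __name__ == "__main__":
    for name, admitted in run_scenarios().items():
        print(f"{name:20s} -> {'ADMIT' if admitted else 'DENY'}")
```

The same structure applies to users as well as devices, which is the post's point: the gatekeeper never asks "are you on my subnet?", only "can you answer with a key I enrolled?", and an answer captured from a legitimate device is worthless against the next challenge.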

ardentsonata

Ars Praetorian
415
Subscriptor++
Upvote
37 (49 / -12)

Ronin_48

Smack-Fu Master, in training
84
Subscriptor
PCI-DSS has a requirement to detect “rogue” Wi-Fi networks, with the risk being something physically plugged into your servers that is sending data. However, even in the more secure data centers, usually you will detect multiple wireless networks with no mechanism to assign them to owners, so for each certification audit, auditors accepted a screenshot from a phone with the Wi-Fi network browser open. And there was nothing that you can do to block them, so the standard was kind of “let’s put it here to show we considered it, but we don’t expect you to actually do anything”.
 
Upvote
13 (13 / 0)

LexaGrey

Wise, Aged Ars Veteran
100
Subscriptor++
That very last step is what I don’t get. The target WiFi network lets unrelated neighboring devices connect that easily?


This is a nation state level hack using their best zero day resources and not something easy. According to other articles it matched identically to a hack they used to send agents in person to execute. The answer is we do not know exactly what step three is, just that it existed and in this case the IT department depended too much on internal devices being locked down.
 
Upvote
9 (9 / 0)

LexaGrey

Wise, Aged Ars Veteran
100
Subscriptor++
I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
You would need to redesign the internet from scratch to include personal identification. (Happy endgame for governments and law enforcement). The internet as it is now was fundamentally designed to work around any attempted block automatically.

Even if you attempted to destroy every physical link there would still be wireless point-to-point links set up just for the bad actors.

I will admit that evil seems to be organizing on epic criminal scales, however I personally see the internet as a far greater force of good injecting democratic ideals.

That said the last four chats I got in this silly Isekai life game were trying to recruit for Infinity Kingdom and the like. I presume some mob is getting a kickback from the developers where trafficked people are forced to act like some sort of hostess club girl asking guys to spend money to play with them. Depressing and probably equally destructively sucking money out of the economy. Maybe privacy has to go.
 
Upvote
7 (10 / -3)
I still think it's time to cut off Russia from our Internet. This story doesn't dissuade me of the merits of doing so.
If the aim is to prevent Russian threat actors from operating on the Internet at large, it’s entirely pointless. There’s nothing stopping them from covertly setting up shop in another country and basing their operations from there instead.
 
Upvote
41 (42 / -1)

Trondal

Ars Scholae Palatinae
788
Subscriptor
I will admit that evil seems to be organizing on epic criminal scales, however I personally see the internet as a far greater force of good injecting democratic ideals.
Agree; while I’d love to cut off the Russian government I’d hate to cut off access to non-government sources of information (ie the truth) for everyone else.
 
Upvote
15 (15 / 0)

bobbed

Smack-Fu Master, in training
97
Subscriptor++
I personally see the internet as a far greater force of good injecting democratic ideals.
I’m still of the same opinion, but boy is that becoming harder and harder to say for sure when you add to the equation all the unprecedented scale it brought to inherently anti-democratic echo chambers and weaponized rhetoric.

We’ve all thought it was going to lead to a necessarily more informed and less manoeuvrable electorate, but instead, two or three days before the election, a big spike on Google was on searches for “did biden drop out”.
 
Upvote
18 (18 / 0)

djdaedalus

Smack-Fu Master, in training
53
Nothing new. It's been apparent for decades that buildings have to be, to coin a new word, faradayed. I figured that out when I created an ad hoc network between our company laptops at a client who allowed me cable access to the network. The other laptop could as easily have been in the parking lot. The only defense against this and other shenanigans is to wrap the building in a grounded metal mesh, i.e. a Faraday cage. No signals out, none in. Cellular phones will have to be accommodated by an internal repeater (and that's still a vulnerability).

Real problem: lazy, ignorant management.
 
Upvote
-10 (1 / -11)

r0twhylr

Ars Tribunus Militum
2,558
Subscriptor++
From the article:

Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?
The article is limited based on the info revealed in the source article, and I think Volexity are vague on purpose here.

The accounts attacked did have MFA enabled, but only for remote logins. The GRU used a brute force attack on a web app under control of the target. Their attack didn't gain them access to the web app itself because MFA was enforced. However, once they got access denials because of the 2FA instead of user/password not found, they knew they had good credentials. It also appears that the target used SSO for the web app and its internal network.

Next, they basically went wardriving, but instead of parking outside, they used a zero-day attack on less secure networks nearby, jumping from one neighbor to another, and then attacking the target.

Neither the article nor its Volexity source explicitly states that they cracked the target's wifi password or how they might have done it.
But there are any number of ways they might have attacked the target wifi directly now that they had a foothold in a neighboring building, and I think that's a more likely scenario than an individual reusing the wifi password as their own password.

The attack still could have been stopped there, but the target's security admins didn't require MFA for on-premises logins.
 
Upvote
24 (24 / 0)

r0twhylr

Ars Tribunus Militum
2,558
Subscriptor++
How is it that a neighbour's device was able to connect to the company's WiFi network? Was there also a security weakness in the WiFi access point? Or did the company use a weak WiFi password?
Unclear, but my guess would be that the neighbor's compromised network was used as a platform to run Wifi attacks first before being used for infiltration/exfiltration.
 
Upvote
8 (8 / 0)

adamsc

Ars Praefectus
3,946
Subscriptor++
Unfortunately, zero trust requires a certain amount of buy-in from the employees. It's easy to say and implement, it's much harder to make individual users understand why this is necessary and not try to usurp the system. There are ways to keep users honest, such as MFA including biometrics and the like. But ultimately it's not about "trust no one" as some have suggested, but rather trust becomes a default-deny-till-authenticated rather than default-allow as in simple networks.

I would focus this from the other direction: IT departments and especially security folks should never lose track of the business being the top priority. People will accept a certain level of inconvenience as a necessary evil, but if you don’t prioritize usability, it starts to look less like a necessity than indifference – and if you start hearing jokes about the security group’s motto being “if you can do your job, we haven’t done ours” you can bet that there’s a lot of shadow IT (aka the requirements gathering we neglected).

This is also where I think it’s important to remember a lot of enterprise software isn’t more secure, it’s just lousy. Like if I went all in on WebAuthn and ditched all of the cruddy MFA bolt-on junk for a new fleet of Macs using Touch ID, the ChromeOS equivalent, or a few painstakingly-validated Windows Hello devices, the user experience is actually better for being more secure because the biometric check isn’t just phishing-resistant but also much faster.
 
Upvote
21 (21 / 0)

fuzzyfuzzyfungus

Ars Tribunus Angusticlavius
9,780
From the article:

Forgive me for being dense, but I find the wording here unclear - does this mean the org's AD/LDAP/some other network/file share auth mechanism's accounts were compromised using non-2FA-enabled cracked passwords, or that the org's WiFi network itself was using individual authentication and the Wi-Fi itself was compromised this way, or the overall Wi-Fi passphrase was one of the cracked passwords?

It's not entirely clear on whether the 3rd party web service the attacker was trying to connect to was enforcing MFA itself; or if it was one of the (really common) scenarios where an organization with AD accounts will have MFA enforcement tacked on at the AAD or Okta level for AD-synced accounts that need to access various 3rd party things via SAML SSO.

I'm inclined to suspect the latter given that the credentials they were able to obtain were identical to the ones they used for the attack against the wifi; though it could be that they just got lucky with password reuse being pretty common in setups where you have a 3rd party site with company logins that aren't SSO integrated (there's always at least one, and the story about why is always stupid or infuriating, and employees have an obvious incentive to reuse passwords and it's kind of hard to blame them when it really should be SSOed away...)

Regardless, the attackers obtained correct username/password pairs by testing against the web-facing authentication interface; but couldn't pass the MFA challenges; but since the username/password pairs were the same as the on-premises ones, where wifi was set up to be doing username/password authentication (obvious guess is WPA2-enterprise PEAP-MSCHAPv2; just because that's the ubiquitous way you'd do that) without an MFA hit in the loop they were able to use the compromised credentials to connect to the corporate wifi in just the same way that the employees normally did.

It's a terrible idea for other reasons but, ironically, this would be one case where WPA2-PSK would not have been vulnerable, since the PSK would not correspond to a password you could test against some web service somewhere, and the adversary had failed to gain a foothold on any company devices prior to entering the wifi.
 
Upvote
9 (9 / 0)

sleepyox

Wise, Aged Ars Veteran
219
That very last step is what I don’t get. The target WiFi network lets unrelated neighboring devices connect that easily?
According to BleepingComputer they already had the credentials for company X. But I guess VPN products like SSLVPN endpoints will require MFA if you want VPN access. But the WiFi enterprise auth method ( 802.1x ) doesn't usually require 2FA or MFA. Since they were thousands of miles away they just compromised the neighbor's network ( probably via VPN ) and found a dual homed device there ( i.e. a laptop with a WiFi adapter ) and used that as a WiFi client to connect to company X.

If that's the case, then requiring laptops with WiFi connections use pre-installed certificates ( or access cards ) instead of usernames and passwords might thwart this type of attack.

The takeaway is that they were on the other side of the world but managed to compromise a company doing Ukrainian work inside the USA.

( which incidentally sounds like a valid target in any theater of war, unlike Israeli software being used by other allied countries to oppress civilian freedoms of their own populace )
 
Upvote
5 (5 / 0)

Xelas

Ars Praefectus
5,766
Subscriptor++
How many office printers, HVAC devices, security systems and cameras, cellular hotspots (often brought onsite by visitors and vendors) and myriad other poorly-secured devices are broadcasting a wifi network and have a built-in web server? All of these are potential springboards for attacks, or for surveillance ahead of attacks, into a network due to proximity.
 
Upvote
6 (6 / 0)

BananaBonanza

Ars Scholae Palatinae
767
Subscriptor
If the aim is to prevent Russian threat actors from operating on the Internet at large, it’s entirely pointless. There’s nothing stopping them from covertly setting up shop in another country and basing their operations from there instead.
Relocation wouldn’t even be necessary. The Internet isn’t the only way to transfer data. All they’d need is a single data line to any place that does have Internet access to bridge the gap. (e.g. run a fiber line to China, or use a satellite to anywhere else)
 
Upvote
3 (3 / 0)

NotInMyBasement

Wise, Aged Ars Veteran
139
Subscriptor++
PCI-DSS has a requirement to detect “rogue” Wi-Fi networks, with the risk being something physically plugged into your servers that is sending data. However, even in the more secure data centers, usually you will detect multiple wireless networks with no mechanism to assign them to owners, so for each certification audit, auditors accepted a screenshot from a phone with the Wi-Fi network browser open. And there was nothing that you can do to block them, so the standard was kind of “let’s put it here to show we considered it, but we don’t expect you to actually do anything”.
In this case I think it's a Wi-Fi client connected to two networks, hence "dual homed". So it won't show up on an audit.
 
Upvote
2 (2 / 0)