The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

Summary:
The Nearest Neighbor Attack, utilized by the Russian APT GruesomeLarch, showcases a novel method of breaching networks by exploiting nearby Wi-Fi connections. This attack involved compromising organizations in close proximity to the target and leveraging valid credentials to gain unauthorized access. The investigation revealed the complexities of this technique and emphasized the need for enhanced security measures for Wi-Fi networks.
#NearestNeighborAttack #GruesomeLarch #WiFiSecurity

Keypoints:

  • GruesomeLarch targeted Ukrainian-related projects just before the Russian invasion of Ukraine.
  • The attack utilized living-off-the-land techniques and a zero-day privilege escalation.
  • The Nearest Neighbor Attack involved compromising nearby organizations to gain access to the target’s Wi-Fi network.
  • Valid credentials were obtained through password-spray attacks on a public-facing service.
  • Multi-factor authentication (MFA) was implemented for public services but not for the Wi-Fi network.
  • The attacker used a dual-homed system to connect to the target’s network from a compromised organization.
  • Volexity’s investigation revealed the attacker used native Windows tools to cover their tracks.
  • Remediation steps were taken to enhance security and prevent further access by the attacker.
  • The attacker managed to regain access through the Guest Wi-Fi network after initial remediation efforts.
  • Recommendations for organizations include monitoring for anomalous use of certain utilities and hardening Wi-Fi access controls.
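The last key point recommends watching for anomalous use of native Windows utilities. As an added example (not code from Volexity or from the original post), the Python below runs three such checks over constructed process-creation events: export of the SAM/SECURITY/SYSTEM registry hives with reg.exe (the credential-theft pattern behind the sam.save/security.save/system.save files listed under IoC), free-space wiping with cipher.exe /w, and Wi-Fi enumeration with netsh wlan show. The event shape (host, user, parent, command line), the assumption that it comes from Sysmon Event ID 1 or Windows 4688 command-line auditing, and the inclusion of netsh among the utilities worth baselining are all my assumptions; the sample events are invented.

```python
import re

# Constructed process-creation events in the shape one would get from
# Sysmon Event ID 1 or Windows Security 4688 with command-line auditing
# (assumption about the telemetry source; the events themselves are invented).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\jsmith\notes.txt'},
    {"host": "WS01", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmd": r"reg save HKLM\SAM C:\ProgramData\sam.save"},
    {"host": "WS01", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmd": r"reg save HKLM\SECURITY C:\ProgramData\security.save"},
    {"host": "WS01", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmd": r"reg save HKLM\SYSTEM C:\ProgramData\system.save"},
    {"host": "WS01", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmd": r"cipher.exe /w:C:\ProgramData"},
    {"host": "WS02", "user": "CORP\\helpdesk", "parent": "powershell.exe",
     "cmd": "netsh wlan show networks mode=bssid"},
    {"host": "WS03", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmd": r"cipher.exe /e C:\Users\alice\Private"},
]

# Export of the SAM/SECURITY/SYSTEM hives: all three together are what an
# attacker needs to recover credentials offline (T1003).
HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)
# cipher.exe /w:<dir> overwrites free space; /e (encrypt) is benign day-to-day use.
CIPHER_WIPE = re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I)
# Enumeration of reachable Wi-Fi networks with the built-in netsh utility
# (assumption: one of the utilities worth baselining per the recommendations).
WLAN_ENUM = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\b", re.I)

RULES = [
    ("registry_hive_export", HIVE_EXPORT),
    ("cipher_secure_wipe", CIPHER_WIPE),
    ("wifi_enumeration", WLAN_ENUM),
]


def detect(events):
    """Return one alert per (event, rule) match; events are dicts with host/user/parent/cmd."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "cmd": ev["cmd"]})
    return alerts


def full_hive_export_hosts(events):
    """Hosts on which SAM, SECURITY and SYSTEM were all exported. A single hive
    save can be legitimate admin work; the full set is the credential-theft pattern."""
    hives_by_host = {}
    for ev in events:
        m = HIVE_EXPORT.search(ev["cmd"])
        if m:
            hives_by_host.setdefault(ev["host"], set()).add(m.group(1).upper())
    return {h for h, hives in hives_by_host.items()
            if hives == {"SAM", "SECURITY", "SYSTEM"}}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmd']}")
    print("full hive export on:", sorted(full_hive_export_hosts(SAMPLE_EVENTS)))
```

On the sample, the three reg save events, the cipher.exe /w wipe and the netsh enumeration raise alerts, the /e encryption call on WS03 and the notepad launch do not, and WS01 is the only host with the complete hive set. In a real deployment the per-rule hits feed a baseline (which accounts and parents normally run these), while the full-hive-set correlation is the high-confidence signal.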

MITRE Techniques:

  • Credential Dumping (T1003): The attacker exported sensitive registry hives to obtain credentials.
  • Exploitation of Remote Services (T1210): The attacker used RDP to connect to compromised systems.
  • Network Sniffing (T1040): The attacker monitored network traffic to identify available Wi-Fi networks.
  • Brute Force (T1110): Password-spray attacks were conducted to validate credentials.
  • Data Encrypted for Impact (T1486): The attacker used Cipher.exe to securely delete files and cover tracks.
  • Access Token Manipulation (T1134): The attacker used valid credentials to authenticate to the target network.
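The key points and the Brute Force (T1110) entry describe credentials being validated by password spraying against a public-facing service and then reused on the Wi-Fi network, which had no MFA. As an added example (not code from Volexity or from the original post), the Python below flags a spray in a constructed authentication log: a source that fails logons for many distinct accounts inside a short window, plus any account that subsequently succeeded from that source, since those are the credentials worth treating as compromised on every service, not only the one that was sprayed. The log line format, the window and threshold defaults, and the RFC 5737 documentation addresses are my assumptions; the log itself is invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log in an invented one-line-per-event format
# (real sources would be e.g. VPN/webmail auth logs; this shape is an assumption).
SAMPLE_AUTH_LOG = """\
2024-02-01T03:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-02-01T03:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-02-01T03:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-02-01T03:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-02-01T03:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-02-01T03:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2024-02-01T03:04:40Z src=198.51.100.20 user=alice result=FAIL
2024-02-01T03:04:52Z src=198.51.100.20 user=alice result=SUCCESS
2024-02-01T03:10:00Z src=203.0.113.9 user=bob result=FAIL
2024-02-01T03:10:30Z src=203.0.113.9 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse(log_text):
    """Parse log lines into (timestamp, source, user, result) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than abort the whole run
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source that fails logons for at least `min_users` distinct accounts
    within `window`, and list accounts that later succeeded from that source:
    a sprayed password that worked is a credential to reset everywhere."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        recent = deque()      # failures inside the sliding window
        spray_start = None
        for ts, _, user, result in evs:
            if result != "FAIL":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({u for _, u in recent}) >= min_users:
                spray_start = recent[0][0]
                break
        if spray_start is None:
            continue
        validated = sorted({user for ts, _, user, result in evs
                            if result == "SUCCESS" and ts >= spray_start})
        findings[src] = {"first_seen": spray_start, "validated_accounts": validated}
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(parse(SAMPLE_AUTH_LOG)).items():
        print(f"spray from {src} starting {f['first_seen'].isoformat()}; "
              f"accounts validated: {', '.join(f['validated_accounts']) or 'none'}")
```

Only 203.0.113.7 is flagged on the sample: five distinct accounts fail within seconds and "frank" then succeeds. The user who mistypes a password once from 198.51.100.20 and the source that retries a single account are left alone, because the signal is breadth across accounts, not volume against one. The validated-account list is the actionable part: even where the sprayed service enforces MFA, those credentials may still work on a service that does not, as the Wi-Fi network did here.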

IoC:

  • [file name] servtask.bat
  • [file name] DefragmentSrv.zip
  • [file name] DefragmentSrv.exe
  • [file name] wayzgoose52.dll
  • [file name] out.zip
  • [file path] C:\ProgramData\sam.save
  • [file path] C:\ProgramData\security.save
  • [file path] C:\ProgramData\system.save
  • [file path] C:\Windows\Temp\MSI28122Ac.LOG
  • [file path] C:\Windows\Temp\MSI2cBfA24.LOG
  • [IP address] 172.33.xx.xx
  • [IP address] 172.20.xx.xx

Full Research: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/