Nearest Neighbor Attack: Russian Spies Use New Technique
Recent media reports, citing the cybersecurity firm Volexity, describe an unprecedented attack technique used by Russian spies. What is now being dubbed the nearest neighbor attack exploits the Wi-Fi networks of nearby organizations and leverages them for covert access. In this article, we’ll cover how the threat actor leverages those networks, the different stages of the nearest neighbor attack, and the mitigation measures that can be used to enhance protection. Let’s begin!
Nearest Neighbor Attack: Initial Discovery
The initial discovery of the nearest neighbor attack dates back to February 2022, when a custom detection signature fired at a Volexity customer site. The signal indicated that a server on the customer’s network had been compromised. The investigation revealed a skilled and motivated advanced persistent threat (APT) actor.
As per the reports, the threat actor was leveraging a novel attack vector that Volexity had not encountered prior to this incident. After the investigation concluded, it was disclosed that the entity behind the attack was a Russian threat actor that Volexity tracks as GruesomeLarch. The threat actor is also publicly known as:
- APT28.
- Forest Blizzard.
- Sofacy.
- Fancy Bear.
In addition, it was determined that the threat actor had targeted the organization to collect data from individuals with expertise and involvement in projects pertaining to Ukraine. The APT actor breached the target organization’s network by connecting to its enterprise Wi-Fi network. Volexity’s researchers stated that:
“The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A. This was done by a threat actor who was thousands of miles away and an ocean apart from the victim. Volexity is unaware of any terminology describing this style of attack and has dubbed it the Nearest Neighbor Attack.”
GRU Wi-Fi Breach Details
Despite the distance, the threat actor was able to authenticate to the target organization’s Wi-Fi network because it had acquired valid credentials. It obtained them by password-spraying a public-facing service on the organization’s network. Because that service validated the submitted credentials, every successful guess confirmed a working domain username and password.
A key factor here is that the incident may have been avoided had the organization required multi-factor authentication (MFA) on its Wi-Fi network: the enterprise Wi-Fi accepted a valid domain username and password alone. To overcome the geographical distance, the attacker first compromised other organizations in buildings close to the target, hence the name nearest neighbor attack.
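The password spraying described above has a recognizable shape in the logs of whatever service validates the credentials: one source tries a small number of passwords against many accounts, staying under the per-account lockout threshold. The following is an added example, not Volexity’s code, of detection logic for that pattern run over a constructed, simplified log (the format, IP addresses and usernames are assumptions made for the example, not data from the incident). It also reports any success from the same source inside the window, since that is a credential the attacker now holds and that must be reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Each line is
# "timestamp source_ip username result", a simplified stand-in for the logs of
# a credential-validating public service. 203.0.113.7 tries one password across
# six accounts (a spray) and lands one hit; 198.51.100.9 hammers a single account
# (brute force, not a spray); 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2022-02-01T10:00:01 203.0.113.7 alice FAIL
2022-02-01T10:00:02 203.0.113.7 bob FAIL
2022-02-01T10:00:03 203.0.113.7 carol FAIL
2022-02-01T10:00:04 203.0.113.7 dave FAIL
2022-02-01T10:00:05 203.0.113.7 erin FAIL
2022-02-01T10:00:06 203.0.113.7 frank SUCCESS
2022-02-01T10:05:00 198.51.100.9 alice FAIL
2022-02-01T10:05:01 198.51.100.9 alice FAIL
2022-02-01T10:05:02 198.51.100.9 alice FAIL
2022-02-01T10:05:03 198.51.100.9 alice FAIL
2022-02-01T10:05:04 198.51.100.9 alice FAIL
2022-02-01T10:05:05 198.51.100.9 alice FAIL
2022-02-01T11:30:00 192.0.2.44 grace FAIL
2022-02-01T11:30:30 192.0.2.44 grace SUCCESS
"""


def parse_log(text):
    """Parse the simplified log into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Return {source_ip: {"users": n, "successes": [...]}} for every source whose
    failed logons inside one window cover at least min_users distinct accounts with
    no more than max_attempts_per_user failures each. That "wide and shallow" shape
    separates a spray from a brute force against one account, and it is exactly what
    keeps the attacker under per-account lockout thresholds."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        for i, (t0, _, _, _) in enumerate(evs):          # slide the window start
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            fails = defaultdict(int)
            for _, _, user, result in in_window:
                if result == "FAIL":
                    fails[user] += 1
            sprayed = [u for u, n in fails.items() if n <= max_attempts_per_user]
            if len(sprayed) >= min_users:
                # A success from the same source in the window is a credential the
                # attacker now holds and that needs an immediate reset.
                successes = sorted({u for _, _, u, r in in_window if r == "SUCCESS"})
                findings[src] = {"users": len(sprayed), "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for src, hit in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {hit['users']} accounts, valid credentials: {hit['successes']}")
```

On the sample log only 203.0.113.7 is reported: five distinct accounts failed once each inside the window, and the same source then logged in as frank. The single-account brute force and the mistyped password do not match, which is the point of keying on distinct accounts rather than on raw failure counts.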
Volexity described the attacker’s strategy as:
“To breach another organization, and then move laterally within that organization to find systems they could access that were dual-homed. Once successful in this endeavor, having found a system that was connected to the network via a wired Ethernet connection, the threat actor would access the system and use its Wi-Fi adapter.”
After gaining access to such a dual-homed system, the attacker used its Wi-Fi adapter to connect to the SSID of the target organization’s enterprise Wi-Fi, authenticated with the stolen credentials, and thereby gained access to the target’s internal network.
Compromising one organization and then using its Wi-Fi adapters to reach the networks of other organizations in close proximity, with credentials obtained by password spraying, is a new class of attack. The tactic succeeded because of the absence of MFA on the Wi-Fi network: valid credentials and physical proximity were the only requirements the attacker had to meet to establish a connection that could then be exploited.
Threat Actor’s Activities After The Breach
The custom detection signature that fired was designed to alert on files being written to and executed from the root of the C:\ProgramData directory. The hacker activities discovered from that alert include:
- A file named C:\ProgramData\servtask.bat being written and executed.
- servtask.bat invoking the Microsoft command-line registry utility (reg.exe) and PowerShell to run multiple commands, including:
  - reg save hklm\sam C:\ProgramData\sam.save
  - reg save hklm\security C:\ProgramData\security.save
  - reg save hklm\system C:\ProgramData\system.save
  - Powershell -c "Get-ChildItem C:\ProgramData\sam.save, C:\ProgramData\security.save, C:\ProgramData\system.save ^| Compress-Archive -DestinationPath C:\ProgramData\out.zip"
The SAM and SECURITY hives hold local account password hashes and cached domain credentials, and the SYSTEM hive holds the boot key needed to decrypt them, so saving all three is a classic credential-theft step. The caret in ^| is batch-file escaping that keeps cmd.exe from interpreting the pipe itself before PowerShell sees it.
Given that sensitive registry hives had been exported and compressed into a ZIP file, the security team examined the EDR event history, system memory, and key disk artifacts. This revealed the following:
- A login from an unprivileged user account had occurred on the server over RDP.
- A file named DefragmentSrv.zip was present in that user’s directory and had been unarchived via the GUI version of WinRAR on the system.
- Two files named DefragmentSrv.exe and DefragmentSrv.bat had also been written and executed, which ultimately led to servtask.bat being written and executed.
- A file named wayzgoose52.dll had also been written to a bogus directory located at C:\ProgramData\Adobe\v3.80.15456.
Describing the attacker’s anti-forensics activity, Volexity stated that:
“The attacker had run a native Microsoft utility called Cipher.exe, which covered their tracks by securely erasing the files. While this is not the first time Volexity has encountered an attacker covering their tracks with anti-forensics methods, it is the first time Volexity had seen it done with the Cipher.exe utility.”
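The hive dump and compression commands listed above and the Cipher.exe wiping described in the quote are all visible in process-creation telemetry, and the custom signature that started the investigation (execution from the root of C:\ProgramData) is the same kind of check. The following is an added example, not Volexity’s or Microsoft’s code, of those checks run over constructed process events modelled on the article’s description; the event field names, the exact Cipher.exe argument and the benign reg query at the end are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the activity the article
# describes (not real telemetry). The last event is benign and must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\servtask.bat"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\ProgramData\sam.save"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\security C:\ProgramData\security.save"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system C:\ProgramData\system.save"},
    # In the .bat the pipe is written "^|"; by the time PowerShell is launched the
    # caret has been consumed by cmd.exe, so telemetry shows a plain "|".
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Get-ChildItem C:\ProgramData\sam.save, '
                r'C:\ProgramData\security.save, C:\ProgramData\system.save '
                r'| Compress-Archive -DestinationPath C:\ProgramData\out.zip"'},
    # cipher /w overwrites free space on the volume, destroying deleted files.
    # The target directory is an assumption; the article does not give it.
    {"image": r"C:\Windows\System32\cipher.exe",
     "cmdline": r"cipher.exe /w:C:\ProgramData"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# reg.exe exporting SAM/SECURITY/SYSTEM: SAM + SYSTEM (boot key) yields local
# password hashes, SECURITY + SYSTEM yields cached domain credentials and LSA secrets.
HIVE_DUMP_RE = re.compile(r"\bsave\s+hklm\\(sam|security|system)\b", re.I)
# A .bat/.exe/.cmd/.ps1 sitting directly in the root of C:\ProgramData (no subfolder).
PROGRAMDATA_ROOT_RE = re.compile(r"C:\\ProgramData\\[^\\\s]+\.(?:bat|exe|cmd|ps1)\b", re.I)
HIVE_ARCHIVE_RE = re.compile(r"Compress-Archive", re.I)
WIPE_RE = re.compile(r"\s/w:", re.I)


def classify(event):
    """Return the list of detection tags that match one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    tags = []
    if image == "reg.exe" and HIVE_DUMP_RE.search(cmd):
        tags.append("credential_hive_dump")
    if image == "powershell.exe" and HIVE_ARCHIVE_RE.search(cmd) and ".save" in cmd.lower():
        tags.append("hive_archive")
    if image == "cipher.exe" and WIPE_RE.search(cmd):
        tags.append("free_space_wipe")
    if PROGRAMDATA_ROOT_RE.search(cmd):
        tags.append("exec_from_programdata_root")
    return tags


def triage(events):
    """Group matching command lines by tag across a batch of events."""
    hits = defaultdict(list)
    for ev in events:
        for tag in classify(ev):
            hits[tag].append(ev["cmdline"])
    return dict(hits)


def severity(hits):
    """Dump plus archive or wipe on one host is the full chain: hashes taken, tracks covered."""
    if "credential_hive_dump" in hits and ("hive_archive" in hits or "free_space_wipe" in hits):
        return "critical"
    if hits:
        return "high"
    return "none"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tag, cmds in found.items():
        print(tag, "->", len(cmds), "event(s)")
    print("severity:", severity(found))
```

Each rule is anchored on the image name rather than on the command line alone so that a renamed binary still has to be reg.exe, powershell.exe or cipher.exe to match; the ProgramData-root rule deliberately excludes subdirectories such as the bogus Adobe folder, since that is what the original signature keyed on, and a separate rule would be needed for DLLs dropped there.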
Mitigation Measures Against Russian Military Hackers
While the investigation was ongoing, Volexity worked with the compromised organization on mitigation and prevention. These initiatives included implementing countermeasures and adding logging and network visibility in areas where they had previously been absent.
These measures gave the security experts a more in-depth understanding of the nearest neighbor attack. Even though the compromised credentials had been reset, the attacker once again gained access to the organization’s enterprise Wi-Fi.
However, the logging and network visibility deployed during the investigation allowed the experts to obtain a full packet capture of the activity of the attacker’s Wi-Fi-connected system. Commenting on the contents of the capture, Volexity stated that:
“Analysis of this packet capture revealed the attacker’s system had sent out NetBIOS Name Service (NBNS) queries that revealed its computer name and the active directory domain to which it was joined. This active directory domain revealed exactly where the attacker was connecting from, which turned out to be an organization (“Organization B”) located right across the street.”
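NBNS is chatty by design: a Windows host broadcasts registrations for its own computer name and, once domain-joined, queries DOMAIN<1C> to find domain controllers, so a capture of an attacker’s borrowed machine reveals where it lives. The following is an added example, not Volexity’s code, of a minimal NBNS packet builder and parser that decodes the RFC 1001 first-level name encoding and pulls the computer name and domain out of a constructed packet set; the names ORGB-WS01 and ORGB are made up for the example and are not the real Organization B’s.

```python
import struct

# NetBIOS name suffix (16th byte) to service/role.
NBNS_SUFFIX = {
    0x00: "workstation service (computer name)",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group name = AD domain)",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}


def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: the 15-character name (space padded) plus the
    suffix byte, each nibble mapped to a letter 'A'..'P', giving 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi, lo = hi - 0x41, lo - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_packet(opcode, name, suffix, txid=0x1234):
    """12-byte header plus one question. Flags: opcode in bits 11-14, RD and B set
    as a Windows host does on the LAN. A real registration also carries an
    additional RR with the sender's IP; the parser ignores anything after the
    question, so it is omitted in this constructed packet."""
    flags = ((opcode & 0xF) << 11) | 0x0110
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))   # QTYPE NB, QCLASS IN
    return header + question


def parse_nbns_packet(packet):
    """Decode the header opcode and the first question name of an NBNS packet."""
    txid, flags = struct.unpack("!HH", packet[:4])
    opcode = (flags >> 11) & 0xF
    if len(packet) < 45 or packet[12] != 0x20:
        raise ValueError("expected a 32-byte encoded question name at offset 12")
    name, suffix = decode_netbios_name(packet[13:45])
    return {"txid": txid, "opcode": OPCODES.get(opcode, opcode), "name": name,
            "suffix": suffix, "role": NBNS_SUFFIX.get(suffix, "unknown")}


def fingerprint_host(packets):
    """What a defender learns about the sender from its NBNS traffic alone: it
    registers its own computer name (<00>/<20>) and looks up DOMAIN<1C> to find
    domain controllers for the domain it is joined to."""
    info = {"computer_name": None, "domain": None, "seen": []}
    for p in packets:
        rec = parse_nbns_packet(p)
        info["seen"].append(f"{rec['opcode']} {rec['name']}<{rec['suffix']:02X}>")
        if rec["opcode"] == "registration" and rec["suffix"] in (0x00, 0x20):
            info["computer_name"] = rec["name"]
        elif rec["opcode"] == "query" and rec["suffix"] == 0x1C:
            info["domain"] = rec["name"]
    return info


# Constructed sample traffic from a hypothetical host on a neighbouring network;
# the names ORGB-WS01 and ORGB are made up for the example.
SAMPLE_PACKETS = [
    build_nbns_packet(5, "ORGB-WS01", 0x00),
    build_nbns_packet(0, "ORGB", 0x1C),
]

if __name__ == "__main__":
    print(fingerprint_host(SAMPLE_PACKETS))
```

The same decoding applies to a real pcap: filter UDP/137, take the 32 bytes after the 0x20 length byte at offset 12, and the suffix tells you whether the name is a host, a domain, or a browser-election artifact. Seeing a name registration or a <1C> lookup for a domain that is not your own, arriving over your enterprise SSID, is exactly the signal Volexity describes.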
Further analysis revealed that most of the data from the incident had been copied back to the attacker’s system. In some cases, however, the attacker staged data in directories on a public-facing web server and then exfiltrated the files by downloading them from the internet.
This is a common technique used by attackers in many types of breaches. Monitoring for it can be difficult, but opportunities exist if unexpected files on web servers or large file transfers can be monitored. Reviewing web server access logs can also help identify such activity.
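One concrete form of the web-log monitoring suggested above is to compare each successful response against an inventory of the paths that are supposed to exist on the site and to flag large transfers, or any archive download, for paths outside it. The following is an added example, not Volexity’s code, run over constructed Apache combined-format lines; the client addresses, the /images/cache/ path and the inventory set are assumptions made for the example and are not from the incident.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed Apache combined-format lines (not from the incident). The archive
# under /images/cache/ and the client IPs are made up for the example.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Feb/2022:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Feb/2022:09:15:10 +0000] "GET /css/site.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:22:41:55 +0000] "GET /images/cache/out.zip HTTP/1.1" 200 73400320 "-" "curl/7.79.1"
198.51.100.22 - - [10/Feb/2022:23:01:17 +0000] "GET /downloads/brochure.pdf HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2022:00:02:09 +0000] "GET /images/cache/out2.zip HTTP/1.1" 404 512 "-" "curl/7.79.1"
"""

# Assumed content inventory of the site: paths that are supposed to be served.
KNOWN_PATHS = {"/index.html", "/css/site.css", "/downloads/brochure.pdf"}


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
        entries.append(d)
    return entries


def find_staged_exfil(entries, known_paths, min_bytes=10 * 1024 * 1024):
    """Flag requests for paths outside the inventory that either transferred at
    least min_bytes successfully or target an archive file (even a 404 for one
    shows someone probing for staged data), and total the bytes per client."""
    archive = re.compile(r"\.(zip|rar|7z|tar|gz|tgz)$", re.I)
    out = defaultdict(lambda: {"bytes": 0, "paths": []})
    for e in entries:
        unknown = e["path"] not in known_paths
        large_ok = e["status"] == 200 and e["bytes"] >= min_bytes
        if unknown and (large_ok or archive.search(e["path"])):
            out[e["ip"]]["bytes"] += e["bytes"] if e["status"] == 200 else 0
            out[e["ip"]]["paths"].append(e["path"])
    return dict(out)


if __name__ == "__main__":
    for ip, hit in find_staged_exfil(parse_access_log(SAMPLE_LOG), KNOWN_PATHS).items():
        print(f"{ip}: {hit['bytes']} bytes via {hit['paths']}")
```

The inventory is the important input: without it, a large legitimate download is indistinguishable from staged data. Where no inventory exists, a baseline built from a known-clean period of the same log serves the same purpose, and pairing the log check with a file-integrity scan of the web root catches files that are staged but never fetched.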
Conclusion
The nearest neighbor attack represents a chilling evolution in cyber espionage, blending proximity-based breaches with credential theft by password spraying and anti-forensics tactics. By exploiting weaknesses like the absence of MFA and leveraging nearby networks, actors like APT28 demonstrate how advanced threats can target sensitive data with precision.
Organizations must adopt robust countermeasures, including multi-factor authentication, enhanced network visibility, and thorough log analysis, to mitigate risks. Vigilance against novel techniques like these is crucial as cyber threats continue to evolve, pushing the boundaries of traditional security defenses.
The sources for this piece include articles in Wired and Volexity.
