TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Volexity

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

mindgrub · 2024-11-22

ATT&CK techniques detected

50 predictions
T1078 Valid Accounts · 99%
“the street. volexity was able to get in touch with organization b and work with them to investigate this matter further. this is where volexity ultimately uncovered how the attacker was operating, and how the nearest neighbor attack worked. in coordination with organization b, vo…”

T1003.003 NTDS · 99%
“create a volume shadow copy, e.g., the following: vssadmin create shadow /for=c: /quiet retrieve a copy of the ntds.dit file and the system registry hive from the volume shadow copy: copy \\?\globalroot\device\harddiskvolumeshadowcopy1\windows\ntds\ntds.dit [dest] copy \\?\glo…”

T1490 Inhibit System Recovery · 97%
“…e, that ships with every modern version of windows: the following functionality was used to overwrite deleted data in a particular folder: cmd.exe /c cipher /w:c the microsoft documentation describes this in the following way: the effect is that attackers are able to se…”

T1078 Valid Accounts · 95%
“…’s enterprise wi-fi using credentials they had compromised. a redacted copy of the c# code embedded in the custom powershell script is available here. additional analysis of systems at organization b revealed the intruder had two modes of access to their network. the first wa…”

T1090.003 Multi-hop Proxy · 94%
“further. in any case, all of these findings gave volexity a full understanding of the attacker’s operations and allowed the team to confidently recommend further mitigations and remediation instructions to organization a. at this point the attacker’s access was cut off from o…”

T1003.001 LSASS Memory · 92%
“…ragmentsrv.exe and defragmentsrv.bat, were also written and executed; that chain ultimately led to the writing and execution of servtask.bat. a file named wayzgoose52.dll was also written to a bogus directory located at c:\programdata\adobe\v3.80.15456. volexity was keen …”

T1490 Inhibit System Recovery · 90%
“that attackers are able to securely delete their tools using native windows functionality without bringing a new tool or writing their own code, thus making recovery of attacker tools more difficult for forensic analysts. the attacker in this case was meticulous in their use of t…”

T1068 Exploitation for Privilege Escalation · 90%
“. attribution initially, volexity was not able to attribute this intrusion to a known threat actor. the attacker was largely using living-off-the-land techniques, and any tooling or ip addresses they used made it difficult for volexity to zero in on a possible culprit. howe…”

T1078 Valid Accounts · 90%
“service on organization a’s network to validate credentials. and while credentials could be validated, they could not be used against organization a’s public services due to implementation of multi-factor authentication (mfa). the enterprise wi-fi network, however, did …”

T1110.003 Password Spraying · 86%
“or not. upon examining those logs, volexity found that in january and february, password-spray attacks had been carried out against this service and three accounts had been successfully compromised by an attacker. two of the three accounts identified were those volexity had ide…”

T1090.003 Multi-hop Proxy · 84%
“was cut off from organization a’s enterprise wi-fi, and they have not been observed connecting to this network since then. one final hurrah: the guest wi-fi over a month after the last observed threat actor activity, and following various remediation steps, volexity had ye…”

T1078 Valid Accounts · 82%
“in the investigation. not long after getting access to the wireless controller, volexity was able to find the ip address of the attacker and tie it to an authenticated domain user and a mac address. armed with this new information, volexity was able to examine organization a’s …”

T1068 Exploitation for Privilege Escalation · 79%
“…ity to zero in on a possible culprit. however, once volexity was able to determine who and what was being targeted internally, it immediately suspected that this was the activity of a russian threat actor, but which one? then, in april 2024, microsoft published research on fore…”

T1078 Valid Accounts · 78%
“nbns) queries that revealed its computer name and the active directory domain to which it was joined. this active directory domain revealed exactly where the attacker was connecting from, which turned out to be an organization (“organization b”) located right across the stre…”

T1078 Valid Accounts · 75%
“. the first was with credentials that allowed them to connect to their vpn, which was not protected with mfa. volexity also found evidence the attacker had been connecting to organization b’s wi-fi from another network that belonged to another nearby organization (“organiza…”

T1564.004 NTFS File Attributes · 73%
“….exe c:\programdata\[var]\v%u.%02u.%04u these exact file names and paths were observed in the incident investigated by volexity. microsoft’s report also showed what commands were in the servtask.bat file, which were identical to what volexity had seen where registry …”

T1621 Multi-Factor Authentication Request Generation · 73%
“little far-fetched. however, volexity discovered that gruesomelarch was successful in breaching more than one organization within close proximity to organization a. and they were able to find and compromise a dual-homed system at a nearby organization, allowing them to connec…”

T1556.006 Multi-Factor Authentication · 72%
“little far-fetched. however, volexity discovered that gruesomelarch was successful in breaching more than one organization within close proximity to organization a. and they were able to find and compromise a dual-homed system at a nearby organization, allowing them to connec…”

T1572 Protocol Tunneling · 72%
“was one system that was accessible from both the wi-fi network and the corporate wired network. armed with the credentials of an account that had not been reset, and the fact that the wi-fi network was not completely isolated, the attacker was able to pivot back into the corp…”

T1078 Valid Accounts · 70%
“able to examine organization a’s radius logs and find authentication events tied to the user and mac address that had just been discovered. this same mac address and user account appeared in older logs overlapping with the initial breach. however, volexity found additional auth…”

T1059.001 PowerShell · 69%
“…curity c:\programdata\security.save reg save hklm\system c:\programdata\system.save powershell -c “get-childitem c:\programdata\sam.save, c:\programdata\security.save, c:\programdata\system.save ^| compress-archive -destinationpath c:\programdata\out.zip” this imm…”

T1078 Valid Accounts · 69%
“however, did not require mfa and only required a user’s valid domain username and password to authenticate. meanwhile, the threat actor was halfway around the world and could not actually connect to organization a’s enterprise wi-fi network. to overcome this hurdle, the thr…”

T1090.001 Internal Proxy · 68%
“was one system that was accessible from both the wi-fi network and the corporate wired network. armed with the credentials of an account that had not been reset, and the fact that the wi-fi network was not completely isolated, the attacker was able to pivot back into the corp…”

T1110.003 Password Spraying · 67%
“able to examine organization a’s radius logs and find authentication events tied to the user and mac address that had just been discovered. this same mac address and user account appeared in older logs overlapping with the initial breach. however, volexity found additional auth…”

T1560.001 Archive via Utility · 64%
“…globalroot\device\harddiskvolumeshadowcopy1\windows\ntds\ntds.dit [dest] copy \\?\globalroot\device\harddiskvolumeshadowcopy1\windows\system32\config\system [dest] download the copied files. to download the files (which were fairly large) the attacker compressed them using a powershel…”

T1090.001 Internal Proxy · 60%
“pivot back into the corporate wired network and ultimately regain access to the high-value targeted data. to achieve this pivot, the attacker used the windows utility netsh to set up a series of port-forwards that allowed them to reach the target systems. example commands use…”

T1055.001 Dynamic-link Library Injection · 59%
“…ragmentsrv.exe and defragmentsrv.bat, were also written and executed; that chain ultimately led to the writing and execution of servtask.bat. a file named wayzgoose52.dll was also written to a bogus directory located at c:\programdata\adobe\v3.80.15456. volexity was keen …”

T1059.001 PowerShell · 56%
“not protected by mfa, meaning proximity to the target network and valid credentials were the only requirements to connect. this blog post aims to shed light on the tactics, techniques, and procedures (ttps) volexity observed during its incident investigation, and to provide a d…”

T1074.001 Local Data Staging · 56%
“(edr) products may naturally detect this behavior as being potentially malicious. however, for additional detection opportunities, organizations can create custom edr signatures to look for a privileged account which exhibits the following: any use of vssadmin.exe copying or …”

T1078 Valid Accounts · 55%
“or not. upon examining those logs, volexity found that in january and february, password-spray attacks had been carried out against this service and three accounts had been successfully compromised by an attacker. two of the three accounts identified were those volexity had ide…”

T1021 Remote Services · 46%
“service on organization a’s network to validate credentials. and while credentials could be validated, they could not be used against organization a’s public services due to implementation of multi-factor authentication (mfa). the enterprise wi-fi network, however, did …”

T1021 Remote Services · 44%
“however, did not require mfa and only required a user’s valid domain username and password to authenticate. meanwhile, the threat actor was halfway around the world and could not actually connect to organization a’s enterprise wi-fi network. to overcome this hurdle, the thr…”

T1021 Remote Services · 43%
“the street. volexity was able to get in touch with organization b and work with them to investigate this matter further. this is where volexity ultimately uncovered how the attacker was operating, and how the nearest neighbor attack worked. in coordination with organization b, vo…”

T1204.002 Malicious File · 41%
“…curity.save, c:\programdata\system.save ^| compress-archive -destinationpath c:\programdata\out.zip” this immediately put the volexity threat detection & response team on high alert, as they could see sensitive registry hives were being exported and compressed into a zi…”

T1572 Protocol Tunneling · 40%
“pivot back into the corporate wired network and ultimately regain access to the high-value targeted data. to achieve this pivot, the attacker used the windows utility netsh to set up a series of port-forwards that allowed them to reach the target systems. example commands use…”

T1110.003 Password Spraying · 38%
“in the investigation. not long after getting access to the wireless controller, volexity was able to find the ip address of the attacker and tie it to an authenticated domain user and a mac address. armed with this new information, volexity was able to examine organization a’s …”

T1021.001 Remote Desktop Protocol · 38%
“was one system that was accessible from both the wi-fi network and the corporate wired network. armed with the credentials of an account that had not been reset, and the fact that the wi-fi network was not completely isolated, the attacker was able to pivot back into the corp…”

T1556.006 Multi-Factor Authentication · 38%
“a’s enterprise wi-fi and authenticate to it, thus granting them access to organization a’s network. the anatomy of the nearest neighbor attack is shown below. at this point it would be understandable if you’re thinking this sounds a little far-fetched. however, volexity…”

T1070.004 File Deletion · 36%
“that attackers are able to securely delete their tools using native windows functionality without bringing a new tool or writing their own code, thus making recovery of attacker tools more difficult for forensic analysts. the attacker in this case was meticulous in their use of t…”

T1021 Remote Services · 36%
“than other resources, such as email or vpn. in this case, an attacker figured out how to abuse these controls, even though they were far beyond their geographic reach, using the following workflow: compromise an organization in the physical geographic vicinity of their target. f…”

T1564.004 NTFS File Attributes · 35%
“not protected by mfa, meaning proximity to the target network and valid credentials were the only requirements to connect. this blog post aims to shed light on the tactics, techniques, and procedures (ttps) volexity observed during its incident investigation, and to provide a d…”

T1074.001 Local Data Staging · 35%
“…globalroot\device\harddiskvolumeshadowcopy1\windows\ntds\ntds.dit [dest] copy \\?\globalroot\device\harddiskvolumeshadowcopy1\windows\system32\config\system [dest] download the copied files. to download the files (which were fairly large) the attacker compressed them using a powershel…”

T1090.002 External Proxy · 35%
“was cut off from organization a’s enterprise wi-fi, and they have not been observed connecting to this network since then. one final hurrah: the guest wi-fi over a month after the last observed threat actor activity, and following various remediation steps, volexity had ye…”

T1055.001 Dynamic-link Library Injection · 34%
“…ity found that the attacker was connecting in this time from organization c. volexity again contacted organization c and also worked with organization a to take new remediation steps to resolve this new intrusion. since this final activity related to the guest wi-fi network, …”

T1110.003 Password Spraying · 34%
“projects actively involving ukraine. the month-and-a-half long investigation revealed that gruesomelarch was able to ultimately breach organization a’s network by connecting to their enterprise wi-fi network. the threat actor accomplished this by daisy-chaining their …”

T1560.001 Archive via Utility · 33%
“…curity.save, c:\programdata\system.save ^| compress-archive -destinationpath c:\programdata\out.zip” this immediately put the volexity threat detection & response team on high alert, as they could see sensitive registry hives were being exported and compressed into a zi…”

T1074 Data Staged · 32%
“or moving of files from the volumeshadowcopy directories powershell commands indicating in-line compression of files staging data for exfiltration the majority of the data from this incident was copied back to the attacker’s system, which was connected to the wi-fi. however…”

T1074 Data Staged · 31%
“(edr) products may naturally detect this behavior as being potentially malicious. however, for additional detection opportunities, organizations can create custom edr signatures to look for a privileged account which exhibits the following: any use of vssadmin.exe copying or …”

T1021 Remote Services · 31%
“nbns) queries that revealed its computer name and the active directory domain to which it was joined. this active directory domain revealed exactly where the attacker was connecting from, which turned out to be an organization (“organization b”) located right across the stre…”

T1087.002 Domain Account · 30%
“attacker resurfaced. when the attacker returned, volexity was able to get some answers. volexity learned the ip address segment the attacker was coming from was associated with organization a’s enterprise wi-fi network, and one of the domain controllers on the network acted a…”

Summary

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had […]
