ARSTECHNICA.COM
Spies hack Wi-Fi networks in far-off land to launch attack on target next door
Nearest Neighbor Attack finally lets Russia's Fancy Bear into target's Wi-Fi network.

Dan Goodin, Nov 22, 2024 9:03 pm

Credit: Getty Images

One of 2024's coolest hacking tales occurred two years ago, but it wasn't revealed to the public until Friday at the Cyberwarcon conference in Arlington, Virginia. Hackers with ties to Fancy Bear, the spy agency operated by Russia's GRU, broke into the network of a high-value target after first compromising a Wi-Fi-enabled device in a nearby building and using it to exploit compromised accounts on the target's Wi-Fi network.

The attack, from a group security firm Volexity calls GruesomeLarch, shows the boundless lengths well-resourced hackers will take to hack high-value targets, presumably only after earlier hack attempts haven't worked. When the GruesomeLarch cabal couldn't get into the target network using easier methods, they hacked a Wi-Fi-enabled device in a nearby building and used it to breach the target's network next door. After the first neighbor's network was disinfected, the hackers successfully performed the same attack on a device of a second neighbor.

Too close for comfort

"This is a fascinating attack where a foreign adversary essentially conducted a close access operation while being physically quite far away," Steven Adair, a researcher and the president of Volexity, wrote in an email. "They were able to launch an attack that historically had required being in close proximity to the target but found a way to conduct it in a way which completely eliminated the risk of them being caught in the real world."

While stalking its target, GruesomeLarch performed credential-stuffing attacks that compromised the passwords of several accounts on a web service platform used by the organization's employees. Two-factor authentication enforced on the platform, however, prevented the attackers from compromising the accounts.

So GruesomeLarch found devices in physically adjacent locations, compromised them, and used them to probe the target's Wi-Fi network. It turned out credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only no 2FA was required.

Adding further flourish, the attackers hacked one of the neighboring Wi-Fi-enabled devices by exploiting what in early 2022 was a zero-day vulnerability in the Microsoft Windows Print Spooler.

Credit: Volexity

The 2022 hack demonstrates how a single faulty assumption can undo an otherwise effective defense. For whatever reason (likely an assumption that 2FA on the Wi-Fi network was unnecessary because attacks required close proximity) the target deployed 2FA on the Internet-connecting web services platform (Adair isn't saying what type) but not on the Wi-Fi network. That one oversight ultimately torpedoed a robust security practice.

Advanced persistent threat groups like GruesomeLarch, a part of the much larger GRU APT with names including Fancy Bear, APT28, Forest Blizzard, and Sofacy, excel in finding and exploiting these sorts of oversights.

Volexity's post describing the 2022 attack provides plenty of technical details about the compromise on the many links in this sophisticated daisy chain attack flow. There's also useful advice for protecting networks against these sorts of compromises.

Dan Goodin, Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
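The gap the article describes (passwords that 2FA stopped on the web platform, then accepted on the Wi-Fi network with no second factor) leaves a trace a defender can look for: a "password correct but MFA blocked" event on the web side, followed by a Wi-Fi authentication success for the same account from a client never seen before. The Python script below, added here as an example and not taken from the Ars article or from Volexity's report, correlates the two log sources and also flags the credential-stuffing phase (one source IP trying many accounts). The log format, field names and sample events are constructed for the illustration; real IdP and RADIUS logs would need their own parsers.

```python
"""Correlate web-portal (2FA-protected) and Wi-Fi/RADIUS (password-only)
authentication logs. Log format and sample events are constructed for this
example; they are not from the article or from Volexity."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str   # "web" (portal with 2FA) or "wifi" (802.1X/RADIUS, password only)
    user: str
    outcome: str  # web: password_bad | password_ok_mfa_blocked | success
                  # wifi: success | failure
    client: str   # web: source IP; wifi: client MAC address


def parse_log(text):
    """Parse constructed lines '<iso-ts> <source> user=<u> outcome=<o> client=<c>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, source, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append(AuthEvent(datetime.fromisoformat(ts_s), source,
                                fields["user"], fields["outcome"], fields["client"]))
    return sorted(events, key=lambda e: e.ts)


def find_reuse_after_mfa_block(events, window=timedelta(days=7)):
    """Flag Wi-Fi successes from a client never seen for that account before,
    within `window` after a web login where the password was right but 2FA
    stopped it. Earlier Wi-Fi successes build the per-user client baseline."""
    mfa_blocked = defaultdict(list)    # user -> timestamps of password_ok_mfa_blocked
    known_clients = defaultdict(set)   # user -> Wi-Fi clients already seen
    hits = []
    for e in events:
        if e.source == "web" and e.outcome == "password_ok_mfa_blocked":
            mfa_blocked[e.user].append(e.ts)
        elif e.source == "wifi" and e.outcome == "success":
            new_client = e.client not in known_clients[e.user]
            recent_block = any(timedelta(0) <= e.ts - t <= window
                               for t in mfa_blocked[e.user])
            if new_client and recent_block:
                hits.append((e.user, e.ts, e.client))
            known_clients[e.user].add(e.client)
    return hits


def find_stuffing_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Return web source IPs that tried `min_users` or more distinct accounts
    (any non-success outcome) within `window`: the credential-stuffing phase."""
    per_ip = defaultdict(list)
    for e in events:                   # events are already sorted by time
        if e.source == "web" and e.outcome != "success":
            per_ip[e.client].append((e.ts, e.user))
    flagged = []
    for ip, attempts in per_ip.items():
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged.append(ip)
                break
    return sorted(flagged)


# Constructed sample: a stuffing burst from one IP, two passwords accepted but
# stopped by 2FA (bob, dave), then bob's password works on Wi-Fi from a new MAC.
SAMPLE_LOG = """
2022-02-01T09:00:00 wifi user=alice outcome=success client=aa:bb:cc:00:00:01
2022-02-01T09:01:00 wifi user=bob outcome=success client=aa:bb:cc:00:00:02
2022-02-03T22:00:00 web user=alice outcome=password_bad client=203.0.113.7
2022-02-03T22:00:05 web user=bob outcome=password_ok_mfa_blocked client=203.0.113.7
2022-02-03T22:00:10 web user=carol outcome=password_bad client=203.0.113.7
2022-02-03T22:00:15 web user=dave outcome=password_ok_mfa_blocked client=203.0.113.7
2022-02-03T22:00:20 web user=erin outcome=password_bad client=203.0.113.7
2022-02-04T08:30:00 web user=alice outcome=success client=198.51.100.20
2022-02-05T03:12:00 wifi user=bob outcome=success client=de:ad:be:ef:00:01
2022-02-05T03:13:00 wifi user=dave outcome=failure client=de:ad:be:ef:00:01
2022-02-06T09:00:00 wifi user=alice outcome=success client=aa:bb:cc:00:00:01
"""


def analyze(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    return {"reuse": find_reuse_after_mfa_block(events),
            "stuffing_sources": find_stuffing_sources(events)}


if __name__ == "__main__":
    for user, ts, client in analyze()["reuse"]:
        print(f"ALERT cross-channel reuse: {user} on Wi-Fi from new client {client} at {ts}")
    for ip in analyze()["stuffing_sources"]:
        print(f"ALERT credential stuffing from {ip}")
```

The baseline of known Wi-Fi clients is built from the log itself, so the first run over a fresh log treats every account's earliest Wi-Fi client as legitimate; in practice the baseline would come from a longer history. The window sizes are tuning knobs, not findings from the article.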
39 Comments

Staff Picks

fuzzyfuzzyfungus: I don't think we're cool enough to be worth the trouble; but there's another incentive to swap out MSCHAPv2 and get certs in place.... With the more banal reason being that MS is not getting any less shy about Credential Guard moving toward breaking PEAP-MSCHAPv2.
November 23, 2024 at 2:36 am