Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com)
"Steven Adair, of cybersecurity firm Volexity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes Longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."
Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.
Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.
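The clue that broke the case above was the relay device announcing another organisation's domain in the traffic it generated. A defender-side check built on that idea, as an added Python example (not Volexity's tooling or anything from the article): it scans access-point association records for clients whose advertised hostname carries a domain suffix that is not the organisation's own. The log format, hostnames, MACs and domains are all constructed for this example.

```python
"""Flag Wi-Fi clients whose announced host domain is not ours.

Constructed example: the syslog-like format below is invented, as are the
domains corp.example (ours) and neighbor.example (someone else's).
"""
import re
from dataclasses import dataclass

# Constructed AP association records: MAC, SSID joined, and the hostname/FQDN
# the client itself announced (e.g. via DHCP option 12/15 or NetBIOS).
SAMPLE_LOG = """\
2022-02-14T09:12:03 ap-confroom-4 assoc mac=aa:bb:cc:00:00:01 ssid=CORP-WIFI host=ws-0412.corp.example
2022-02-14T09:15:47 ap-confroom-4 assoc mac=aa:bb:cc:00:00:02 ssid=CORP-WIFI host=lt-7731.neighbor.example
2022-02-14T09:16:02 ap-lobby-1 assoc mac=aa:bb:cc:00:00:03 ssid=CORP-WIFI host=LAPTOP-8K2
2022-02-14T10:01:11 ap-confroom-4 assoc mac=aa:bb:cc:00:00:02 ssid=CORP-WIFI host=lt-7731.neighbor.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) assoc mac=(?P<mac>\S+) ssid=(?P<ssid>\S+) host=(?P<host>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    mac: str
    host: str
    ap: str
    severity: str   # "high" = foreign domain, "low" = no domain suffix at all
    reason: str

def advertised_domain(host):
    """Return the domain suffix of an announced hostname, or None if it is bare."""
    host = host.lower().rstrip(".")
    return host.split(".", 1)[1] if "." in host else None

def find_foreign_clients(log_text, own_domains):
    """Return one Finding per (mac, host) pair whose domain is not one of ours."""
    own = {d.lower() for d in own_domains}
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (m["mac"], m["host"]) in seen:
            continue
        dom = advertised_domain(m["host"])
        if dom is None:
            sev, reason = "low", "client announces no domain suffix"
        elif dom in own or any(dom.endswith("." + d) for d in own):
            continue                      # our own domain or a sub-domain of it
        else:
            sev, reason = "high", f"client announces foreign domain {dom}"
        seen.add((m["mac"], m["host"]))
        findings.append(Finding(m["mac"], m["host"], m["ap"], sev, reason))
    return findings
```

Feeding real association or DHCP logs into this is useful only where all domain-joined clients are known to announce an FQDN; the "low" findings are review candidates, while a "high" finding from a conference-room AP is the scenario the article describes.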
Good news everyone (Score:2)
Re: Good news everyone (Score:1)
Fascinating (Score:2)
That's clever, tricky, and innovative.
Security and broadcast radio don't go together. (Score:5, Insightful)
Convenience will keep that avenue of attack open.
Re: (Score:2)
Re: Security and broadcast radio don't go together (Score:1)
Re: (Score:3)
Those motherboards generally come with antenna ports because you don't want the antenna itself on, or right next to, the motherboard. Even if the BIOS/UEFI for some reason doesn't have a way to turn off the Wi-Fi chip, you can put a terminating cap on the antenna port so that anything coming out of it just gets displayed as heat from a resistor. If this is a Windows box in an enterprise, domain policies can disable Wi-Fi.
There are lots of ways to mitigate security risks from onboard Wi-Fi.
Re: Security and broadcast radio don't go together (Score:2)
What I saw when I went looking was mostly M.2 WiFi slots; my motherboard has one. It leaves me the option to choose one or none; I went with the latter and use my AP to bridge.
Re: (Score:2)
Not nearly as cool. (Score:2)
I remember the ad-hoc sound-card networking some hacker pulled off for low bandwidth communication.
Re: (Score:2)
DNC hack of 2016 (Score:2, Informative)
The so-called DNC hack was an inside job. Going on the file date-and-time stamps, they were copied locally.
DNC interim chair Donna Brazile: “There’s one person who stands to benefit from these criminal acts, and that’s Donald Trump”
Re: (Score:2)
Brazile is an evil lying cheater. She gave Hillary debate questions ahead of time.
Bernie Sanders was the biggest beneficiary of the DNC Leaks.
DNC was broke and the Clinton Foundation gave them a bailout in exchange for rigging the primary against Bernie.
The leaks proved that.
He still simpped out and endorsed her.
Re: DNC hack of 2016 (Score:2)
He still would rather act strategically than let emotions rule him.
Vault 7? (Score:2)
Was it Vault 7 where spooks were caught quartering their soldier code in the people's home Linksys routers for proxy attacks?
Somebody correct me if that was a different leak.