Russian state-sponsored hacking group APT28 (Fancy Bear/Forest Blizzard/Sofacy) has employed a novel "nearest neighbor attack" to breach enterprise WiFi networks from thousands of miles away. The attack, first detected on February 4, 2022, targeted a U.S. company in Washington, D.C., involved in Ukraine-related projects. Cybersecurity firm Volexity identified the intrusion, highlighting APT28’s innovative approach to bypass multi-factor authentication (MFA).
APT28 initiated the attack by breaching a nearby organization's WiFi network and looking for dual-homed devices, such as laptops or routers with both a wired and a wireless connection. A compromised device of that kind could be used to join the target's WiFi network. By daisy-chaining access through multiple neighboring organizations in this way, the hackers connected to the victim's wireless network and moved laterally from there.
The hackers bypassed multi-factor authentication on the company's WiFi network despite being physically located thousands of miles away. Once within range, they compromised three wireless access points near the target's conference room windows and used Remote Desktop Protocol (RDP) from an unprivileged user account to roam across the network.
The attackers dumped Windows registry hives (SAM, Security, and System) using a script called servtask.bat, compressing them into a ZIP file for exfiltration. This process allowed APT28 to gather sensitive data without causing significant disruptions to the target network. The focus of the attack was on individuals and projects related to Ukraine, in line with Russia’s geopolitical interests.
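Detection logic a defender could run over process-creation telemetry to catch the hive-dump-then-compress sequence described above. This is an added example, not Volexity's analysis code or anything from the intrusion itself; the host names, timestamps, user names, command lines and the ten-minute correlation window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events: (host, time, user, command line).
# Modelled on the activity described above: a batch script saving the SAM,
# SECURITY and SYSTEM hives, then compressing the output for exfiltration.
SAMPLE_EVENTS = [
    ("WS-42", "2022-02-04 03:11:05", "jdoe",  r"reg save HKLM\SAM C:\Windows\Temp\sam.save"),
    ("WS-42", "2022-02-04 03:11:06", "jdoe",  r"reg save HKLM\SECURITY C:\Windows\Temp\security.save"),
    ("WS-42", "2022-02-04 03:11:07", "jdoe",  r"reg save HKLM\SYSTEM C:\Windows\Temp\system.save"),
    ("WS-42", "2022-02-04 03:12:40", "jdoe",  r"powershell Compress-Archive -Path C:\Windows\Temp\*.save -DestinationPath C:\Windows\Temp\out.zip"),
    ("WS-07", "2022-02-04 09:00:00", "admin", r"reg save HKLM\SYSTEM D:\backup\system.bak"),
    ("WS-07", "2022-02-04 09:30:00", "admin", r"notepad.exe C:\notes.txt"),
]

# reg.exe saving or exporting one of the three hives needed for offline credential extraction.
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)
# Common built-in or bundled ways to bundle files into an archive on Windows.
ARCHIVE_RE = re.compile(r"compress-archive|7z(?:\.exe)?\s+a\b|rar(?:\.exe)?\s+a\b|makecab", re.I)

def detect_hive_dump(events, window=timedelta(minutes=10)):
    """Return per-host alerts: which hives were saved and whether an archive
    command followed within `window` of the first hive save.
    All three hives plus archiving is rated high, anything else medium."""
    by_host = defaultdict(list)
    for host, ts, user, cmd in events:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, cmd))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        hives, first_save, archived = set(), None, False
        for t, user, cmd in evs:
            m = HIVE_RE.search(cmd)
            if m:
                hives.add(m.group(1).upper())
                first_save = first_save or t
            elif first_save and ARCHIVE_RE.search(cmd) and t - first_save <= window:
                archived = True
        if hives:
            complete = hives == {"SAM", "SECURITY", "SYSTEM"}
            alerts[host] = {
                "hives": sorted(hives),
                "archived": archived,
                "severity": "high" if complete and archived else "medium",
            }
    return alerts
```

A lone SYSTEM save (as on WS-07) is often legitimate backup activity, which is why the rule only escalates when all three hives are taken and then packaged together.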
Volexity's investigation revealed that APT28 was particularly interested in data from individuals with expertise in Ukraine-related projects. This highlights the targeted nature of the attack, aimed at collecting intelligence from a specific field of work.
The attack underscores the need for robust WiFi security and network segmentation. APT28's ability to exploit physical proximity and dual-homed devices highlights the growing sophistication of cyberattacks. Organizations should consider the following measures:
APT28’s "nearest neighbor attack" serves as a reminder of the advanced techniques used by state-sponsored hackers. Vigilance, along with layered cybersecurity defenses, is crucial in defending against such sophisticated attacks.
In this blog post, we’ll delve into the details of CVE-2024-21412, its impact, and the tactics employed by threat actors to bypass SmartScreen.
CVE-2024-21412 is a security flaw that affects Microsoft SmartScreen, a component integrated into various Microsoft products, including Windows Defender and Microsoft Edge. SmartScreen analyzes URLs and files to determine their safety and warns users if they attempt to access potentially harmful content. However, this vulnerability allows attackers to evade SmartScreen’s protective measures.
The primary vector for exploiting CVE-2024-21412 is through internet shortcuts (URL files). These files contain references to websites and are commonly used for creating desktop shortcuts or bookmarks. By crafting a malicious URL file, threat actors can trick SmartScreen into allowing access to dangerous sites or downloads.
The Water Hydra advanced persistent threat (APT) group is at the forefront of exploiting this vulnerability. Their sophisticated techniques involve creating specially crafted URL files that appear harmless to SmartScreen. Once a victim clicks on the shortcut, the associated website delivers a payload—often the DarkMe remote access trojan (RAT).
Interestingly, CVE-2024-21412 emerged as a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025). This highlights the cat-and-mouse game between security researchers and threat actors: even after a patch is released, attackers keep probing for new attack vectors, and here the new vector rendered the earlier patch ineffective.
The Water Hydra group’s campaign exploiting CVE-2024-21412 has primarily targeted regions such as Spain, the United States, and Australia. Their choice of targets suggests a deliberate strategy to compromise high-value systems and organizations.
Ensure that your operating system and security software are up to date. Regularly check for patches and apply them promptly.
Be cautious when opening internet shortcuts (URL files). Verify the source and destination before clicking on any links.
Educate users about the risks associated with SmartScreen bypass vulnerabilities. Awareness is crucial in preventing successful attacks.