Okay, so we may need to adjust our threat models slightly?
"The month-and-a-half long investigation revealed that GruesomeLarch was able to ultimately breach Organization A’s network by connecting to their enterprise Wi-Fi network. The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A. This was done by a threat actor who was thousands of miles away and an ocean apart from the victim. Volexity is unaware of any terminology describing this style of attack and has dubbed it the Nearest Neighbor Attack."
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated a threat actor had compromised a server on the customer’s network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity had not previously encountered.
Volexity (www.volexity.com)
-
@briankrebs nice
-
Adam Shostack replied to BrianKrebs
@briankrebs I mean, "our wifi was hacked" goes back to other umm, Target attacks?
-
@briankrebs It is interesting, and makes some sense on a technical level.
Digging into tooling.
-
@briankrebs So the thing here is that while it is certainly possible, there are a lot of dependencies to pull this off.
1. a device that can dual home in the island network you are hopping from.
2. a Wifi network that is broadcasting at a power level higher than it should.
3. Stolen Credentials
All that said, it is an interesting example of a "determined attacker" scenario, and is definitely the first time I can remember hearing of this technique.
Wild stuff reigns supreme when the attacker is NOT going after low hanging fruit, and has a target they are determined to reach.
-
@thegibson @briankrebs dark market wifi-attack drones-as-a-service
-
This is where my mind was going... pretty sure the pwnasus could be modified with an LTE adapter to do a similar thing, and eliminate the need to hop from the first network.
-
And now that we've spoken that into existence...
-
@TheGibson @rgegriff @briankrebs WiFi countermeasures now include drone-hunting birds?
-
@tw000 @thegibson @briankrebs I have always wanted to train falcons!
-
@rgegriff @TheGibson @briankrebs Yes! (in sickos voice)
-
I mean I built the pwnasus... I don't see this as a complex modification to something that is a flying Wi-Fi deauther.
just adding a control plane, and a little bit of OS config.
a mobile C2 basically.
-
@TheGibson @rgegriff @briankrebs Keeping the drone stable and in range and undetected is where my mind starts to go.
-
@briankrebs Now do bluetooth. There are many devices that have both wifi and bluetooth, and the latter's security is pretty bad.
-
@tw000 @thegibson @briankrebs drones are pretty good at holding position; and wifi is pretty good at not being attenuated by atmosphere; so you could probably get decent range even at a pretty high angle relative to the target building.
That said; save some battery and park it on the roof.
Ohh! Or drop a throwie!
-
Chrisshy Keygen replied to Chrisshy Keygen
@tw000 @thegibson @briankrebs OHH OHH! A throwie that had an esp32 and some LoRa hardware would be a pretty scary mix of small, inexpensive bordering on disposable, long lasting relative to battery capacity, and controllable from across town
-
@rgegriff @TheGibson @briankrebs Great, now I won't be able to see shoes on power lines without thinking about what device is hidden in them.
-
@tw000 @thegibson @briankrebs back of the envelope; without the battery, a little gizmo like this could fit pretty comfortably in a gang box behind a light switch.
You've heard of evil maid; now hold on to your butts for evil electrician and evil drywall guy attacks.
A whole class of evil tradesfolk with opportunities to install all sorts of cool gizmos in your mansion, office, or newly under-regulated datacenter-powering nuclear facilities
-
Slap a solar cell in the ankle opening and a timer between the battery and the stack...
Could run forever.