Cyberattack by GruesomeLarch Targets Organizations Linked to Ukraine
/ 4 min read
Quick take - In February 2022, cybersecurity firm Volexity discovered a sophisticated cyberattack by the Russian APT group GruesomeLarch, which exploited nearby Wi-Fi networks to gain covert access to organizations involved in Ukrainian projects, highlighting the need for enhanced security measures, particularly for Wi-Fi networks.
Fast Facts
- In February 2022, Volexity uncovered a cyberattack by the Russian APT group GruesomeLarch, targeting organizations linked to Ukrainian projects ahead of the invasion.
- The attack, known as a “Nearest Neighbor Attack,” exploited nearby Wi-Fi networks to gain covert access to Organization A, which had inadequate security measures on its Enterprise Wi-Fi.
- GruesomeLarch utilized living-off-the-land techniques, including password-spray and credential-stuffing attacks, and exploited a zero-day privilege escalation vulnerability to enhance access.
- The investigation revealed the attacker operated from an external location, using a custom PowerShell script and accessing Organization B’s VPN, which lacked multi-factor authentication.
- Volexity recommended enhanced security measures for Wi-Fi networks, including monitoring for unusual activity and developing custom detection rules to prevent future incidents.
Cyberattack by GruesomeLarch Uncovered
In early February 2022, cybersecurity firm Volexity uncovered a sophisticated cyberattack orchestrated by the Russian advanced persistent threat (APT) group known as GruesomeLarch. This attack, identified as a “Nearest Neighbor Attack,” involved the exploitation of nearby Wi-Fi networks with the aim of gaining covert access to targeted organizations, specifically those related to Ukrainian projects and individuals. This discovery came ahead of the Russian invasion of Ukraine.
Investigation Details
The investigation was triggered on February 4, 2022, when Volexity received an alert from a custom detection signature at a client site, referred to as Organization A. It was discovered that GruesomeLarch had compromised a server within Organization A’s network. The attackers utilized living-off-the-land techniques that leveraged existing credentials and systems. A critical aspect of the attack involved exploiting a zero-day privilege escalation vulnerability, which enhanced the attacker’s access.
GruesomeLarch executed password-spray and credential-stuffing attacks against Organization A’s public-facing services, aimed at obtaining valid credentials. Although multi-factor authentication (MFA) was in place for these public services, it was absent on the organization’s Enterprise Wi-Fi network, allowing the attacker to infiltrate Organization A’s network. The attacker first compromised nearby organizations that had both wired and wireless connections, employing a dual-homed system to connect to Organization A’s Enterprise Wi-Fi after gaining access to a nearby organization, specifically Organization B, located just across the street.
Challenges and Findings
Throughout the investigation, Volexity encountered various challenges, including the shutdown of compromised systems during data gathering and the attacker’s use of anti-forensics methods to erase traces of their activities. Despite these challenges, Volexity identified the attacker’s authenticated domain user and MAC address through access to the wireless controller. The attacker utilized multiple accounts, some of which were updated and locked out during their operations, and was operating from an external location. A custom PowerShell script facilitated their connection to Organization A’s network, and they accessed Organization B’s VPN, which lacked MFA protection, connecting to its Wi-Fi from another nearby organization, referred to as Organization C.
After the initial detection, Volexity collaborated with Organization B to further investigate the attack. Their findings prompted recommendations for Organization A to enhance its security posture, including implementing additional security measures for Wi-Fi networks. Volexity highlighted the importance of securing Wi-Fi networks to mitigate risks associated with less secure systems, especially in light of the Nearest Neighbor Attack’s implications.
Recommendations and Conclusion
Following remediation efforts, the attacker attempted to regain access to Organization A’s network through its Guest Wi-Fi. The Guest Wi-Fi network, though believed to be isolated, contained a system accessible from both the Wi-Fi and corporate networks. The attacker exploited this using port-forwarding techniques to pivot back into the corporate network.
Volexity’s detailed investigation underscores the evolving tactics of cyber adversaries and emphasizes the necessity for organizations to bolster their security measures, particularly concerning Wi-Fi networks. Their final recommendations included monitoring for unusual utility usage, developing custom detection rules, and improving access requirements for wireless networks to prevent similar incidents in the future.
Original Source: Read the Full Article Here
