A sophisticated attack technique dubbed the “Nearest Neighbor Attack” has emerged, demonstrating how far a determined adversary will go to reach a target. Discovered by cybersecurity firm Volexity in February 2022, the activity was attributed to the Russian state-sponsored hacking group GruesomeLarch (also known as APT28 or Fancy Bear). The technique lets attackers breach a target’s network from thousands of miles away by abusing the Wi-Fi networks of businesses located next door to the target. The attack, which took place just before the Russian invasion of Ukraine, highlights the evolving nature of cyber threats.
The Nearest Neighbor Attack begins by obtaining valid user credentials through password spraying. When multi-factor authentication (MFA) blocked access to the organization’s primary, internet-facing services, the attackers shifted to its Enterprise Wi-Fi network, which required only a username and password. Because that Wi-Fi network can only be joined from within radio range, the attackers instead compromised systems in neighboring buildings, looking for machines that had both a wired and a wireless network interface. Using those dual-connected hosts as a bridge, the attackers were able to connect to the target’s Wi-Fi network from afar.
Once inside the target organization’s network, the attackers employed living-off-the-land techniques to avoid detection. They used native Windows tools, such as Cipher.exe, to erase traces of their activity and hinder the recovery of deleted files. The attackers moved laterally within the network and compromised additional organizations located near the target. Eventually, they exploited a weakness in the primary target’s Guest Wi-Fi network, which was not properly isolated from the corporate network, and gained access to sensitive data.
This attack underscores the need for organizations to reassess their Wi-Fi and network security strategies. Volexity recommends requiring multi-factor authentication for Wi-Fi access, ensuring proper segregation between Wi-Fi and Ethernet networks, and monitoring for suspicious use of native Windows tools. The Nearest Neighbor Attack represents a class of threat that exploits physical proximity in creative ways, and organizations should adopt stronger controls to mitigate such risks.
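As an added illustration of the last recommendation (monitoring native Windows tools), the following script is example code written for this article, not Volexity’s tooling. It scans process-creation telemetry for the anti-forensic use of Cipher.exe described above and, as an assumed second indicator, for wireless-interface control via netsh on hosts that should only be wired. The log layout, field names, sample events and the watchlist rules are all constructed assumptions; real deployments would read Sysmon Event ID 1 or Windows Security 4688 records instead.

```python
"""Flag living-off-the-land use of native Windows tools in process-creation logs.

Added example, not code from the original article or from Volexity.
Assumptions: a "key: value | key: value" line layout with Sysmon-like field
names, and a small watchlist of rules chosen for this article.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). Event 1 is the behaviour the
# article describes: cipher.exe /w overwrites free space so deleted files
# cannot be recovered. Event 2 is a benign cipher.exe query, event 3 a host
# manipulating its wireless interface, event 4 benign netsh use.
SAMPLE_EVENTS = [
    "UtcTime: 2022-02-07 01:12:44 | Image: C:\\Windows\\System32\\cipher.exe"
    " | CommandLine: cipher.exe /w:C:\\Users\\Public | User: CORP\\svc-backup"
    " | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "UtcTime: 2022-02-07 01:13:01 | Image: C:\\Windows\\System32\\cipher.exe"
    " | CommandLine: cipher.exe /c C:\\Finance\\report.xlsx | User: CORP\\alice"
    " | ParentImage: C:\\Windows\\explorer.exe",
    "UtcTime: 2022-02-07 01:15:09 | Image: C:\\Windows\\System32\\netsh.exe"
    " | CommandLine: netsh wlan show networks | User: CORP\\svc-backup"
    " | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "UtcTime: 2022-02-07 08:30:15 | Image: C:\\Windows\\System32\\netsh.exe"
    " | CommandLine: netsh interface show interface | User: CORP\\itadmin"
    " | ParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
]

# Watchlist: (rule name, regex on Image, regex on CommandLine, severity, rationale).
# The second rule is an assumed indicator, not something the article reports.
RULES = [
    ("cipher_free_space_wipe", r"\\cipher\.exe$", r"(?i)(^|\s)/w:", "high",
     "cipher.exe /w wipes free disk space, hindering recovery of deleted files"),
    ("wlan_interface_control", r"\\netsh\.exe$", r"(?i)\bwlan\b", "medium",
     "netsh wlan on a wired host may indicate bridging wired and wireless networks"),
]


@dataclass
class Finding:
    rule: str
    severity: str
    time: str
    user: str
    command_line: str
    why: str


def parse_event(line: str) -> dict:
    """Split one 'key: value | key: value' line into a field dictionary."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def scan_events(lines) -> list:
    """Apply every watchlist rule to every event; return the matches in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        for name, image_re, cmd_re, severity, why in RULES:
            if re.search(image_re, image, re.IGNORECASE) and re.search(cmd_re, cmd):
                findings.append(Finding(name, severity, event.get("UtcTime", "?"),
                                        event.get("User", "?"), cmd, why))
    return findings


def findings_by_user(findings) -> dict:
    """Group rule names by account so repeated hits from one user stand out."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding.user].append(finding.rule)
    return dict(grouped)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit.severity}] {hit.time} {hit.user}: {hit.command_line}  <- {hit.why}")
    print("per-user summary:", findings_by_user(hits))
```

Run stand-alone, the script reports two findings, both under the same account, which is the pattern worth escalating: a free-space wipe followed minutes later by wireless-interface activity on a host that has no business touching Wi-Fi. The benign `cipher.exe /c` and `netsh interface` events are not flagged, so the rules can be kept narrow enough to avoid noise from routine administration.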