[HN Gopher] The Nearest Neighbor Attack
___________________________________________________________________
The Nearest Neighbor Attack
Author : throwaway99210
Score : 159 points
Date : 2024-11-22 17:34 UTC (3 days ago)
(HTM) web link (www.volexity.com)
(TXT) w3m dump (www.volexity.com)
| kmeisthax wrote:
| So, as I understand it, you 0wn a machine in one organization,
| then use it to tunnel over to Wi-Fi in the building next door,
| 0wn another machine there, rinse and repeat until you've created
| the world's least consensual mesh network?
| mandevil wrote:
| From thousands of kilometers away, to make attribution/legal
| issues even more complex.
| _nalply wrote:
| They are exploiting that Wifi didn't have 2fa, because they
| couldn't overcome 2fa. A company across the street had a
| machine that both was accessible by ethernet and wifi and they
| used that as a bridge.
|
| Conclusions:
|
| 1. Anything that doesn't have 2fa is leaking like a sieve.
|
| 2. The targeted company needs to implement 2fa for their Wifi
| as well.
|
| Not mentioned, but I assume that their 2fa is using specialised
| hardware gadgets like Yubikey and not texts or totp, because
| else they could target the cell phones, and like everything
| else they are leaking, or they are attacking the cell phone
| base stations.
|
| Final conclusion:
|
| A network is as strong as the weakest link. In that case Wifi
| was not protected by strong 2fa and could be used to breach.
| eru wrote:
| > A network is as strong as the weakest link.
|
| Depends on how you look at it. We have end-to-end security
| with things like https, so we don't need to worry about the
| links in the middle.
| Spivak wrote:
| The BeyondCorp strategy. It also means that network and
| endpoints can be off the shelf. Big fan of this strategy.
| Sesse__ wrote:
| > Final conclusion: A network is as strong as the weakest
| link.
|
| Final conclusion: Do not trust a device just because it
| happens to be on your local network.
| coldpie wrote:
| Final, final conclusion: if a computer is networked,
| consider it and the data on it to be semi-public. Make
| decisions about what to do and store on that computer with
| that assumption in mind.
| EvanAnderson wrote:
| Final, final, final conclusion: Interacting with a
| computer makes it networked even if you're not
| intentionally using traditional networking technologies
| (TEMPEST attacks, arbitrary code execution through direct
| user input, etc).
| coldpie wrote:
| Physical access has always been game over. Having a
| networked computer means your threat model is literally
| everyone on the planet, which is a much bigger problem
| than keeping people from physically getting access.
| akaiser wrote:
| Eludes me why they didn't have device-certificate-based auth
| for their Enterprise WiFi in addition to the
| username+password. Basically comes for free with AD and NPS.
| cortesoft wrote:
| My conclusion is that being on the corporate Wi-Fi should not
| give you access to anything. There should not have been any
| advantage to getting on the Wi-Fi, it should be treated like
| the public internet.
|
| A separate VPN, with MFA, should be required to access
| anything.
| sleepybrett wrote:
| it should be a factor (defense in depth) but not the ONLY
| factor.
| alsetmusic wrote:
| My current org restricts wifi by user and by device in
| Active Directory. Thus you need to be whitelisted twice to
| get access.
|
| We use 2fa pretty much everywhere, but I don't think we use
| it there. But it certainly wouldn't hurt as yet another
| layer.
|
| Wifi adapters should be disabled via Group Policy for wired
| devices anyway.
| thrdbndndn wrote:
| why do you type 0wn (zero) instead of own?
| 0xEF wrote:
| Putting the "hacker" back in Hacker News, I guess
| dijksterhuis wrote:
| i believe it's pronounced H4x0r
| moffkalast wrote:
| Excuse me I thought this was business news? I want my zero
| money back.
| danielheath wrote:
| m0ney?
| RGamma wrote:
| Cuz it's k00l
| TacticalCoder wrote:
| The best is to never get pwned.
| duxup wrote:
| I think it nicely demonstrates the difference between "own"
| (legally and appropriately) and "0wn" taking control by
| hacking but exerting as much control as "own".
| EvanAnderson wrote:
| They were reaching for the "p" key and hit "0" by mistake.
| zelon88 wrote:
| The goal here was to circumvent 2FA on devices located inside
| the Org A office.
|
| On-prem systems prompt for 2FA. So the attacker knew a
| user/password combo, but couldn't leverage it directly because
| they would have triggered 2FA.
|
| But the 802.1x didn't have 2FA enabled. So using the
| user/password combo they already had, they just needed to
| approach the target network over WiFi in order to bypass the
| 2FA requirement.
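The pattern zelon88 describes (a password that is one factor on the on-prem systems but the only factor on the 802.1X SSID) and the fix akaiser mentions (device certificates, i.e. EAP-TLS, instead of bare username+password) both show up in the RADIUS/NPS authentication log. The script below is an added example, not code from the Volexity write-up or from any vendor product: it walks a constructed, simplified one-line-per-event log and flags every successful wireless authentication that (a) used a password-only EAP method, (b) came from a client MAC that is not in the device inventory, or (c) followed a burst of rejects for the same user, which is what credentials brute-forced elsewhere and then replayed over Wi-Fi look like. The log format, EAP labels, `KNOWN_DEVICES` inventory and thresholds are assumptions for illustration; a real NPS (IAS/DTS) or FreeRADIUS export needs its own parser.

```python
"""Triage 802.1X / RADIUS authentication events for the pattern described above.

Added example, not code from the Volexity write-up or any vendor product.
The log format below is a constructed, simplified one-line-per-event form;
real NPS (IAS/DTS) or FreeRADIUS logs need their own parsers, and the field
names, EAP labels and device inventory here are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# EAP methods that prove only a password (the single factor the thread is about).
# EAP-TLS is deliberately absent: it proves possession of a device certificate.
PASSWORD_ONLY_EAP = {"PEAP-MSCHAPv2", "EAP-MSCHAPv2", "EAP-TTLS-PAP", "EAP-GTC"}

# Constructed inventory of corporate client MACs (in practice: an MDM/AD export).
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

# Constructed sample events. Working hours: normal traffic. Evening: five
# rejects for jdoe from an unknown MAC, then an accept via password-only EAP.
SAMPLE_LOG = """\
2024-02-04T08:00:00Z user=asmith mac=AA:BB:CC:DD:EE:02 eap=EAP-TLS result=ACCEPT nas=AP-2F-WEST
2024-02-04T08:05:00Z user=jdoe mac=AA:BB:CC:DD:EE:01 eap=PEAP-MSCHAPv2 result=ACCEPT nas=AP-2F-WEST
2024-02-04T21:02:11Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=REJECT nas=AP-3F-EAST
2024-02-04T21:02:19Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=REJECT nas=AP-3F-EAST
2024-02-04T21:02:27Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=REJECT nas=AP-3F-EAST
2024-02-04T21:02:36Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=REJECT nas=AP-3F-EAST
2024-02-04T21:02:44Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=REJECT nas=AP-3F-EAST
2024-02-04T21:03:05Z user=jdoe mac=02:11:22:33:44:55 eap=PEAP-MSCHAPv2 result=ACCEPT nas=AP-3F-EAST
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>\S+) eap=(?P<eap>\S+) "
    r"result=(?P<result>ACCEPT|REJECT) nas=(?P<nas>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    mac: str
    eap: str
    result: str
    nas: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], mac=m["mac"].lower(), eap=m["eap"],
            result=m["result"], nas=m["nas"],
        ))
    return sorted(events, key=lambda e: e.ts)


def triage(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings for every successful wireless auth that deserves a look.

    password-only-eap      : the SSID accepted a bare username/password
    unknown-device         : the client MAC is not in the device inventory
    success-after-failures : >= fail_threshold rejects for the user within
                             `window` before the accept (guessing, then in)
    """
    findings = []
    recent_rejects = defaultdict(deque)  # user -> timestamps of recent rejects
    for ev in events:
        q = recent_rejects[ev.user]
        while q and ev.ts - q[0] > window:
            q.popleft()  # drop rejects that fell out of the window
        if ev.result == "REJECT":
            q.append(ev.ts)
            continue
        base = {"ts": ev.ts.isoformat(), "user": ev.user, "mac": ev.mac, "nas": ev.nas}
        if ev.eap in PASSWORD_ONLY_EAP:
            findings.append({"kind": "password-only-eap", "eap": ev.eap, **base})
        if ev.mac not in KNOWN_DEVICES:
            findings.append({"kind": "unknown-device", **base})
        if len(q) >= fail_threshold:
            findings.append({"kind": "success-after-failures", "rejects": len(q), **base})
        q.clear()  # a success resets the failure streak for that user
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed sample the morning PEAP logon from a known laptop is flagged only as password-only (the structural weakness the thread is about), while the evening accept from the unknown MAC trips all three checks at once. The `password-only-eap` finding is the one to drive policy from: once the SSID requires EAP-TLS with a machine certificate, a brute-forced password alone no longer gets a neighbour onto the network.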
| _hl_ wrote:
| What's wrong with the tried-and-tested technique of flying a guy
| or girl over there to drop a small gadget in WiFi proximity?
| voidUpdate wrote:
| Russia is quite far away to send a plane small enough to fly
| low over the building and drop a device onto the roof, and I
| don't think you're allowed to throw things out of an airliner
| window anyway
| _hl_ wrote:
| I mean a normal passenger on a normal plane making a normal
| trip to an office building and finding a hidden location
| where to tape a small box with an arduino in it. Maybe even
| on the outside so you can use solar power? Though it only
| needs to last long enough to compromise a machine inside the
| network.
|
| This would be nothing new, I remember ages ago in the days of
| WEP that you could buy a small box that would collect enough
| handshakes to let you crack the WEP password.
| voidUpdate wrote:
| or just do some fun hacking that doesn't have you at the
| location of the hack
| m3rc wrote:
| For the length of time this article covered you would need
| a power source and to not have your box discovered for
| months. Probably something out on the street isn't going to
| fulfill both of those requirements so you'd be trying to
| enter "Enterprise A" which is unlikely given the presumed
| elevated security profile this article implies (any guesses
| who?). With what they pulled off the "box" that ended up
| being used was something already plugged in next door and
| very much supposed to be there. Seems easier than any
| physical attack would have been.
| Eridrus wrote:
| Reusing existing digital compromise toolkits on a
| presumably far less hardened targets across the street is
| far easier than trying to deploy hardware thousands of
| miles away.
|
| The timeline here for the entire sequence of events is 1-2
| weeks.
| Rygian wrote:
| > Volexity now determined the attacker was connecting to the
| network via wireless credentials they had brute-forced from an
| Internet-facing service. However, it was not clear where the
| attacker was physically that allowed them to connect to the
| Enterprise Wi-Fi to begin with. Further analysis of data
| available from Organization A's wireless controller showed which
| specific wireless access points the attacker was connecting to
| and overlaid them on a map that had a layout of the building and
| specific floors.
|
| This is the kind of hackery I'd enjoy seeing in a blockbuster
| movie.
| 0_____0 wrote:
| I think Ubiquiti have that built into their AP/network
| management software. You can define a floorplan and drop your
| APs into it to understand dead zones etc, and you have granular
| data on which clients are connected to which APs
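The step Rygian quotes (take the controller's record of which APs a client associated with, overlay it on the floor plan) is a short join between two datasets. The script below is an added example, not code from the Volexity write-up and not a feature of any controller vendor's software: it parses a constructed association/roam export, joins each event to a constructed AP inventory that records building, floor and whether the AP sits on an exterior wall, and summarises where a given client MAC was heard. The final heuristic (client only ever heard by exterior-wall APs at weak RSSI) is an assumption worth checking against the real survey, a hint that the client was outside the walls rather than proof. Log format, inventory and MACs are all constructed.

```python
"""Overlay a wireless client's AP associations on the building layout.

Added example, not code from the Volexity write-up and not a feature of any
controller vendor's software. The controller export format below is a
constructed one-line-per-event form, and the AP inventory (building, floor,
exterior wall or interior) is an assumption; a real deployment would load both
from the controller's API or CSV export and the site-survey floor plan.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed AP inventory: name -> placement on the floor plan.
AP_INVENTORY = {
    "AP-1F-LOBBY": {"building": "HQ", "floor": 1, "exterior": False, "note": "lobby, interior"},
    "AP-3F-CORE":  {"building": "HQ", "floor": 3, "exterior": False, "note": "interior, meeting rooms"},
    "AP-3F-EAST":  {"building": "HQ", "floor": 3, "exterior": True,  "note": "east wall, facing the street"},
    "AP-4F-EAST":  {"building": "HQ", "floor": 4, "exterior": True,  "note": "east wall, facing the street"},
}

# Constructed association/roam events (deliberately out of order). One client
# (02:11:...) is only ever heard, weakly, by the two east-wall APs; a normal
# laptop walks in through the lobby and roams into the core of the floor.
SAMPLE_EVENTS = """\
2024-02-04T09:12:00Z client=AA:BB:CC:DD:EE:01 event=ASSOC ap=AP-1F-LOBBY rssi=-45
2024-02-04T09:30:00Z client=AA:BB:CC:DD:EE:01 event=ROAM ap=AP-3F-CORE rssi=-50
2024-02-04T22:15:40Z client=02:11:22:33:44:55 event=ROAM ap=AP-3F-EAST rssi=-79
2024-02-04T21:03:05Z client=02:11:22:33:44:55 event=ASSOC ap=AP-3F-EAST rssi=-78
2024-02-04T21:40:12Z client=02:11:22:33:44:55 event=ROAM ap=AP-4F-EAST rssi=-81
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) event=(?P<event>ASSOC|ROAM) "
    r"ap=(?P<ap>\S+) rssi=(?P<rssi>-?\d+)$"
)


def parse_events(text):
    """Parse the constructed export; returns events sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"].lower(),
            "event": m["event"],
            "ap": m["ap"],
            "rssi": int(m["rssi"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def location_trail(events, client_mac):
    """Time-ordered list of where on the floor plan one client was heard."""
    trail = []
    unknown = {"building": "?", "floor": None, "exterior": None, "note": "AP not in inventory"}
    for ev in events:
        if ev["client"] != client_mac.lower():
            continue
        place = AP_INVENTORY.get(ev["ap"], unknown)
        trail.append({"ts": ev["ts"].isoformat(), "ap": ev["ap"], "rssi": ev["rssi"], **place})
    return trail


def summarize(trail):
    """Condense a trail: which APs and floors, and whether the client was only
    ever heard by exterior-wall APs (with the mean RSSI alongside so the reader
    can judge signal strength). Exterior-only plus weak signal is a hint, not
    proof, that the client was outside the walls, e.g. across the street."""
    if not trail:
        return {"aps": Counter(), "floors": [], "all_exterior": False, "mean_rssi": None}
    rssi = [p["rssi"] for p in trail]
    return {
        "aps": Counter(p["ap"] for p in trail),
        "floors": sorted({p["floor"] for p in trail if p["floor"] is not None}),
        "all_exterior": all(p["exterior"] is True for p in trail),
        "mean_rssi": sum(rssi) / len(rssi),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for mac in ("02:11:22:33:44:55", "aa:bb:cc:dd:ee:01"):
        trail = location_trail(events, mac)
        print(mac, summarize(trail))
        for hop in trail:
            print("   ", hop["ts"], hop["ap"], hop["rssi"], "dBm,", hop["note"])
```

With the constructed data the suspicious client bounces between the third- and fourth-floor east-wall APs at around -79 dBm and is never heard by an interior AP, while the legitimate laptop enters via the lobby AP at -45 dBm and roams into the core. The same join works on any controller that exports client-to-AP associations; the part that needs local knowledge is the inventory, which is exactly the floor plan the article describes overlaying.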
| meandmycode wrote:
| Anybody else get a feeling it was Volexity that did all this
| research? Interesting story nonetheless
| mfro wrote:
| 77 instances of 'Volexity' on that page. LOL
| leoqa wrote:
| Kind of wild they didn't rotate all the creds after the first,
| second hacks.
| duxup wrote:
| I suspect every organization is as secure as its least
| secure/capable decision maker.
|
| It's a scary thing as all you have to do is add one decision,
| one ignorant person and it's bad news.
|
| I've worked in orgs where we made big leaps in security, very
| proud of our work. Then one ignorant person who had the
| authority made a decision with no valid benefit to anyone,
| completely compromised everything.
|
| Seen it time and again.
|
| Not sure if that was the case as far as the credentials went in
| this situation, but it always seems to be the human element as
| far as curious choices goes.
| skulk wrote:
| Darknet Diaries #151 has an Australian dude explaining a form of
| this type of attack and how he stole money out of a middle
| eastern bank for a wealthy client. Maybe it's not exactly the
| same but it struck me as similar because he uses weak WiFi
| security as part of the exploit chain as well as hopping between
| compromised residential networks to obfuscate the origin.
| sleepybrett wrote:
| This is a little different. What he was doing is essentially
| setting up proxies all over the world.
|
| These guys hacked into a machine connected by ethernet with an
| idle wifi adapter, then used that idle wifi adapter to connect
| to the wifi of a company nearby.
| cesarb wrote:
| > These guys hacked into a machine connected by ethernet with
| an idle wifi adapter
|
| And having an idle wifi adapter like that is common nowadays.
| For some reason, many desktop PCs intended to stay in a
| single fixed place come from factory with a built-in wifi
| card and built-in antennas. You'd think that would make these
| PCs more expensive, but apparently wifi cards are cheap
| nowadays?
| alsetmusic wrote:
| I worked for an MSP (Managed Service Provider) when the pan
| hit. A bunch of our clients took their workstations home
| (CAD designers) and couldn't get online because they had no
| wifi.
|
| I understand wanting to save a few bucks times dozens of
| employees, but I always thought my company was fucking
| stupid for letting them purchase those machines with no
| backup for if their network card failed. Turned out this
| was a much worse situation.
|
| All that said, if you aren't using wifi to connect to the
| network, turn the damn thing off.
| fsflover wrote:
| Related discussion: https://news.ycombinator.com/item?id=42213178
| alasdair_ wrote:
| It seems it would be far easier to just mail the company a
| raspberry pi, a battery and a GSM module. Address it to someone
| nonexistent so it doesn't get opened for a few days.
|
| The real news is that the wifi didn't use 2FA like the rest of
| the system.
| CGamesPlay wrote:
| This wouldn't make it through building security. My last large
| corp x-rayed all packages and would notice a nonexistent
| recipient immediately.
___________________________________________________________________
(page generated 2024-11-25 23:00 UTC)