Infosec in brief Not to make you paranoid, but that business across the street could, under certain conditions, serve as a launching point for Russian cyber spies to compromise your network.
Using what it described as “a novel attack vector … not previously encountered,” threat intel and memory forensics firm Volexity reported it’s spotted what it believes to be the APT28 Kremlin-backed threat actor targeting one of its clients by first compromising multiple organizations whose offices are in close physical proximity to the target.
Dubbed the “nearest neighbor attack” for lack of “any terminology describing this style of attack,” Volexity explained the multi-step attack began with password-spraying the victim’s web portals to get valid credentials.
Those credentials were unusable on the org’s services because it had implemented multifactor authentication – except on its Wi-Fi network.
To get around the fact it was targeting a Wi-Fi network thousands of miles away, APT28 breached the target’s neighboring organizations, identified devices with both wired and wireless network adapters, and used them to connect to the target’s Wi-Fi network with the stolen credentials. Once connected, the attackers moved laterally within the network and routed exfiltrated data through compromised machines on neighboring networks.
“Volexity’s investigation reveals the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber espionage objectives,” the security shop observed. “To reiterate, the compromise of these credentials alone did not yield access to the customer’s environment. However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect.”
In other words, now you have yet another system to secure with some form of multifactor authentication. Volexity noted that the guest Wi-Fi network was also compromised, and a single system able to access both networks was identified to move into the more sensitive network – so be sure you isolate everything, too.
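One defender-side check the chain above suggests, written here as an added example (not code from Volexity or its report): correlate a password-spray pattern on the web portal with later Wi-Fi logons by the sprayed accounts from devices those users have never authenticated from. The log line format, addresses, MACs and the per-user known-device baseline are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample logs (not from Volexity's report; the line format is
# hypothetical): one source sprays five portal accounts and lands a password
# for "dave"; later "dave" joins corporate Wi-Fi from a never-seen device.
PORTAL_LOG = """\
2024-02-01T03:10:01 portal src=203.0.113.7 user=alice result=fail
2024-02-01T03:10:02 portal src=203.0.113.7 user=bob result=fail
2024-02-01T03:10:03 portal src=203.0.113.7 user=carol result=fail
2024-02-01T03:10:04 portal src=203.0.113.7 user=dave result=success
2024-02-01T03:10:05 portal src=203.0.113.7 user=erin result=fail
2024-02-01T09:00:00 portal src=198.51.100.5 user=alice result=success
"""
WIFI_LOG = """\
2024-02-01T11:20:00 wifi ssid=corp user=alice mac=aa:bb:cc:00:00:01 result=success
2024-02-01T22:45:10 wifi ssid=corp user=dave mac=de:ad:be:ef:00:01 result=success
"""
# Per-user baseline of devices seen before (constructed).
KNOWN_MACS = {"alice": {"aa:bb:cc:00:00:01"}, "dave": {"aa:bb:cc:00:00:02"}}
LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kind>portal|wifi) (?P<kv>.*)")

def parse(log):
    """key=value log lines -> list of dicts; non-matching lines are skipped."""
    return [{**dict(kv.split("=", 1) for kv in m["kv"].split()), "ts": m["ts"]}
            for m in map(LINE_RE.match, log.splitlines()) if m]

def spray_sources(portal, min_users=5, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames and mostly failed."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in portal:
        users[e["src"]].add(e["user"])
        total[e["src"]] += 1
        fails[e["src"]] += e["result"] == "fail"
    return {ip for ip in users if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

def sprayed_accounts(portal, sources):
    """Every account a spraying source touched, whether or not it guessed right."""
    return {e["user"] for e in portal if e["src"] in sources}

def wifi_alerts(wifi, sprayed, known_macs):
    """Successful Wi-Fi logons by a sprayed account from a device it never used."""
    return [(e["ts"], e["user"], e["mac"]) for e in wifi if e["result"] == "success"
            and e["user"] in sprayed and e["mac"] not in known_macs.get(e["user"], ())]

def run():
    portal, wifi = parse(PORTAL_LOG), parse(WIFI_LOG)
    return wifi_alerts(wifi, sprayed_accounts(portal, spray_sources(portal)), KNOWN_MACS)
```

Note that "alice" was also sprayed but joins from her known device, so she produces no alert; the point is that a sprayed account plus an unfamiliar client is the combination worth paging on when Wi-Fi has no second factor.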
Critical vulnerabilities of the week: Cisco cert lapse warning
Cisco reported a critical issue in its Firepower Management Center software this week, affecting versions 6 and 7, that can lead to a loss of management capabilities.
According to the report, an internal self-signed root certificate authority valid for ten years might be expiring soon, leaving administrators without the ability to manage connected devices. If it does lapse, “a more complex renewal process” will be necessary – so inspect yours and install the necessary hotfixes ASAP.
Just one active, critical exploit to mention this week that we haven’t already covered:
- CVSS 10.0 – CVE-2024-1212: Progress Software’s LoadMaster load balancing software allows unauthenticated users to access it through the management interface, allowing for arbitrary system command execution.
There’s one less phisher in the sea
Microsoft last week reported that it seized 240 fraudulent websites linked to a Phishing-as-a-Service operation based in Egypt that used the Linux Foundation’s Open Neural Network Exchange (ONNX) to brand its malware.
“Abanoub Nady (known online as ‘MRxC0DER’) developed and sold ‘do it yourself’ phish kits and fraudulently used the brand name ‘ONNX’,” Microsoft claimed. Along with the ONNX brand, Nady allegedly marketed his phishing kits under the names Caffeine and FUHRER, Microsoft’s Digital Crimes Unit added.
Microsoft wrote that Nady’s outfit operated since 2017 and offered ready-to-phish software with multiple subscription tiers – including an “Enterprise” edition that cost $550 for six months of “unlimited VIP support.”
Microsoft and the Linux Foundation Projects have sued Nady, and a court document [PDF] unsealed last week indicates all the seized domains are now under Microsoft’s control.
“We are taking affirmative action to protect online users globally rather than standing idly by while malicious actors illegally use our names and logos to enhance the perceived legitimacy of their attacks,” Microsoft said.
DoD says its handling of controlled cryptographic devices is ▇▇▇▇
The US Department of Defense’s inspector general last week released a report on the military’s handling of controlled cryptographic items (CCI) used for secure communications – but you’ll have to take the IG’s word that everything is in good order, because it’s not releasing any details.
In a barebones summary [PDF] of the audit, the IG said