At a glance.
- APT28 uses novel technique to breach organizations via nearby WiFi networks.
- US senators request audit of TSA's facial recognition technology.
- Supply chain software company sustains ransomware attack.
APT28 uses novel technique to breach organizations via nearby WiFi networks.
Volexity has published a report on a novel attack vector used by the Russian threat actor GruesomeLarch (commonly known as "APT28" or "Fancy Bear") to breach enterprise Wi-Fi networks. The threat actor first compromised vulnerable organizations physically close to the targeted entity until it found a dual-homed system with both wired and wireless network connections. It then used that system's Wi-Fi adapter to connect to the targeted organization's Wi-Fi SSID and authenticate with valid credentials, gaining access to the target's network.
The researchers note, "Volexity believes this represents a new class of attack that has not previously been described, in which a threat actor compromises one organization and performs credential-stuffing attacks in order to compromise other organizations in close physical proximity via their Wi-Fi networks. To reiterate, the compromise of these credentials alone did not yield access to the customer’s environment, as all Internet-facing resources required use of multi-factor authentication (MFA). However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect."
Volexity adds, "The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away."
Volexity says the threat actor used this technique to steal information on Ukrainian matters just before Russia's invasion of Ukraine in February 2022.
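The two signals a defender can look for in this pattern are the credential-stuffing burst against the Wi-Fi and a successful 802.1X/RADIUS login from a client device that is not in the organization's inventory. The following is an added example, not code from the Volexity report; it assumes accept/reject events have been normalised to "timestamp user mac result" lines and that a managed-device MAC list exists, and the log lines and MACs are constructed.

```python
"""Flag Wi-Fi authentication patterns matching the Nearest Neighbor Attack.

Assumptions (not from the report): RADIUS accept/reject events are
normalised to 'ts user mac result' lines; MANAGED_MACS is the inventory
of corporate Wi-Fi clients. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

MANAGED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # constructed

AUTH_LOG = """\
2024-11-20T09:00:01 alice aa:bb:cc:00:00:01 ACCEPT
2024-11-20T09:01:10 alice 11:22:33:44:55:66 REJECT
2024-11-20T09:01:12 bob 11:22:33:44:55:66 REJECT
2024-11-20T09:01:14 carol 11:22:33:44:55:66 REJECT
2024-11-20T09:01:16 dave 11:22:33:44:55:66 REJECT
2024-11-20T09:01:18 erin 11:22:33:44:55:66 REJECT
2024-11-20T09:01:25 frank 11:22:33:44:55:66 ACCEPT
2024-11-20T09:05:00 bob aa:bb:cc:00:00:02 ACCEPT
"""

def parse(log):
    """Turn normalised log lines into (datetime, user, mac, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, mac, result = line.split()
        events.append((datetime.fromisoformat(ts), user, mac.lower(), result))
    return events

def find_stuffing(events, min_users=5, window_s=300):
    """Client MACs rejected for >= min_users distinct accounts within window_s."""
    fails = defaultdict(list)
    for ts, user, mac, result in events:
        if result == "REJECT":
            fails[mac].append((ts, user))
    hits = set()
    for mac, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits.add(mac)
                break
    return hits

def find_unmanaged_success(events, managed=MANAGED_MACS):
    """Accepted Wi-Fi logins from client MACs that are not in the inventory."""
    return {(u, m) for _, u, m, r in events if r == "ACCEPT" and m not in managed}
```

Client MAC randomisation will also produce inventory misses for legitimate devices, so the unmanaged-MAC check is most useful when correlated with the stuffing burst from the same MAC, as in the constructed log above.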
US senators request audit of TSA's facial recognition technology.
A bipartisan group of US senators last week sent a letter to the Department of Homeland Security's inspector general requesting an audit of the Transportation Security Administration's (TSA's) use of facial recognition technology, the Record reports. The letter stated, "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology’s precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy. TSA has not provided Congress with evidence that facial recognition technology is necessary to catch fraudulent documents, decrease wait times at security checkpoints, or stop terrorists from boarding airplanes." The senators added that "this program could become one of the largest federal surveillance databases overnight without authorization from Congress."
The letter asks DHS Inspector General Joseph Cuffari "to thoroughly evaluate TSA's facial recognition program and report your findings to Congress before it becomes the default form of passenger verification at security checkpoints."
Supply chain software company sustains ransomware attack.
US-based supply chain management software company Blue Yonder sustained a ransomware attack last week, disrupting its services to several grocery store chains in the US and UK, CNN reports. CNN says Morrisons and Sainsbury in the UK have both confirmed outages related to the incident.
Blue Yonder stated, "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident. Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols. With respect to the Blue Yonder Azure public cloud environment, we are actively monitoring and currently do not see any suspicious activity. The experts along with the Blue Yonder team are working on multiple recovery strategies and the investigation is ongoing. At this point in time, we do not have a timeline for restoration."