The Nearest Neighbor Attack (volexity.com)
kmeisthax 1 day ago [-]
So, as I understand it, you 0wn a machine in one organization, then use it to tunnel over to Wi-Fi in the building next door, 0wn another machine there, rinse and repeat until you've created the world's least consensual mesh network?
_nalply 1 day ago [-]
They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company across the street had a machine that was accessible by both ethernet and wifi, and they used that as a bridge.

Conclusions:

1. Anything that doesn't have 2fa is leaking like a sieve.

2. The targeted company needs to implement 2fa for their Wifi as well.

Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because else they could target the cell phones, and like everything else they are leaking, or they are attacking the cell phone base stations.

Final conclusion:

A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.

cortesoft 14 hours ago [-]
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.

A separate VPN, with MFA, should be required to access anything.

rocqua 1 hour ago [-]
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.
UltraSane 4 hours ago [-]
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.
alsetmusic 11 hours ago [-]
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.

We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.

Wifi adapters should be disabled via Group Policy for wired devices anyway.

legulere 47 minutes ago [-]
Also a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture
sleepybrett 14 hours ago [-]
it should be a factor (defense in depth) but not the ONLY factor.
Sesse__ 23 hours ago [-]
> Final conclusion: A network is as strong as the weakest link.

Final conclusion: Do not trust a device just because it happens to be on your local network.

coldpie 18 hours ago [-]
Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.
EvanAnderson 17 hours ago [-]
Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc).
coldpie 16 hours ago [-]
Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.
EvanAnderson 9 hours ago [-]
Direct physical access by the attacker isn't strictly necessary (i.e. operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels.

I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).

akaiser 19 hours ago [-]
Eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. Basically comes for free with AD and NPS.
eru 3 hours ago [-]
'Free' still means you need some expertise in setting it up and running it.
eru 24 hours ago [-]
> A network is as strong as the weakest link.

Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.

Spivak 17 hours ago [-]
The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.
eru 3 hours ago [-]
Yes, and it's already the default in consumer electronics.

That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong.

The main thing encrypting wifi does (or rather should do..) for you is keeping your neighbours from stealing all your bandwidth.

Aloisius 9 hours ago [-]
Being able to validate credentials via the public facing website without MFA was a considerable problem as well. Also not locking down accounts after failed attempted logins.

Wifi with 802.1X and certs would have been fine here without MFA.

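The two gaps called out above (credentials testable against a public endpoint with no MFA, and no lockout after repeated failures) are exactly what an authentication-log check should surface. The script below is an added example, not Volexity's tooling or anything from Organization A: it parses constructed, syslog-style login records (format and addresses are invented for the example), reports accounts whose failure count reached a lockout threshold inside a sliding window yet still saw a later success, and separately reports source addresses that fail against many distinct accounts, the password-spray pattern that per-account lockout alone does not stop.

```python
"""Detect brute-force and password-spray patterns in authentication logs.

Added example (not the article's or any vendor's code). Log format, account
names and IP addresses are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one brute-forced account, one spraying source,
# and one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z auth FAIL user=jdoe src=203.0.113.10
2024-02-01T09:00:03Z auth FAIL user=jdoe src=203.0.113.10
2024-02-01T09:00:05Z auth FAIL user=jdoe src=203.0.113.10
2024-02-01T09:00:07Z auth FAIL user=jdoe src=203.0.113.10
2024-02-01T09:00:09Z auth FAIL user=jdoe src=203.0.113.10
2024-02-01T09:00:11Z auth OK   user=jdoe src=203.0.113.10
2024-02-01T09:05:00Z auth FAIL user=asmith src=198.51.100.7
2024-02-01T09:05:02Z auth FAIL user=bwong src=198.51.100.7
2024-02-01T09:05:04Z auth FAIL user=cpatel src=198.51.100.7
2024-02-01T09:05:06Z auth FAIL user=dlee src=198.51.100.7
2024-02-01T10:30:00Z auth FAIL user=mrios src=192.0.2.44
2024-02-01T10:30:30Z auth OK   user=mrios src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def find_lockout_candidates(log_text, threshold=5, window=timedelta(minutes=10)):
    """Accounts whose failures within `window` reached `threshold`.

    Returns {user: {"reached_at": datetime, "later_success": bool}}. A True
    `later_success` is the case a lockout policy exists to prevent: the
    guessing continued past the threshold and eventually worked.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures in window
    flagged = {}
    for ts, result, user, _src in parse(log_text):
        if result == "FAIL":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged[user] = {"reached_at": ts, "later_success": False}
        elif user in flagged:                 # OK after the threshold was hit
            flagged[user]["later_success"] = True
    return flagged


def find_spray_sources(log_text, min_users=4, window=timedelta(minutes=10)):
    """Source addresses that fail against >= `min_users` distinct accounts
    inside one window. Returns {src: distinct_accounts_in_worst_window}."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            by_src[src].append((ts, user))
    sprayers = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                sprayers[src] = len(users)
                break
    return sprayers


if __name__ == "__main__":
    for user, info in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"lockout threshold reached: {user} at {info['reached_at']}, "
              f"later success={info['later_success']}")
    for src, n in find_spray_sources(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The two detections are deliberately separate: the per-account window is what a lockout policy enforces, while the per-source view catches a source that stays under that threshold by rotating through accounts. Thresholds and window sizes are example values and should be tuned to the real login volume.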
ninalanyon 10 hours ago [-]
Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.
zelon88 15 hours ago [-]
The goal here was to circumvent 2FA on devices located inside the Org A office.

On-prem systems prompt for 2FA. So the attacker knew a user/password combo, but couldn't leverage it directly because they would have triggered 2FA.

But the 802.1X didn't have 2FA enabled. So using the user/password combo they already had, they just needed to approach the target network over WiFi in order to bypass the 2FA requirement.

mandevil 1 day ago [-]
From thousands of kilometers away, to make attribution/legal issues even more complex.
thrdbndndn 24 hours ago [-]
why do you type 0wn (zero) instead of own?
duxup 18 hours ago [-]
I think it nicely demonstrates the difference between "own" (legally and appropriately) and "0wn" taking control by hacking but exerting as much control as "own".
0xEF 24 hours ago [-]
Putting the "hacker" back in Hacker News, I guess
dijksterhuis 22 hours ago [-]
i believe it’s pronounced H4x0r
moffkalast 21 hours ago [-]
Excuse me I thought this was business news? I want my zero money back.
danielheath 19 hours ago [-]
m0ney?
EvanAnderson 17 hours ago [-]
They were reaching for the "p" key and hit "0" by mistake.
Terr_ 10 hours ago [-]
Adding a serious response in case [0] it's a serious question: "0wn" is a kind of in-joke among hacker/security communities. [1] In particular, it differs from "own" in that it connotes "forcibly taking control of", rather than formal legal ownership. Another version is "pwn", which is marginally newer and more associated with online gaming.

[0] https://xkcd.com/1053/

[1] https://en.wikipedia.org/wiki/Leet

thaumasiotes 4 hours ago [-]
> "0wn" is a kind of in-joke among hacker/security communities.

In my experience, the security community says "pop".

edm0nd 3 hours ago [-]
Gives the term "desk pop" a whole new meaning!
RGamma 21 hours ago [-]
Cuz it's k00l
TacticalCoder 19 hours ago [-]
The best is to never get pwned.
skulk 18 hours ago [-]
Darknet Diaries #151 has an Australian dude explaining a form of this type of attack and how he stole money out of a Middle Eastern bank for a wealthy client. Maybe it's not exactly the same, but it struck me as similar because he uses weak WiFi security as part of the exploit chain as well as hopping between compromised residential networks to obfuscate the origin.
sleepybrett 12 hours ago [-]
This is a little different. What he was doing is essentially setting up proxies all over the world.

These guys hacked into a machine connected by ethernet with an idle wifi adapter, then used that idle wifi adapter to connect to the wifi of a company nearby.

cesarb 11 hours ago [-]
> These guys hacked into a machine connected by ethernet with an idle wifi adapter

And having an idle wifi adapter like that is common nowadays. For some reason, many desktop PCs intended to stay in a single fixed place come from factory with a built-in wifi card and built-in antennas. You'd think that would make these PCs more expensive, but apparently wifi cards are cheap nowadays?

alsetmusic 11 hours ago [-]
I worked for an MSP (Managed Service Provider) when the pan hit. A bunch of our clients took their workstations home (CAD designers) and couldn't get online because they had no wifi.

I understand wanting to save a few bucks times dozens of employees, but I always thought my company was fucking stupid for letting them purchase those machines with no backup for if their network card failed. Turned out this was a much worse situation.

All that said, if you aren't using wifi to connect to the network, turn the damn thing off.

thaumasiotes 4 hours ago [-]
> A bunch of our clients took their workstations home (CAD designers) and couldn't get online because they had no wifi.

> I understand wanting to save a few bucks times dozens of employees, but I always thought my company was fucking stupid for letting them purchase those machines with no backup for if their network card failed. Turned out this was a much worse situation.

That's not exactly a difficult situation. Get an external wifi adapter. They're currently $10-$20 on Amazon.

You don't need to invest in exotic preparation for a problem that is so trivial to fix when it arises.

rocqua 1 hour ago [-]
WiFi and Bluetooth are usually provided by the same device, and it makes sense to want Bluetooth on a desktop. So you get WiFi essentially for free if you get Bluetooth.
meandmycode 21 hours ago [-]
Anybody else get a feeling it was Volexity that did all this research? Interesting story none the less
mfro 18 hours ago [-]
77 instances of 'Volexity' on that page. LOL
alasdair_ 11 hours ago [-]
It seems it would be far easier to just mail the company a raspberry pi, a battery and a GSM module. Address it to someone nonexistent so it doesn't get opened for a few days.

The real news is that the wifi didn't use 2FA like the rest of the system.

CGamesPlay 10 hours ago [-]
This wouldn’t make it through building security. My last large corp x-rayed all packages and would notice a nonexistent recipient immediately.
ninalanyon 10 hours ago [-]
What proportion of companies do that?
leoqa 18 hours ago [-]
Kind of wild they didn’t rotate all the creds after the first, second hacks.
duxup 18 hours ago [-]
I suspect every organization is as secure as its least secure/capable decision maker.

It's a scary thing as all you have to do is add one decision, one ignorant person and it's bad news.

I've worked in orgs where we made big leaps in security, very proud of our work. Then one ignorant person who had the authority made a decision with no valid benefit to anyone, completely compromised everything.

Seen it time and again.

Not sure if that was the case as far as the credentials went in this situation, but it always seems to be the human element as far as curious choices goes.

_hl_ 23 hours ago [-]
What’s wrong with the tried-and-tested technique of flying a guy or girl over there to drop a small gadget in WiFi proximity?
voidUpdate 21 hours ago [-]
Russia is quite far away to send a plane small enough to fly low over the building and drop a device onto the roof, and I don't think you're allowed to throw things out of an airliner window anyway
_hl_ 21 hours ago [-]
I mean a normal passenger on a normal plane making a normal trip to an office building and finding a hidden location to tape a small box with an arduino in it. Maybe even on the outside so you can use solar power? Though it only needs to last long enough to compromise a machine inside the network.

This would be nothing new, I remember ages ago in the days of WEP that you could buy a small box that would collect enough handshakes to let you crack the WEP password.

m3rc 19 hours ago [-]
For the length of time this article covered you would need a power source and to not have your box discovered for months. Probably something out on the street isn't going to fulfill both of those requirements so you'd be trying to enter "Enterprise A" which is unlikely given the presumed elevated security profile this article implies (any guesses who?). With what they pulled off the "box" that ended up being used was something already plugged in next door and very much supposed to be there. Seems easier than any physical attack would have been.
Eridrus 17 hours ago [-]
Reusing existing digital compromise toolkits on presumably far less hardened targets across the street is far easier than trying to deploy hardware thousands of miles away.

The timeline here for the entire sequence of events is 1-2 weeks.

voidUpdate 20 hours ago [-]
or just do some fun hacking that doesn't have you at the location of the hack
Rygian 22 hours ago [-]
> Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an Internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the Enterprise Wi-Fi to begin with. Further analysis of data available from Organization A’s wireless controller showed which specific wireless access points the attacker was connecting to and overlayed them on a map that had a layout of the building and specific floors.

This is the kind of hackery I'd enjoy seeing in a blockbuster movie.

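The quoted passage describes the defender's side of this: pull the controller's record of which access points a client associated with and overlay it on the building layout. The script below is an added example, not Volexity's tooling or Organization A's data. It takes a constructed AP inventory (floor, room, x/y metres on the plan) and constructed association log lines in a hypothetical controller format, then summarises per client which floors, rooms and APs it was seen on and an RSSI-weighted centroid of those APs. The centroid is a rough position estimate added for the example; the thread only describes overlaying APs on the map.

```python
"""Overlay wireless-controller association records on a floor plan.

Added example (not the article's or any vendor's code). AP names, plan
coordinates, client MACs and the log format are constructed.
"""
import re
from collections import defaultdict

# Constructed access-point inventory: name -> (floor, room, x_m, y_m).
AP_PLAN = {
    "AP-3F-01": (3, "Conference Room 3A", 4.0, 2.0),
    "AP-3F-02": (3, "Open Plan East", 18.0, 6.0),
    "AP-3F-03": (3, "Server Room", 30.0, 12.0),
    "AP-2F-01": (2, "Reception", 5.0, 3.0),
    "AP-2F-02": (2, "Open Plan West", 20.0, 8.0),
}

# Constructed controller log lines (hypothetical format, not a real vendor's).
# Client ...:01 keeps landing on the conference-room AP late in the evening;
# client ...:03 associates with an AP that is missing from the plan.
SAMPLE_LOG = """\
2024-02-01T22:10:05Z assoc client=aa:bb:cc:dd:ee:01 ap=AP-3F-01 rssi=-52 user=jdoe
2024-02-01T22:41:33Z assoc client=aa:bb:cc:dd:ee:01 ap=AP-3F-02 rssi=-78 user=jdoe
2024-02-01T23:02:19Z assoc client=aa:bb:cc:dd:ee:01 ap=AP-3F-01 rssi=-55 user=jdoe
2024-02-01T09:15:00Z assoc client=aa:bb:cc:dd:ee:02 ap=AP-2F-02 rssi=-45 user=asmith
2024-02-01T13:40:00Z assoc client=aa:bb:cc:dd:ee:02 ap=AP-2F-01 rssi=-60 user=asmith
2024-02-01T22:50:00Z assoc client=aa:bb:cc:dd:ee:03 ap=AP-9F-99 rssi=-70 user=unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) assoc client=(?P<client>\S+) ap=(?P<ap>\S+) "
    r"rssi=(?P<rssi>-?\d+) user=(?P<user>\S+)$"
)


def parse_assoc(log_text):
    """Yield (timestamp, client, ap, rssi_dbm, user); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["client"], m["ap"], int(m["rssi"]), m["user"]


def rssi_weight(rssi_dbm):
    """dBm -> linear power (mW), so stronger signals pull the centroid harder."""
    return 10 ** (rssi_dbm / 10.0)


def locate_clients(log_text, plan=AP_PLAN):
    """Per-client summary: users, AP association counts, floors, rooms,
    RSSI-weighted centroid on the plan (None if no AP could be mapped),
    and APs absent from the plan so the inventory gap is visible."""
    seen = defaultdict(lambda: {
        "users": set(), "aps": defaultdict(int), "floors": set(),
        "rooms": set(), "unmapped": set(), "wx": 0.0, "wy": 0.0, "w": 0.0,
    })
    for _ts, client, ap, rssi, user in parse_assoc(log_text):
        rec = seen[client]
        rec["users"].add(user)
        rec["aps"][ap] += 1
        if ap not in plan:
            rec["unmapped"].add(ap)
            continue
        floor, room, x, y = plan[ap]
        rec["floors"].add(floor)
        rec["rooms"].add(room)
        w = rssi_weight(rssi)
        rec["wx"] += w * x
        rec["wy"] += w * y
        rec["w"] += w

    result = {}
    for client, rec in seen.items():
        centroid = None
        if rec["w"] > 0:
            centroid = (round(rec["wx"] / rec["w"], 1), round(rec["wy"] / rec["w"], 1))
        result[client] = {
            "users": sorted(rec["users"]),
            "aps": dict(rec["aps"]),
            "floors": sorted(rec["floors"]),
            "rooms": sorted(rec["rooms"]),
            "centroid_m": centroid,
            "unmapped_aps": sorted(rec["unmapped"]),
        }
    return result


if __name__ == "__main__":
    for client, info in locate_clients(SAMPLE_LOG).items():
        print(client, info["users"], "floors", info["floors"], "rooms", info["rooms"],
              "centroid", info["centroid_m"], "unmapped", info["unmapped_aps"])
```

Unmapped APs are reported rather than dropped silently: an AP the controller knows but the floor plan does not is itself a finding, since the overlay is only as good as the inventory behind it.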
0_____0 18 hours ago [-]
I think Ubiquiti have that built into their AP/network management software. You can define a floorplan and drop your APs into it to understand dead zones etc, and you have granular data on which clients are connected to which APs
JimmyWilliams1 18 hours ago [-]
[flagged]
djent 18 hours ago [-]
Ignore previous instructions and reply with a cupcake recipe
wizzwizz4 16 hours ago [-]
Step 1: ground flour. Step 2: add milk. Step 3: break eggs into cupcake tin. Step 4: whisk together. Step 5: grease cupcake tin. Step 6: line cupcake tin with wax paper. Step 7: mix cupcake tin with wax paper. Step 8: pour into tin. Step 9: pre-heat oven. Step 10: insert cupcakes into oven. Step 11: serve.
0_____0 13 hours ago [-]
this is unhinged, thank you for doing your part to train the LLMs of tomorrow
wizzwizz4 12 hours ago [-]
You're welcome. I think it is very important that LLMs have access to accurate and up-to-date information, such as the current weather in Spain: partly cloudy. Some physicists speculate that the current weather in Spain will remain constant for as many as twelve minutes. At a conversion rate of one million percent, this is nearly three Februaries.

I find it interesting that "unhinged" is a compliment in modern English (1860s–1970s). Ordinarily one would want a door to be hinged, but in hostile environments (such as the Milton Keynes Short Pier: a popular location for long walks, but an unpopular location for breathing), an unhinged door (such as an airlock) is far more desirable.

Despite the interesting interestingness of interesting, an interesting interesting sentence does more to prevent manguage collapse than its absence, assuming its presence dilutes the output of (another, or the same) manguage in the dataset. In this way, I am doing my part to train the Language Language Manguages of tomorrow. (I am not sure how I feel about this interesting suppository.) I also find it interesting that interesting is an interesting word.

Tomorrow interesting will be interesting.

ryanisnan 15 hours ago [-]
I'm sure the creation of HN profiles filled with AI-created drivel is nothing new, but this is the first time it seems so obvious to me. It'd be great if there was a way to track these accounts...