Author: Joseph Salazar

Wireless CVEs explode in 2024

Wireless Threat Growth 1998 - 2024, Source: NIST National Vulnerability Database

Wireless communication has become the backbone of modern connectivity, but its ubiquity brings an ever-growing set of vulnerabilities. The latest data highlights an alarming trend: the number of wireless-related Common Vulnerabilities and Exposures (CVEs) continues to increase annually.

The chart above shows that the cumulative count of wireless-related CVEs has skyrocketed since tracking began in 1998. A staggering 716 new wireless CVEs appeared in 2024 alone, accounting for 20% of all wireless-related CVEs recorded over the past 27 years. In other words, one fifth of all known wireless vulnerabilities were published in a single year.

This sharp increase underscores a key challenge in cybersecurity: what we know is only the tip of the iceberg. Published CVEs represent vulnerabilities researchers have identified, documented, and disclosed to the public. Many more remain undiscovered, and some of those are already known to malicious actors who exploit them before they are publicly acknowledged or patched.

Complexity Breeds Vulnerability

Why are we seeing this exponential growth in wireless vulnerabilities? One major factor is the increasing complexity of wireless protocols and systems. Wireless specifications become more intricate as technology evolves to support new use cases, such as the Internet of Things (IoT), smart cities, and advanced industrial automation. Each layer of added complexity introduces potential new attack vectors.

Consider the technologies driving this growth:

  • Wi-Fi: The backbone of personal and corporate wireless connectivity continues to evolve, but each iteration brings new vulnerabilities.
  • Bluetooth: Although Bluetooth is ubiquitous in consumer devices, its vulnerabilities have risen sharply as more critical applications leverage it.
  • Cellular: As 5G networks expand and new protocols develop, the attack surface for cellular vulnerabilities grows alongside them.
  • Zigbee and Other IoT Protocols: With IoT devices proliferating across homes, businesses, and industries, attackers increasingly target protocols like Zigbee.

The interactions between these technologies, and their integration into increasingly complex ecosystems, create a perfect storm for vulnerabilities to thrive.

For every published CVE, countless others may lurk beneath the surface, unknown to researchers but actively exploited by malicious actors. These zero-day vulnerabilities pose significant risks, particularly to organizations that rely on wireless communication for mission-critical operations. The stakes are higher than ever, from corporate data centers to industrial control systems.

Mitigating the Threat

The accelerating pace of CVE growth highlights the need for proactive measures to secure wireless environments. Organizations must:

  1. Adopt Continuous Monitoring: Implement systems that provide 100% passive wireless monitoring, like Bastille’s solution, to detect and mitigate threats in real-time without disrupting operations.
  2. Prioritize Patch Management: Ensure timely updates to address known vulnerabilities, especially as new CVEs are published.
  3. Invest in Threat Intelligence: Stay ahead of emerging threats by leveraging threat intelligence to understand the evolving landscape.
  4. Embrace Zero Trust Architecture: Apply zero trust principles to wireless networks, limiting access and verifying all connections.

How Bastille Can Help

Bastille Networks offers a comprehensive solution to tackle the growing threat of wireless vulnerabilities. By providing 100% passive monitoring, Bastille ensures that organizations can detect and analyze wireless threats without introducing additional risks or disruptions.

Key features of Bastille’s platform include:

  • Real-Time Threat Detection: Bastille’s system identifies wireless anomalies and potential attacks as they happen, enabling organizations to respond immediately.
  • Comprehensive Coverage: The platform monitors all major wireless protocols, including Wi-Fi, Bluetooth, cellular, and IoT standards like Zigbee, offering a unified view of the wireless threat landscape.
  • Granular Insights: Bastille provides detailed information about detected vulnerabilities, empowering security teams to investigate and mitigate risks effectively.
  • Scalability and Flexibility: Designed to integrate seamlessly into diverse environments, Bastille supports a wide-ranging set of use cases, from corporate networks to industrial systems.

With Bastille’s solution, organizations gain unparalleled visibility into their wireless environments. This visibility allows them to uncover and address vulnerabilities before attackers exploit them. In an era of accelerating wireless CVEs, Bastille equips businesses with the tools to stay ahead of the curve.

Looking Ahead

As wireless technology evolves, so do its vulnerabilities. The exponential growth of CVEs underscores a critical reality: we must stay vigilant and proactive in addressing known and unknown threats. Complexity may breed vulnerability, but through continuous innovation and robust security practices, we can mitigate the risks and ensure that wireless communication is a secure cornerstone of modern life.

Let’s continue the conversation. What steps is your organization taking to secure its wireless ecosystem in the face of these growing threats?

Why Network-Based Controls Aren’t Enough for Wireless Airspace Defense


Organizations today depend on wireless technologies such as Wi-Fi, Bluetooth, and cellular networks to maintain seamless operations. As wireless communication continues to expand, so do the associated security challenges. Many organizations rely on network-based controls, including Network Access Control (NAC), logs, and inventory scans, to protect sensitive data and network integrity. While these solutions are necessary for mitigating particular Wi-Fi threats, they lack the broad coverage and real-time threat mitigation capabilities of Wireless Airspace Defense solutions like Bastille.

The Role of Network-Based Controls in Wi-Fi Security

Organizations have widely deployed network-based security controls to regulate access and manage security risks associated with corporate networks. These solutions provide a fundamental layer of protection in mitigating threats within managed network infrastructure.

Network Access Control (NAC)

NAC systems enforce security policies by controlling which devices can connect to an organization’s network. NAC solutions can:

  • Restrict access to unauthorized or non-compliant devices.
  • Enforce authentication and endpoint security policies.
  • Detect and quarantine suspicious network activity.

While NAC helps prevent unauthorized access, its scope is limited to known devices and trusted networks. It does not address threats from rogue wireless signals outside the managed infrastructure, such as unauthorized Wi-Fi hotspots or Bluetooth attacks.

Logs and Inventory Scans

Logs and inventory scans provide organizations with valuable insights into network activity. They help security teams:

  • Track device connections and user behavior.
  • Identify anomalies that may indicate a security threat.
  • Maintain an inventory of all network-connected devices for compliance purposes.

However, these solutions rely on post-event analysis, making them reactive rather than proactive. Traditional network logs may never detect a breach if an attacker uses a rogue access point or cellular network to infiltrate a network.

The Limitations of Network-Based Controls

While NAC, logs, and inventory scans provide essential security measures, they fail to offer comprehensive protection against modern wireless threats. Traditional network security tools focus on traffic within the managed infrastructure, often ignoring unauthorized devices that operate outside it but still pose a risk. Wi-Fi, Bluetooth, and cellular-based attacks can occur outside the monitored network perimeter yet target internal systems or devices while avoiding standard network security measures. Attackers frequently bypass NAC and logs by using these wireless technologies.

A recent example of such a threat involved a large financial services company that deployed Bastille’s Wireless Airspace Defense solution at one of its data halls, which processes millions of dollars in daily transactions. After deployment, the Bastille system discovered and addressed several minor security issues and made one significant finding.

Bastille detected a device moving around the facility with a non-corporate Wi-Fi Access Point name on at least four occasions during the month. Each time it appeared, a device in one of the server cabinets immediately connected to it for an average of sixty-two minutes, enabling sustained communication between a data hall server rack and an unauthorized personal device. Bastille also detected cellular activity in the area, creating a data exfiltration path and potentially compromising the sensitive financial data on those servers.

This finding highlights the wireless risks organizations face. The wireless intrusion that occurred four times during the month went unnoticed in a data center fortified against physical breaches with extensive network security. The fact that a device in a server cabinet connected and transmitted data to another device is a security issue in itself. The ability of this Access Point to connect to the outside world via cellular networks for instant data exfiltration is even more alarming. This incident exemplifies how invisible and undetected connections can become unguarded gateways, putting valuable digital assets at risk.
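The data-hall finding above can be written down as detection logic that a security team could run over the event feed of any passive wireless sensor. The following Python is an added example, not Bastille's code or anything from the original post; the log format, the corporate SSID list, the zone names and the addresses are all constructed. It looks for exactly the pattern described: a non-corporate SSID that recurs on several days, a device in a server zone associating with it, the length of those sessions, and cellular activity observed in the same zone while a session is open.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of passive-sensor observations (not real data). Each line:
# timestamp, event kind, sensor zone, device address, and either the SSID
# (beacon/assoc/disassoc) or a radio tag (cell).
SAMPLE_EVENTS = """\
2024-05-02T10:00:00 beacon   hall-a  aa:bb:cc:00:00:01 CORP-SECURE
2024-05-02T10:01:00 beacon   hall-a  de:ad:be:ef:00:01 Joe_Phone
2024-05-02T10:01:30 assoc    rack-07 02:00:00:00:00:07 Joe_Phone
2024-05-02T10:02:00 cell     rack-07 de:ad:be:ef:00:01 LTE
2024-05-02T11:03:30 disassoc rack-07 02:00:00:00:00:07 Joe_Phone
2024-05-09T14:00:00 beacon   hall-a  de:ad:be:ef:00:01 Joe_Phone
2024-05-09T14:00:20 assoc    rack-07 02:00:00:00:00:07 Joe_Phone
2024-05-09T15:00:20 disassoc rack-07 02:00:00:00:00:07 Joe_Phone
2024-05-16T09:30:00 assoc    rack-07 02:00:00:00:00:07 CORP-SECURE
2024-05-16T17:30:00 disassoc rack-07 02:00:00:00:00:07 CORP-SECURE
"""

CORPORATE_SSIDS = {"CORP-SECURE"}   # assumed list of approved SSIDs
SERVER_ZONES = {"rack-07"}          # assumed sensor zones covering server cabinets


@dataclass
class Event:
    ts: datetime
    kind: str
    zone: str
    addr: str
    tag: str


def parse_events(text):
    """Parse the whitespace-separated sensor log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, zone, addr, tag = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, zone, addr, tag))
    return events


def find_rogue_ap_sessions(events):
    """Correlate associations from server zones to non-corporate SSIDs.

    Returns {ssid: {"occurrences": distinct days seen, "avg_minutes": mean
    session length, "cellular_during_session": bool, "severity": str}}.
    """
    open_sessions = {}              # (client addr, ssid) -> association time
    sessions = defaultdict(list)    # ssid -> [(client, zone, start, end)]
    cell_sightings = []             # (zone, time) of observed cellular activity

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "cell":
            cell_sightings.append((ev.zone, ev.ts))
            continue
        if ev.tag in CORPORATE_SSIDS or ev.zone not in SERVER_ZONES:
            continue
        key = (ev.addr, ev.tag)
        if ev.kind == "assoc":
            open_sessions[key] = ev.ts
        elif ev.kind == "disassoc" and key in open_sessions:
            sessions[ev.tag].append((ev.addr, ev.zone, open_sessions.pop(key), ev.ts))

    findings = {}
    for ssid, sess in sessions.items():
        minutes = [(end - start).total_seconds() / 60 for _, _, start, end in sess]
        days = {start.date() for _, _, start, _ in sess}
        # Cellular activity in the same zone while a session was open points at
        # an exfiltration path that never touches the corporate network.
        cellular = any(
            zone == cz and start <= ct <= end
            for _, zone, start, end in sess
            for cz, ct in cell_sightings
        )
        findings[ssid] = {
            "occurrences": len(days),
            "avg_minutes": round(sum(minutes) / len(minutes), 1),
            "cellular_during_session": cellular,
            "severity": "critical" if cellular and len(days) > 1 else "high",
        }
    return findings


if __name__ == "__main__":
    for ssid, info in find_rogue_ap_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(ssid, info)
```

Run against the constructed feed, the only finding is the Joe_Phone SSID: two separate days, sessions averaging 61 minutes, and cellular activity in the rack zone during one of them, which the rule set rates critical. The corporate SSID association on 16 May is ignored by design, and a session with no matching disassociation stays open rather than being counted, so an analyst should also watch the open_sessions map for long-lived connections.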

The Need for Wireless Airspace Defense

Organizations must implement wireless airspace defense solutions to address the challenges of modern wireless threats. These solutions provide real-time, full-spectrum monitoring to detect unauthorized or rogue devices operating outside the managed infrastructure. Unlike traditional network-based controls, they cover a wider range of threats across Wi-Fi, Bluetooth, cellular, and IoT networks.

Why Wireless Airspace Defense is Essential

  • Expanding Attack Surface: As more devices rely on wireless connectivity, organizations face increasing threats, from unauthorized IoT devices to malicious cellular hotspots.
  • Protection Beyond Perimeter-Based Security: Wireless threats originate from external actors and internal vulnerabilities, including employees inadvertently connecting to unsafe networks or using personal hotspots.
  • Real-Time, Proactive Security: Unlike NAC and logs, which react after an event, wireless airspace defense actively monitors and detects anomalies before they escalate into full-scale breaches.
  • Detection of Covert Wireless Channels: Attackers often exploit lesser-known frequencies to bypass security measures. Wireless airspace defense solutions monitor a wide range of the RF spectrum, identifying threats traditional tools overlook.
  • Compliance and Risk Mitigation: Industries with strict regulatory requirements (such as finance, healthcare, and government) need enhanced security solutions to maintain compliance and prevent breaches that could lead to severe financial and reputational damage.

Bastille Wireless Airspace Defense

Bastille is the leading provider of wireless airspace defense. Bastille provides a 100% passive monitoring system offering unparalleled visibility into the wireless spectrum and detecting threats beyond the managed network infrastructure.

Key Advantages of Bastille Wireless Airspace Defense

  1. Full-Spectrum Wireless Monitoring: Unlike NAC and logs, Bastille detects threats across Wi-Fi, Bluetooth, cellular, and IoT networks, covering the entire RF spectrum from 100 MHz to 7.125 GHz.
  2. Real-Time Threat Detection: Bastille monitors unauthorized devices and anomalous wireless activity, allowing security teams to respond proactively before an attack escalates.
  3. Unauthorized Device Location Tracking: Bastille pinpoints the physical location of rogue wireless devices, enabling organizations to take immediate action against potential threats.
  4. Protection Against Insider and External Threats: Whether an employee unknowingly connects to a malicious Bluetooth device or an external attacker sets up a rogue access point, Bastille’s solution ensures these threats are detected and mitigated.
  5. Enhanced Security for Air-Gapped Environments: Even in highly secure, air-gapped environments, Bastille detects unauthorized wireless transmissions that adversaries could use for espionage or data exfiltration.

Conclusion

While network-based controls like NAC, logs, and inventory scans remain essential for managing and mitigating specific Wi-Fi threats, they fail to address the full spectrum of modern wireless security risks. Wireless airspace defense solutions like Bastille complement traditional network security by providing real-time, full-spectrum threat detection, ensuring that organizations remain protected against known and unknown wireless threats. By incorporating Bastille Wireless Airspace Defense, organizations can significantly enhance their security posture, safeguarding their infrastructure from evolving threats in today’s wireless-dependent world.

Protecting from BLE Data Exfiltration Attacks with Bastille Networks


In the modern corporate environment, Bluetooth Low Energy (BLE) is increasingly common in wireless communications for IoT devices, medical equipment, and consumer electronics. People come into the office wearing fitness trackers, wireless headphones, and hearing aids. However, while BLE is convenient for its power savings, ease of use, and efficient data transfer, it introduces vulnerabilities that attackers can exploit to exfiltrate sensitive data from BLE-enabled devices. Bastille Networks provides comprehensive protection against these threats by detecting, identifying, and mitigating BLE-based attacks, including those designed to exfiltrate data.

The BLE Threat Landscape

Attackers and researchers have exploited or demonstrated several notable BLE vulnerabilities in real-world scenarios, highlighting their potential for data exfiltration. The following non-exhaustive list enumerates several recent attacks and proof-of-concept demonstrations that show the potential threat of BLE devices to the enterprise network.

BlueBorne Attack (2017)

The BlueBorne attack leverages vulnerabilities that allow attackers to target Bluetooth-enabled devices without pairing or user interaction. It exploited flaws in the Bluetooth protocol stack, specifically in how devices processed incoming Bluetooth connections. Attackers could spread the attack over the air, gaining remote control over devices, including smartphones, laptops, and IoT devices. Attackers could execute arbitrary code, gaining access to sensitive data like emails, files, and communications. The attack affected billions of devices and required no user interaction. In a proof-of-concept demonstration, researchers took control of Android devices and intercepted user communications, displaying BlueBorne’s potential for data exfiltration.

BLEEDINGBIT (2018)

The BLEEDINGBIT vulnerabilities affected Texas Instruments’ BLE chips in enterprise-grade Wi-Fi access points. These vulnerabilities allowed attackers to execute code remotely on the target device, which they could use to compromise the network the device connected to.

By gaining a foothold in the network, an attacker could use compromised access points to exfiltrate sensitive or privileged data. BLEEDINGBIT allowed attackers to implant backdoors or bypass memory protection mechanisms. Researchers showed that attackers could also use compromised access points to infiltrate secure networks, potentially leading to business communications and credentials theft.

SweynTooth (2020)

SweynTooth is a collection of vulnerabilities that impacted BLE systems, including multiple IoT and medical devices. These vulnerabilities allowed attackers to trigger crashes, bypass security features, and sometimes gain unauthorized access to sensitive data. SweynTooth affected devices like pacemakers and smart home products, with attackers able to bypass encryption and access personal or medical information. Researchers demonstrated how attackers could turn off security in BLE-enabled medical devices, potentially accessing sensitive health records.

BLESA (2020)

BLESA exploits flaws in the BLE reconnection process, allowing attackers to spoof previously trusted devices, bypass authentication, and access sensitive data. The attack allows the impersonation of legitimate devices, such as fitness trackers, enabling unauthorized access to personal data during BLE communication. In a proof-of-concept, researchers spoofed connections to fitness trackers and medical devices, gaining access to personal data without user interaction.

NCC Group’s Bluetooth Attack on Tesla Key Fobs (2022)

Researchers from NCC Group exploited a vulnerability in the BLE protocol to unlock and start Tesla cars by relaying signals between the vehicle and the key fob. This attack bypassed proximity-based security measures, highlighting risks in BLE authentication systems. While focused on vehicle access, similar attacks could lead to data exfiltration in other BLE-enabled systems. Researchers demonstrated the attack successfully on Tesla Model 3 and Model Y vehicles, highlighting BLE relay vulnerabilities.

BrakTooth (2021)

BrakTooth affected Bluetooth stacks in millions of consumer devices, allowing remote code execution and denial-of-service attacks. Although primarily designed to disrupt device operations, attackers could use BrakTooth to gain control of devices, potentially leading to data theft. Researchers triggered crashes and remote code execution on Bluetooth-enabled smartphones and laptops, demonstrating how attackers could exploit BrakTooth for data exfiltration.

Bastille Networks Solution

Bastille’s technology uses advanced software-defined radios (SDRs) to continuously monitor the radio spectrum, detecting anomalies and unauthorized BLE activity. By identifying devices attempting unauthorized connections or data transmission, Bastille can stop data exfiltration before it occurs.

Bastille extends visibility beyond BLE, covering Bluetooth classic (BT), Wi-Fi, cellular, and other wireless protocols. This integrated approach ensures the solution can detect sophisticated attacks that combine multiple wireless technologies. Bastille can see both advertising BLE devices and established data connections between paired BLE devices. Bastille can accurately identify devices based on their RF signature, distinguishing between trusted and untrusted devices. This capability is crucial in detecting spoofed BLE devices, such as in BLESA attacks, where attackers impersonate legitimate devices.

When the solution detects suspicious activity, Bastille generates immediate alerts and can automatically trigger defensive actions, such as disconnecting malicious devices or isolating them from sensitive systems. Bastille’s solution integrates seamlessly with existing enterprise security systems, providing detailed insights into wireless threats and ensuring that security teams address BLE vulnerabilities, such as those found in BLEEDINGBIT or BrakTooth, within the broader security architecture.

Conclusion

As BLE becomes increasingly integrated into business operations and the enterprise environment, the potential for data exfiltration via wireless vulnerabilities grows. Bastille Networks offers a comprehensive solution to detect, identify, and neutralize these threats, ensuring that sensitive data remains secure. Whether defending against established vulnerabilities like BlueBorne and BLEEDINGBIT or emerging threats like SweynTooth and BrakTooth, Bastille provides unmatched protection for BLE-enabled environments.

Critical AirPlay Vulnerabilities Discovered

What You Need to Know About Apple’s Latest Security Update

Apple has released crucial security updates to address multiple vulnerabilities in AirPlay, the company’s widely used wireless media-sharing protocol. The Oligo Security research team identified these vulnerabilities, which pose significant risks, including denial-of-service (DoS) attacks and Remote Code Execution (RCE), which could allow attackers to gain unauthorized control over devices.

Understanding the Impact

The discovered vulnerabilities impact a broad range of Apple platforms, including:

  • macOS (MacBooks, iMacs, and Mac Mini)
  • iOS (iPhones)
  • iPadOS (iPads)
  • watchOS (Apple Watch)
  • tvOS (Apple TV)
  • visionOS (Apple Vision Pro)

Severity of the Exploit

Oligo uncovered five critical vulnerabilities, each targeting different aspects of AirPlay’s communication and memory-handling mechanisms. These flaws could allow attackers to:

  • Take complete control of affected devices – Attackers could execute arbitrary code remotely, allowing them to manipulate or exfiltrate user data.
  • Repeatedly crash the AirPlay service – Disrupting media streaming or device functionality through DoS attacks.
  • Execute malicious code remotely – Threat actors could send specially crafted packets over the network to trigger a system compromise.
  • Corrupt process memory – Leading to unstable system behavior, potential data leaks, or full system crashes.

Technical Breakdown: The Identified Vulnerabilities

Apple has assigned the following CVE identifiers to the vulnerabilities, highlighting their severity:

  • CVE-2025-24126 – Input Validation Flaw: Improper input validation within AirPlay could allow malicious packets to cause system termination or memory corruption.
  • CVE-2025-24129 – Type Confusion Vulnerability: Attackers on the same network could exploit this issue to crash applications or execute arbitrary code remotely.
  • CVE-2025-24131 – Memory Handling Weakness: A denial-of-service (DoS) vulnerability that attackers in privileged network locations could trigger.
  • CVE-2025-24177 – Null Pointer Dereference: Sending malformed AirPlay requests could cause devices to crash repeatedly.
  • CVE-2025-24137 – Remote Code Execution (RCE) via Type Confusion: This critical flaw could allow attackers to gain persistent remote access to the device.

Mitigation: How to Protect Your Devices

Given the severity of these vulnerabilities, users should take immediate action to secure devices and networks:

  • Install Apple’s Latest Security Updates – Ensure all iPhones, iPads, Macs, Apple TVs, Watches, and Vision Pro devices are on the latest OS versions.
  • Disable AirPlay (if unnecessary) – Users who do not frequently use AirPlay should turn off the AirPlay Receiver function to reduce exposure.
  • Restrict Network Access – Configure firewalls to limit AirPlay communication (port 7000) to trusted devices only.
  • Tighten AirPlay Access Controls – Change AirPlay settings to “Current User Only” to prevent unauthorized connections.

Beyond Patching: The Need for Wireless Threat Detection

While Apple’s patches address these vulnerabilities, they highlight a broader issue: wireless attack vectors remain a critical security blind spot. Organizations cannot rely solely on patching because:

  • Zero-Day Threats Are Increasing – Attackers exploit unknown weaknesses before patches become available.
  • Wireless Attacks Are Hard to Detect – Traditional security tools cannot see RF-based threats in the environment.
  • Unpatched & Unpatchable Devices Exist – Some enterprise environments cannot update all devices immediately, leaving security gaps.

How Bastille Helps Organizations Secure Their Wireless Airspace

Bastille’s Wireless Airspace Defense platform provides continuous, real-time RF monitoring to detect and respond to anomalous wireless activity, even when attackers exploit unknown vulnerabilities. By analyzing radio frequency (RF) transmissions across 25 MHz to 7.125 GHz, Bastille can:

  • Detect Unauthorized Wireless Signals – Identify rogue devices attempting to exploit AirPlay and other wireless vulnerabilities.
  • Monitor for AirPlay Exploits – Alert security teams if suspicious AirPlay transmissions occur in the environment.
  • Identify and Track Wireless Threats – Locate and mitigate unauthorized RF-based attacks targeting corporate networks.

Final Thoughts

The newly discovered AirPlay vulnerabilities reinforce the importance of proactive wireless security. Organizations must move beyond traditional network defenses and adopt RF-based threat detection to safeguard against attacks leveraging unpatched wireless vulnerabilities. By integrating Bastille’s Wireless Airspace Defense, enterprises can gain complete visibility into wireless threats in their environment, ensuring their networks remain secure even when vulnerabilities emerge in widely used protocols like AirPlay.

AMA with Brian Contos and Brett Walkenhorst (Bastille) on the Nearest Neighbor Attack

On December 17, 2024, Brian Contos spoke with Brett Walkenhorst, Bastille Networks’ Chief Technology Officer, recording a quick Ask Me Anything video about the recent wireless attack that Volexity disclosed.

The conversation explores the “Nearest Neighbor Attack,” an innovative wireless attack strategy highlighting how attackers bypass traditional proximity-based security assumptions. It delves into the attack’s mechanics and implications and discusses how Bastille Networks’ solutions address these challenges.

Volexity states, “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target while allowing the operator to be thousands of miles away.”

The Nearest Neighbor Attack exemplifies the ingenuity and persistence of modern cyber adversaries. It underscores the need for comprehensive wireless security solutions like Bastille Networks, which provide visibility, detection, and actionable responses to mitigate these evolving threats. By integrating seamlessly with existing systems, Bastille addresses critical gaps in wireless security and helps organizations stay ahead of attackers.

Watch the video to hear the full discussion.

Samsung Employee Indicted for Stealing $180 Million in Intellectual Property Using Phone Camera, Seoul Prosecutors Claim

A recent industrial espionage case in South Korea highlights how insider threats can leverage physical and wireless vulnerabilities to exfiltrate highly sensitive intellectual property. The incident, which South Korean prosecutors value at over $180 million in damages, demonstrates why organizations need comprehensive visibility into all potential data exfiltration channels, including personal cell phones.

The Incident

The Seoul Eastern District Prosecutors’ Office indicted a former Samsung Display researcher for allegedly stealing trade secrets related to automated factory operations and leaking them to a Chinese competitor. The researcher, who was based in China while working for Samsung Display, is accused of photographing at least 17 key documents covering Samsung’s Digital Display IP and transmitting them directly to employees of the Chinese firm between November 2021 and May 2022.

The Security Gaps

This case exposes several critical vulnerabilities that many organizations still struggle to address:

  1. Unauthorized Data Transmission: The suspect photographed and transmitted sensitive data directly to external parties without detection, using their mobile device, thus bypassing traditional network monitoring.
  2. Physical-Digital Convergence: The attacker exploited the gap between physical security controls and digital security monitoring by photographing confidential information and wirelessly transmitting it.
  3. Prolonged Exfiltration: The continuous data transmission over several months suggests a gap in the ability to detect anomalous wireless activity within secure areas.

The Impact

Prosecutors estimate the economic damage at 241.2 billion won (approximately $180 million), and experts suggest the technological gap created by this leak represents about ten years of R&D advantage. More concerning, during a May 2024 search of the employee’s residence, investigators discovered additional trade secrets beyond the 17 photographs that earlier investigations had missed.

Key Lessons for CISOs

This incident underscores why modern security programs must:

  • Monitor all potential data exfiltration vulnerabilities, including the proximity of personal phones to restricted areas with sensitive information.
  • Maintain continuous visibility into wireless device activity within sensitive areas.
  • Deploy solutions that can detect anomalous wireless transmissions in real time.
  • Correlate physical and digital security data for more effective threat detection.

The ability to detect and prevent wireless data exfiltration is no longer optional – it’s a critical requirement for protecting intellectual property in today’s threat landscape. Organizations must ensure complete visibility into their wireless airspace to identify potential insider threats before critical data leaves the building.

FBI and NSA warn of three new wireless attack vectors already exploited in the wild

In a joint cybersecurity advisory released October 10th, 2024, the FBI, NSA, UK NCSC, and other Western intelligence agencies warned that Russia’s Foreign Intelligence Service (SVR) continues to successfully breach private sector and government networks worldwide using a combination of traditional network attacks and concerning new wireless intrusion techniques.

The Wireless Vulnerabilities

The advisory highlights 24 specific vulnerabilities that network defenders should remediate to protect themselves against active exploitation from SVR (also known as APT-29, Midnight Blizzard, and Cozy Bear). While many of the highlighted CVEs target traditional network infrastructure like Microsoft Exchange Server and Apache, three vulnerabilities specifically enable wireless attacks that can compromise devices without requiring direct network access:

1. The agencies highlight CVE-2023-24023, a vulnerability in Bluetooth pairing that allows attackers within wireless range to conduct man-in-the-middle attacks, downgrade encryption, and potentially intercept or inject communications between Bluetooth devices.

2. The alert also suggests the SVR is exploiting CVE-2023-45866, a vulnerability that lets attackers within proximity of Bluetooth keyboards inject keystrokes and execute arbitrary commands on the connected computer – essentially giving them remote control of the machine through its wireless peripherals.

3. Third, and perhaps most concerning, is CVE-2023-40088, which enables remote code execution on Android devices through a “proximal/adjacent” Bluetooth attack without requiring any user interaction. This means an attacker needs only a transmitting device within wireless range of the target; that device does not have to be connected to the target’s network.

Attacker Strategy

The intelligence agencies note that SVR hackers are performing both targeted and opportunistic compromises of organizations by combining exploitation of traditional tactics like password spraying, supply chain compromise, and cloud account takeover with newer tactics. This hybrid approach lets them breach networks through conventional means and exploit wireless devices. The most concerning is how threat actors could hybridize these attacks – all of APT-29’s other profiled tactics are remote. As another Russian state-affiliated actor, APT-28, has shown with their Nearest Neighbor Attack, attackers thousands of miles away and outside an organization’s network security perimeter can control those devices launching wireless attacks remotely. Investigators found APT-28 remotely compromised the networks of nearby buildings and then launched wireless attacks from the devices on those neighboring networks. The alert does not specify that this is what APT-29 is doing. However, a joint cybersecurity advisory telling organizations around the globe to patch three separate proximal/adjacent wireless attack vectors suggests APT-29 can exploit these wireless attacks at scale.

“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said Dave Luber, NSA’s Cybersecurity Director. The advisory states that SVR has “consistently targeted US, European, and global entities in the defense, technology, and finance sectors.”

The agencies strongly recommend organizations patch these vulnerabilities immediately, implement multi-factor authentication wherever possible, audit cloud accounts regularly, and, notably, “baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.” This recommendation suggests organizations need better visibility into what wireless devices are actually present in their facilities, not just what’s officially connected to their networks.
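The advisory's baselining recommendation can be turned into a simple, repeatable check. The following is an added example, not Bastille's or the advisory's code: it compares one sweep of airspace sensor observations against an authorized-device baseline and escalates unknown devices that are associated with a corporate network or sit in a sensitive zone, while flagging known devices that turn up in unexpected zones or on unexpected networks. The observation fields, MAC addresses, SSIDs and zone names are constructed.

```python
"""Baseline check for devices observed in the wireless airspace.

Added example to illustrate the advisory's "baseline authorized devices" guidance;
it is not Bastille's or the advisory's code. The observation fields, the baseline
entries and the sample observations are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observation:
    mac: str             # hardware address as reported by the sensor
    protocol: str        # "wifi", "bluetooth" or "cellular"
    zone: str            # physical zone the sensor located the device in
    peer: Optional[str]  # network/SSID the device is associated with, if any


# Constructed baseline: which devices are authorized, where they normally live,
# and which networks they are allowed to associate with.
AUTHORIZED_DEVICES: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"owner": "badge-reader-lobby", "zones": {"lobby"}, "peers": {"CORP-IOT"}},
    "aa:bb:cc:00:00:02": {"owner": "laptop-jdoe", "zones": {"floor-2", "lobby"}, "peers": {"CORP"}},
}
CORPORATE_NETWORKS = {"CORP", "CORP-IOT"}  # constructed SSIDs that reach internal resources
SENSITIVE_ZONES = {"scif-annex"}          # constructed zones where unknown radios matter most


def _finding(kind, severity, obs, owner):
    return {"finding": kind, "severity": severity, "mac": obs.mac, "protocol": obs.protocol,
            "zone": obs.zone, "peer": obs.peer, "owner": owner}


def evaluate(observations: List[Observation], baseline=AUTHORIZED_DEVICES) -> List[dict]:
    """Return one finding per observation that deviates from the baseline."""
    findings = []
    for obs in observations:
        entry = baseline.get(obs.mac.lower())
        if entry is None:
            # Unknown device: escalate if it is on a corporate network or in a sensitive zone.
            if obs.peer in CORPORATE_NETWORKS:
                kind, severity = "unknown-device-on-corporate-network", "high"
            elif obs.zone in SENSITIVE_ZONES:
                kind, severity = "unknown-device-in-sensitive-zone", "high"
            else:
                kind, severity = "unknown-device", "low"
            findings.append(_finding(kind, severity, obs, owner=None))
            continue
        # Known device: flag deviations from its recorded zones and networks.
        if obs.zone not in entry["zones"]:
            findings.append(_finding("authorized-device-outside-baseline-zone", "medium", obs, entry["owner"]))
        if obs.peer is not None and obs.peer not in entry["peers"]:
            findings.append(_finding("authorized-device-unexpected-connection", "medium", obs, entry["owner"]))
    return findings


# Constructed sensor observations for one sweep.
SAMPLE_OBSERVATIONS = [
    Observation("aa:bb:cc:00:00:01", "wifi", "lobby", "CORP-IOT"),     # baseline-conformant
    Observation("aa:bb:cc:00:00:02", "wifi", "floor-2", "CORP"),       # baseline-conformant
    Observation("aa:bb:cc:00:00:02", "wifi", "scif-annex", "CORP"),    # known laptop in a zone it never visits
    Observation("de:ad:be:ef:00:01", "wifi", "floor-2", "CORP"),       # unknown client on the corporate SSID
    Observation("de:ad:be:ef:00:02", "bluetooth", "lobby", None),      # unknown phone in the lobby, informational
    Observation("de:ad:be:ef:00:03", "cellular", "scif-annex", None),  # unknown cellular radio in a sensitive zone
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_OBSERVATIONS):
        print(f"[{f['severity']:6}] {f['finding']}: {f['mac']} ({f['protocol']}) in {f['zone']} peer={f['peer']}")
```

The point of the split between "unknown device" and "unknown device on a corporate network" is the advisory's own distinction: presence in the airspace alone is informational, but a device outside the baseline that is actually reaching network resources is what deserves the additional scrutiny.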

Why Wireless Airspace Defense

In the alert, the authoring agencies “recommend testing your existing security controls to assess how they perform against the techniques described in this advisory,” three of which are wireless attack techniques.

Intelligence agencies have recently started highlighting other Russian hacking groups exploiting wireless vulnerabilities. In June 2024, the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services released a cyber advisory on the Qilin Ransomware Group, which listed MITRE ATT&CK “T1011.001 – Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth” as one of its tactics. Cybersecurity firm Volexity reported on the Nearest Neighbor Attack mentioned above in November 2024.

How To Protect Your Wireless Airspace

Organizations should review the full advisory for a complete list of vulnerabilities and detailed mitigation guidance. The key takeaway is that network defenders can no longer focus solely on protecting network perimeters – they must also actively monitor and secure the wireless airspace around their facilities, as sophisticated adversaries are increasingly exploiting these invisible attack vectors.

Contact Bastille today to learn how your organization can protect against these and other wireless vulnerabilities.

NSA Issues Updated Guidance on Russian SVR Cyber Operations – National Security Agency/Central Security Service press release
Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace – Bastille
https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF

Pakistani State Actors Compromised Indian Gov with Hak5 Wireless Pentesting Tools — Russia Remotely Hijacked Them

Joint reports from Microsoft Threat Intelligence and Black Lotus Labs disclose details of a years-long hacking campaign by the Russian FSB-linked group Secret Blizzard. Through a sophisticated multi-stage campaign, the group successfully compromised and repurposed Pakistani cyber operations infrastructure used against Afghan and Indian networks.

The Heart of The Investigation: Hardware Hack

While tracking the activity of Pakistani state-affiliated group “Storm-0156”, Black Lotus Labs researchers discovered a C2 server designed to control a suite of deployed Hak5 commercial pen-testing devices remotely. Hak5 sells a variety of disguised penetration testing implant tools that rely on wireless or physical device access to compromise a target. Many of these tools have independent wireless antennas that allow remote C2 control via Hak5 software. Researchers observed Storm-0156’s server (with Hak5’s Commercial C2 Software Banner) with incredibly high data flow from several targets, including the Indian Ministry of Foreign Affairs office in Europe, an Indian national defense organization, and several other government bodies. This activity suggests that Storm-0156 had deployed Hak5 implants on these networks. Black Lotus Labs researchers assume that the group chose Hak5 devices because of the advantage of this attack vector: these wireless and close-access attacks bypass standard EDR/XDR protections. 

The Russian Takeover

What came next was surprising: Every Storm-0156 C2 node used in this operation began communicating with 3 VPS IPs associated with the Russian FSB-linked group “Secret Blizzard” (also known as Turla). As the investigation of Storm-0156’s campaigns progressed, researchers discovered Russia’s Secret Blizzard had compromised 33 command-and-control server nodes used for their Indian and Afghanistan cyber operations campaigns.

Expansion of Operations

The Russian actors didn’t stop at simply monitoring Pakistani operations. By mid-2023, they had:

  • Infiltrated Pakistani operators’ workstations
  • Deployed their custom malware (“TwoDash” and “Statuezy”) into the networks of the Afghan Government Ministry and Intelligence Agencies
  • Acquired control of additional hacking tools used by other threat actors, including “Waiscot” and “CrimsonRAT”
  • Began retargeting Indian networks compromised by Storm-0156

Impact:

While current reports do not disclose further details on Secret Blizzard’s recent campaigns, they already highlight some key strategic implications.

Until the recent Nearest Neighbor Attack alerted the world to the reality of remote wireless attacks, cybersecurity professionals had discounted their organization’s wireless and cyber-physical vulnerabilities. Despite these attacks having many inherent advantages in avoiding EDR/XDR detection, organizations tolerated an increasing debt of wireless and cyber-physical vulnerabilities because they assumed attackers needed “Close Access” to exploit them. The events of 2024 have made clear, however, that attackers are actively leveraging an organization’s lack of wireless airspace visibility in their attack strategy. In the past 6 months, reports on Qilin group, APT-28, APT-29, and Storm-0156 have profiled their use of wireless attack vectors in cyber operations. As we see from the compromised C2 server in this attack, or APT-28’s Nearest Neighbor Attack, attackers can exploit these wireless vulnerabilities remotely.

How Bastille Can Help:

Bastille Networks’ Wireless Airspace Defense would:

  • Immediately identify the location and anomalous connections of any Hak5 wireless device
  • Implement continuous wireless monitoring to detect unauthorized devices and connections
  • Detect and locate all other wireless implants in real time
  • Create alerts for anomalous wireless behavior that could indicate compromised infrastructure
  • Maintain a comprehensive wireless device inventory

Now, more than ever, the ability to detect, locate, and raise alerts on unauthorized wireless devices and connections is a critical security requirement as adversaries increasingly leverage wireless attack methods to bypass traditional defenses.

FBI warns of broad and ongoing Salt Typhoon Telecom Breach

Americans should stop unencrypted texting on their iPhones or Androids

Executive Summary

A confluence of troubling developments has emerged as U.S. officials reveal that Chinese state hackers remain deeply embedded in telecommunications systems. Meanwhile, due to the ongoing breach, the FBI and CISA have taken the unprecedented step of warning Americans to abandon standard text and voice messaging in favor of encrypted communications. This move represents a fundamental shift in how organizations approach personal and corporate wireless device security.

The Ongoing Breach

The Salt Typhoon breach of most U.S. telecommunications providers, initially disclosed to have targeted the presidential campaigns of both Donald Trump and Kamala Harris, now appears to be just a part of an ongoing “broad and significant cyber espionage campaign,” according to CISA Executive Assistant Director Jeff Greene. Greene confirmed the telecommunications compromise is “ongoing and likely larger in scale than previously understood.” “We cannot say with certainty that the adversary has been evicted because we still don’t know the scope of what they’re doing,” said Greene. Senior FBI officials believe the investigation timeline to uncover Salt Typhoon’s full presence in these systems will be “measured in years.”

So far, the investigation has confirmed that attackers gained access to:

  • Individual voice call audio and text message content
  • Bulk customer call metadata and communication patterns
  • Law enforcement surveillance request data

FBI warns Americans to stop sending texts

In light of the ongoing breach, CISA and FBI officials have urged Americans to “use encrypted apps for all their communications.” In the press briefing, Greene added, “Our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

Enterprise IP Targeted

Following Tuesday’s media briefing, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, addressed reporters on Wednesday, stating they now believe that Chinese-state affiliated actors had, in addition to targeting people of political interest to the Chinese government, targeted key enterprise IP. “We believe this is intended as a Chinese espionage program focused, again, on key government officials, key corporate IP, so that will determine which telecoms were often targeted, and how many were compromised as well.” In the same address, Neuberger reiterated that Chinese-state affiliated actors are still in U.S. telecom networks and stated the breach has likely persisted for the last 1-2 years. Neuberger also revealed that officials now believe these attacks have impacted the telecommunications providers of multiple countries in the EU and the Indo-Pacific region, in addition to at least eight telco providers in the U.S.

Enterprise Impact Assessment

U.S. officials’ broad warning of this breach’s potential impact on Americans exposes a critical enterprise security gap that demands immediate attention:

It doesn’t matter if it’s a personal or enterprise-controlled device. Smartphones record an incredible variety of information from their environment and transmit it over networks your organization does not control.

Organizations should establish policies to prevent personal or enterprise cell phones from being near sensitive information that could be (unknowingly) exfiltrated via the device’s voice, camera, or messaging capabilities.

  1. Communication Security: Organizations must reevaluate their wireless communication security, particularly:
     • Executive communications protocols
     • Sensitive business discussions
     • Cross-border communications
  2. Threat Detection Capabilities: Traditional network monitoring may miss wireless-based threats, necessitating:
     • Continuous wireless spectrum monitoring with real-time, precise wireless device location reporting, integrated into existing SIEM and physical security systems to enforce device policy near sensitive locations
     • Real-time anomaly detection
     • Enhanced visibility into wireless device behavior

Strategic Implications

“We need to do some hard thinking long-term on what this means and how we’re going to secure our networks,” acknowledged CISA officials. This crisis represents more than just another data breach – it demonstrates fundamental vulnerabilities in how modern enterprises communicate.

The combination of compromised carrier networks and inherently insecure messaging platforms creates an urgent need for organizations to implement comprehensive wireless security monitoring. Without the ability to detect anomalous cellular activity, device presence, unauthorized connections, and potential compromises, enterprises remain blind to sophisticated attacks that bypass traditional security controls.

How Bastille Can Solve This Problem

Bastille Networks’ Wireless Airspace Defense Sensor Arrays allow organizations real-time visibility and anomaly reporting into the wireless devices transmitting in their environment. 

Bastille integrates into your existing SIEM solution and provides complete visibility alerting for:

  • Unauthorized cellular devices that could be exfiltrating sensitive information
  • Rogue access points that could intercept wireless traffic
  • Bluetooth connections that could create unauthorized data channels
  • Malicious wireless connections to your network infrastructure, like those seen with the recent APT-28 Nearest Neighbor Attack

Contact Bastille today to learn how your organization can secure the vulnerabilities in your wireless airspace attack surface.

Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace

“Your network perimeter probably just got a bit wider.”

Brian Krebs, KrebsOnSecurity.com, November 23rd, 2024

A groundbreaking investigation released November 22, 2024, by Volexity details an alarming new attack vector dubbed the “Nearest Neighbor Attack.” This sophisticated technique allowed Russian state-sponsored attackers to breach a highly fortified target’s network, not by targeting it directly, but by taking control of the wireless networking devices of adjacent companies in buildings within the transmitting range of their target.

The Attack Timeline

In February 2022, just before the Russian invasion of Ukraine, Volexity detected suspicious activity on a customer’s server (which the report referred to as Organization A) that would lead to one of their most fascinating investigations. The Russian APT group GruesomeLarch (APT28/Fancy Bear) had successfully infiltrated their target using a multi-stage attack that exploited fundamental weaknesses in how wireless networks operate:

Initial Compromise:

  • The attackers first conducted password-spray attacks against Organization A’s public-facing web service platform to validate stolen credentials.
  • While they could not use these credentials for remote access due to MFA requirements, the organization’s Wi-Fi network only required username/password authentication.
  • This authentication setting created a critical security gap – but one the attackers couldn’t directly exploit from overseas.

The Neighbor Pivot:

  • To bridge the physical distance gap, the attackers first compromised Organization B across the street from their target.
  • Within Organization B’s network, they searched for and found systems with both wired ethernet and wireless network capabilities.
  • Using these dual-homed systems, they could scan for and connect to nearby wireless networks using the credentials from Organization A they had validated on the web service platform. 
  • These systems gave them direct access to Organization A’s internal network, bypassing external security controls.

Maintaining Persistence:

  • When the attackers lost initial access, they pivoted, compromising another nearby business, Organization C.
  • They used Organization C’s systems to regain wireless access to Organization B and, ultimately, Organization A.
  • Even after remediation efforts, they attempted another way into Organization A through the guest Wi-Fi network, which lacked proper segmentation from the corporate network.
  • The attackers used the Windows Netsh utility to create port forwards, allowing them to pivot from guest wireless to internal systems.
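One concrete check for the last step, the port forwards that bridged guest wireless into internal systems: the following added example (not Volexity's or Bastille's code) parses the output of `netsh interface portproxy show all` and flags every rule whose connect address is a corporate host while its listen address is on the guest wireless segment, or is a wildcard address that listens on every adapter the host has, guest Wi-Fi included. The subnet ranges and the sample netsh output are constructed; run the real command on hosts that have both a guest wireless and a wired corporate adapter and feed its output to find_bridges.

```python
"""Flag Windows portproxy rules that bridge a guest wireless segment into corporate subnets.

Added example for the guest-Wi-Fi-to-internal pivot described above; it is not code
from Volexity's report or from Bastille. The subnet assignments and the sample
`netsh interface portproxy show all` output are constructed.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed addressing: guest Wi-Fi clients sit in 172.16.50.0/24, corporate systems in 10.0.0.0/8.
GUEST_SUBNETS = [ipaddress.ip_network("172.16.50.0/24")]
CORPORATE_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in the layout netsh prints; only the last two rules are problematic.
SAMPLE_NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       5000        127.0.0.1       5001
0.0.0.0         8443        10.20.30.40     3389
172.16.50.12    2222        10.20.30.41     22
"""

SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text: str) -> List[dict]:
    """Parse `netsh interface portproxy show all` output into rule dicts."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1) + "->" + header.group(2)
            continue
        rule = RULE_RE.match(line)  # column headers and dashed rules do not match (ports must be digits)
        if rule and section:
            rules.append({"section": section,
                          "listen_addr": rule.group(1), "listen_port": int(rule.group(2)),
                          "connect_addr": rule.group(3), "connect_port": int(rule.group(4))})
    return rules


def _in_any(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames are not resolved offline; treat as not matching
    return any(ip in net for net in nets)


def classify(rule: dict) -> Optional[str]:
    """Return a finding name if the rule exposes a corporate host to a wireless segment."""
    if not _in_any(rule["connect_addr"], CORPORATE_SUBNETS):
        return None
    try:
        listen_ip = ipaddress.ip_address(rule["listen_addr"])
    except ValueError:
        return "unresolved-listener-to-corporate"  # a name we cannot classify offline; review it
    if listen_ip.is_unspecified:
        return "wildcard-listener-to-corporate"    # 0.0.0.0 / :: binds every adapter, guest Wi-Fi included
    if _in_any(rule["listen_addr"], GUEST_SUBNETS):
        return "guest-listener-to-corporate"       # exactly the guest-to-internal bridge described above
    if listen_ip.is_loopback or _in_any(rule["listen_addr"], CORPORATE_SUBNETS):
        return None                                # reachable only from the host or the wired side
    return "unexpected-listener-to-corporate"      # some other interface; review


def find_bridges(text: str) -> List[dict]:
    """Parse netsh output and return only the rules that warrant an alert."""
    findings = []
    for rule in parse_portproxy(text):
        kind = classify(rule)
        if kind:
            findings.append({"finding": kind, **rule})
    return findings


if __name__ == "__main__":
    for f in find_bridges(SAMPLE_NETSH_OUTPUT):
        print(f"{f['finding']}: {f['listen_addr']}:{f['listen_port']} -> {f['connect_addr']}:{f['connect_port']}")
```

Treating a wildcard listener as seriously as a guest-subnet listener is deliberate: a rule bound to 0.0.0.0 on a dual-homed host is reachable from the wireless side even though nothing in the rule names the guest network, which is the kind of bridge the recommendation to "monitor for unexpected wireless bridges between networks" is meant to catch.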

Why This Attack Matters

This incident exposes a fundamental reality about wireless security that many organizations still need to grasp fully: firewalls and IDS/IPS are insufficient. A network is exposed to the vulnerabilities of all the devices within its wireless airspace, whether or not the organization controls those assets. While companies have invested heavily in securing their internet-facing assets against outside attacks – in this case, credentials and MFA security – attackers can trivially take control of any nearby wireless antenna to exploit the wireless vulnerabilities inside a protected network. GruesomeLarch managed to breach the networks of several organizations surrounding its target and launched different attacks against the target’s vulnerable wireless system.

This attack highlights a considerable security gap existing security controls struggle to bridge: attackers can leverage Wi-Fi and Bluetooth vulnerabilities affecting billions of devices globally to target hundreds of exposed and un-agentable IoT and wireless networking devices within a facility, compromising the organization’s security.

The Wireless Security Gap

Traditional security tools and practices have a massive blind spot when it comes to wireless threats:

  • Perimeter firewalls and IDS/IPS can’t prevent attacks originating from within the network.
  • Network monitoring tools typically see only devices connected to corporate networks, not those in the airspace, poised to attack.
  • Endpoint protection often won’t detect nearby unauthorized wireless devices and can’t protect the hundreds of un-agentable IoT and networking devices inside a protected network.
  • Physical security can’t stop radio signals from reaching neighboring buildings.
  • Wi-Fi security tools focus solely on Wi-Fi, missing other wireless protocols that attackers could exploit.

How Bastille Could Have Prevented This Attack

Bastille’s Wireless Airspace Defense platform uniquely positions itself to detect and prevent these sophisticated wireless attacks through:

  • Complete Wireless Visibility:
    • Continuously monitors protocols across the radio frequency spectrum commonly used for corporate wireless communications, between 100 MHz and 6 GHz
    • Detects ALL wireless devices and connections in the surrounding airspace in a 5000 sq. ft. radius per sensor, not just those devices on corporate networks
    • Alerts to any anomalous wireless connection within the airspace
    • Provides visibility into Bluetooth, cellular, and other protocols beyond just Wi-Fi
  • Precise Physical Location Tracking:
    • Locates any transmitting device within 1-3 meter accuracy
    • Identifies wireless devices operating outside the authorized facility attempting to connect to network infrastructure
    • Maps wireless activity to physical spaces for contextual threat analysis and integrates into existing SIEM, XDR, and other tools for centralized reporting
  • Advanced Threat Detection:
    • Identifies new and unauthorized connections and other anomalous behavior
    • Alerts on suspicious device locations and connections
  • Real-Time Response:
    • Immediately alerts on wireless policy violations
    • Integrates with Wi-Fi controller to deny network access to unauthorized devices
    • Captures forensic data for incident investigation
    • Provides continuous monitoring to prevent attack recurrence

Critical Recommendations

This recent attack demonstrates that wireless security requires a fundamental shift in approach. Organizations should:

  • Implement continuous monitoring of ALL wireless activity in their airspace
  • Consider physical proximity when assessing wireless security risks
  • Deploy solutions capable of detecting and locating unauthorized wireless activity
  • Treat wireless networks with the same security rigor as other remote access methods
  • Properly segment guest wireless networks from corporate resources
  • Monitor for unexpected wireless bridges between networks
  • Deploy solutions that can detect ALL wireless protocols, not just Wi-Fi

The Next Evolution of Zero Trust

As organizations increasingly adopt Zero-Trust architectures to enhance their security posture, expanding their focus beyond traditional network perimeters becomes critical. A Zero-Trust approach cannot be fully effective if it overlooks the invisible and often unmonitored wireless landscape, which includes everything from Wi-Fi to Bluetooth, cellular, and other RF protocols. These wireless channels can be potential vectors for unauthorized access, data exfiltration, or lateral movement.

Bastille addresses this significant blind spot by delivering comprehensive, 100% passive visibility into the entire wireless spectrum within an organization’s airspace. Its solution identifies and monitors every wireless device and connection – visible or hidden, authorized or unauthorized. This unparalleled capability enables organizations to detect and prevent potential wireless threats in real time. It also ensures compliance with Zero-Trust principles by securing all possible attack surfaces, including those beyond traditional wired and endpoint defenses.

By integrating Bastille’s technology, organizations gain the ability to enforce Zero-Trust policies within the wireless realm, ensuring a consistent and robust security framework that aligns with their overall cybersecurity strategy.