December 9, 2024

FBI and NSA warn of three new wireless attack vectors already exploited in the wild

In a joint cybersecurity advisory released October 10th, 2024, the FBI, NSA, UK NCSC, and other Western intelligence agencies warned that Russia’s Foreign Intelligence Service (SVR) continues to successfully breach private sector and government networks worldwide using a combination of traditional network attacks and concerning new wireless intrusion techniques.

The Wireless Vulnerabilities

The advisory highlights 24 specific vulnerabilities that network defenders should remediate to protect themselves against active exploitation from SVR (also known as APT-29, Midnight Blizzard, and Cozy Bear). While many of the highlighted CVEs target traditional network infrastructure like Microsoft Exchange Server and Apache, three vulnerabilities specifically enable wireless attacks that can compromise devices without requiring direct network access:

1. The agencies highlight CVE-2023-24023, a vulnerability in Bluetooth pairing that allows attackers within wireless range to conduct man-in-the-middle attacks, downgrade encryption, and potentially intercept or inject communications between Bluetooth devices.

2. The alert also suggests the SVR is exploiting CVE-2023-45866, a vulnerability that lets attackers within proximity of Bluetooth keyboards inject keystrokes and execute arbitrary commands on the connected computer – essentially giving them remote control of the machine through its wireless peripherals.

3. Third, and perhaps most concerning, is CVE-2023-40088, which enables remote code execution on Android devices through a “proximal/adjacent” Bluetooth attack without requiring any user interaction. This vulnerability means attackers only need to launch attacks from wireless transmitting devices within range of their target, not necessarily connected to the target’s network.

Attacker Strategy

The intelligence agencies note that SVR hackers are performing both targeted and opportunistic compromises of organizations, combining traditional tactics such as password spraying, supply chain compromise, and cloud account takeover with newer wireless techniques. This hybrid approach lets them breach networks through conventional means and also exploit wireless devices. Most concerning is how threat actors could hybridize these attacks: all of APT-29’s other profiled tactics are remote. As another Russian state-affiliated actor, APT-28, has shown with its Nearest Neighbor Attack, attackers thousands of miles away and outside an organization’s network security perimeter can remotely control the devices that launch wireless attacks. Investigators found that APT-28 remotely compromised the networks of nearby buildings and then launched wireless attacks from devices on those neighboring networks. The alert does not specify that this is what APT-29 is doing. However, a joint cybersecurity advisory telling organizations around the globe to patch three separate proximal/adjacent wireless attack vectors suggests APT-29 can exploit these wireless attacks at scale.

“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said Dave Luber, NSA’s Cybersecurity Director. The advisory states that SVR has “consistently targeted US, European, and global entities in the defense, technology, and finance sectors.”

The agencies strongly recommend organizations patch these vulnerabilities immediately, implement multi-factor authentication wherever possible, audit cloud accounts regularly, and, notably, “baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.” This recommendation suggests organizations need better visibility into what wireless devices are actually present in their facilities, not just what’s officially connected to their networks.
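One way to act on the “baseline authorized devices” recommendation for the wireless airspace is to keep an inventory of approved devices and compare each scan against it. The following Python is an added example written for this article; it is not code from the advisory, the agencies, or Bastille. Every address, name and scan record in it is constructed, and the rule names (`baseline_mismatch`, `name_collision`, `unknown_hid`, `unknown_nearby`, `unknown_distant`) and the `-70 dBm` proximity threshold are assumptions chosen for illustration. The `unknown_hid` rule gives keyboard-class devices extra scrutiny because the keystroke-injection vulnerability above concerns Bluetooth keyboards.

```python
"""Compare a wireless scan against a baseline of authorized devices.

Added example for the advisory's "baseline authorized devices" guidance.
All device addresses, names and scan records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    address: str       # Bluetooth device address as reported by a scanner
    name: str          # advertised device name
    device_class: str  # coarse class: "keyboard", "headset", "phone", ...
    rssi: int          # signal strength in dBm (higher means closer)


# Constructed baseline: devices the organization has reviewed and authorized.
AUTHORIZED: Dict[str, dict] = {
    "AA:BB:CC:00:00:01": {"name": "conf-room-kbd", "device_class": "keyboard"},
    "AA:BB:CC:00:00:02": {"name": "frontdesk-headset", "device_class": "headset"},
}

# Constructed scan: what a sensor in the lobby saw during one sweep.
SCAN: List[Observation] = [
    Observation("AA:BB:CC:00:00:01", "conf-room-kbd", "keyboard", -48),
    Observation("AA:BB:CC:00:00:02", "frontdesk-headset", "headset", -60),
    # Unknown address advertising a name that belongs to a baseline device.
    Observation("DE:AD:BE:EF:00:10", "conf-room-kbd", "keyboard", -40),
    # Unknown phone, weak signal: probably passing traffic outside the building.
    Observation("DE:AD:BE:EF:00:11", "Unknown", "phone", -85),
]


def evaluate(scan: List[Observation], baseline: Dict[str, dict],
             near_dbm: int = -70) -> List[dict]:
    """Return one finding per observation that deviates from the baseline.

    Devices in the baseline produce a finding only if their advertised name
    or class no longer matches. Unknown devices are classified by how much
    scrutiny they deserve: a baseline name on a foreign address, a keyboard
    (HID) class device, a strong (nearby) signal, or a weak (distant) one.
    """
    findings: List[dict] = []
    names_in_baseline = {v["name"]: addr for addr, v in baseline.items()}

    for obs in scan:
        if obs.address in baseline:
            expected = baseline[obs.address]
            if (obs.name != expected["name"]
                    or obs.device_class != expected["device_class"]):
                findings.append({
                    "address": obs.address, "rule": "baseline_mismatch",
                    "detail": f"expected {expected}, saw name={obs.name!r} "
                              f"class={obs.device_class!r}",
                })
            continue

        if obs.name in names_in_baseline:
            rule = "name_collision"
            detail = (f"advertises baseline name {obs.name!r} owned by "
                      f"{names_in_baseline[obs.name]}")
        elif obs.device_class == "keyboard":
            rule = "unknown_hid"
            detail = "unauthorized keyboard-class device in range"
        elif obs.rssi >= near_dbm:
            rule = "unknown_nearby"
            detail = f"unauthorized device at {obs.rssi} dBm (inside facility?)"
        else:
            rule = "unknown_distant"
            detail = f"unauthorized device at {obs.rssi} dBm (likely outside)"
        findings.append({"address": obs.address, "rule": rule, "detail": detail})

    return findings


if __name__ == "__main__":
    for finding in evaluate(SCAN, AUTHORIZED):
        print(f"{finding['rule']:<18} {finding['address']}  {finding['detail']}")
```

Running the block against the constructed scan reports a `name_collision` for the foreign address that reuses the conference-room keyboard’s name and an `unknown_distant` entry for the weak phone signal; the two baseline devices produce nothing. In practice the scan list would be fed from whatever sensor or scanner the organization already operates, and the baseline would be reviewed whenever a finding is accepted as legitimate.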

Why Wireless Airspace Defence

In the alert, the authoring agencies “recommend testing your existing security controls to assess how they perform against the techniques described in this advisory,” three of which are wireless attack techniques. 

Intelligence agencies have recently started highlighting other Russian hacking groups exploiting wireless vulnerabilities. In June 2024, the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services released a cyber advisory on the Qilin Ransomware Group, which listed MITRE ATT&CK “T1011.001 – Exfiltration Over Other Network” as one of its tactics. Cybersecurity firm Volexity reported on the Nearest Neighbor Attack mentioned above in November 2024.

How To Protect Your Wireless Airspace

Organizations should review the full advisory for a complete list of vulnerabilities and detailed mitigation guidance. The key takeaway is that network defenders can no longer focus solely on protecting network perimeters – they must also actively monitor and secure the wireless airspace around their facilities, as sophisticated adversaries are increasingly exploiting these invisible attack vectors.

Contact Bastille today to learn how your organization can protect against these and other wireless vulnerabilities.

NSA Issues Updated Guidance on Russian SVR Cyber Operations (National Security Agency/Central Security Service press release)
Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace (Bastille)
Joint cybersecurity advisory: https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF
