This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cybersecurity tool.
For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email us at cti@elemendar.com. Previous Threat Intelligence Updates can be found HERE.
A glossary for terms used in our reporting is available HERE.
Contents
The Nearest Neighbor Attack: New Attack Vector for Russian APT
Ghost Tap Attack Exploits NFC Mobile Payments for Financial Theft
Alleged Cyberattack Disrupts UK Hospital Operations
Executive Summary
The Nearest Neighbor Attack: New Attack Vector for Russian APT
In November 2024 cybersecurity company Volexity detailed APT28’s "Nearest Neighbor Attack" (NNA), where the Russian GRU-linked group exploited corporate Wi-Fi remotely by compromising nearby organisations’ dual-homed devices. Using stolen credentials and tools like GooseEgg, APT28 accessed sensitive Ukraine-related data, highlighting their innovation in leveraging novel attack vectors for geopolitical objectives.
APT28’s attack showcases state-sponsored ingenuity, exploiting novel vectors for geopolitical goals, likely aiding Russia’s 2022 Ukraine invasion. While targeting specific sectors, broader use remains possible via underground forums.
Ghost Tap Attack Exploits NFC Mobile Payments for Financial Theft
Alleged Cyberattack Disrupts UK Hospital Operations
The Nearest Neighbor Attack: New Attack Vector for Russian APT
A report released in November 2024 by cybersecurity company Volexity details a new attack vector used by APT28, dubbed the “Nearest Neighbor Attack” (NNA). The attack was first witnessed in February 2022 and targeted an organisation in Washington DC involved in Ukraine-related projects. The NNA enables remote exploitation of a corporate Wi-Fi network over long distances. In this case, APT28 is believed to have gained remote access to an espionage target's Wi-Fi by commandeering a laptop located in a neighbouring building.
Elemendar CTI Analyst comment: APT28 (aka Fancy Bear, Forest Blizzard, and GruesomeLarch), a Russian GRU-linked hacking group, is notorious for high-profile cyberattacks, including the 2016 DNC breach, Germany's Bundestag hack, NotPetya's global disruption, Olympic Destroyer malware, and ongoing espionage against NATO, Ukraine, and Western institutions. It uses TTPs such as router exploits and phishing, with the alleged intent of undermining geopolitical stability, harvesting sensitive data, and supporting Russian strategic objectives. Comment Ends.
The attack began with a password-spraying campaign on the victim’s public-facing services to obtain valid credentials. Multi-factor authentication (MFA) prevented these credentials from being used online, but the enterprise Wi-Fi network only required a valid username and password for access, creating an exploitable gap. APT28 exploited this weakness but faced the challenge of being geographically distant from the target network.
To overcome this, the attackers breached nearby organisations within Wi-Fi range of the target. By compromising dual-homed devices (those with both Ethernet and Wi-Fi capabilities) in these organisations, APT28 gained access to the target’s enterprise Wi-Fi. Once connected, they authenticated using the stolen credentials and moved laterally through the victim’s network.
This daisy-chaining approach allowed the attackers to bypass physical proximity requirements traditionally associated with Wi-Fi breaches, effectively creating a remote close-access operation. Using tools like PowerShell and native Windows utilities, APT28 minimised their digital footprint while exfiltrating sensitive data.
Fig.1: NNA overview (source: Volexity)
Elemendar CTI Analyst comment: APT28 is believed to have used their access to the network to exfiltrate valuable information, targeting individuals involved in Ukraine-related projects. Comment Ends.
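The credential gap described above (MFA enforced on the public-facing services, but username and password alone sufficient for the enterprise Wi-Fi) can be caught by correlating the two log sources. The following is an added example and not code from the report or from Volexity; it assumes constructed log lines in the key=value shape shown, with "web" records for the public service and "wifi" records for the RADIUS/802.1X decision, and it alerts when a username that was hit by a password spray later receives a Wi-Fi ACCEPT within 24 hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report). Two sources are merged:
#   web  - authentication attempts against a public-facing service (MFA-protected)
#   wifi - 802.1X/RADIUS decisions for the enterprise Wi-Fi (no MFA)
SAMPLE_LOGS = """\
2022-02-03T01:14:02Z web src=203.0.113.7 user=alice result=FAIL
2022-02-03T01:14:03Z web src=203.0.113.7 user=bob result=FAIL
2022-02-03T01:14:04Z web src=203.0.113.7 user=carol result=FAIL
2022-02-03T01:14:05Z web src=203.0.113.7 user=dave result=FAIL
2022-02-03T01:14:06Z web src=203.0.113.7 user=erin result=FAIL
2022-02-03T01:14:07Z web src=203.0.113.7 user=frank result=FAIL
2022-02-03T01:14:08Z web src=203.0.113.7 user=grace result=OK_MFA_REQUIRED
2022-02-03T09:30:11Z wifi nas=ap-floor3 user=grace result=ACCEPT
2022-02-03T09:40:00Z wifi nas=ap-floor3 user=helen result=ACCEPT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src_type>web|wifi) (?P<kv>.*)$")


def parse(text):
    """Turn the constructed key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m["kv"].split())
        kv["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        kv["type"] = m["src_type"]
        events.append(kv)
    return events


def find_sprayed_users(events, min_users=5):
    """Map username -> time of the last attempt against it, for every source IP
    that tried at least `min_users` distinct usernames (a password-spray signature:
    many users, few passwords, one source)."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "web":
            by_src[e["src"]].append(e)
    sprayed = {}
    for evs in by_src.values():
        if len({e["user"] for e in evs}) >= min_users:
            for e in evs:
                sprayed[e["user"]] = max(sprayed.get(e["user"], e["ts"]), e["ts"])
    return sprayed


def wifi_logins_after_spray(events, window=timedelta(hours=24)):
    """Alert condition: a sprayed username gets a Wi-Fi ACCEPT within `window`.
    MFA would have stopped the same credentials on the public service, so this
    is the path the report describes being used."""
    sprayed = find_sprayed_users(events)
    alerts = []
    for e in events:
        if e["type"] == "wifi" and e["result"] == "ACCEPT" and e["user"] in sprayed:
            if timedelta(0) <= e["ts"] - sprayed[e["user"]] <= window:
                alerts.append((e["user"], e["nas"], e["ts"].isoformat()))
    return alerts
```

With the constructed data only "grace" is alerted: she was part of the spray and then authenticated to an access point eight hours later, while "helen" never appeared in the spray.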
During the breach investigation, Volexity observed the following malicious activities and tools:
GooseEgg: A post-compromise tool used to escalate privileges and execute commands with SYSTEM-level access. GooseEgg exploited the CVE-2022-38028 Windows Print Spooler vulnerability, enabling attackers to deliver payloads, such as malicious DLLs, and escalate privileges.
Living-off-the-land techniques: APT28 relied on native tools like Cipher.exe for anti-forensic file deletion, VSSAdmin for creating volume shadow copies, and NetBIOS queries for network reconnaissance. These methods avoided deploying custom malware, reducing detection risks.
Data exfiltration: Registry hives and other sensitive files were compressed and staged for extraction. In some cases, data was uploaded to compromised public-facing web servers for external download.
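The living-off-the-land activity listed above (Cipher.exe wiping, VSSAdmin shadow copies, NetBIOS lookups) is visible in process-creation telemetry, but each binary has legitimate uses, so a single match is noisy. The following is an added example, not code from the report or from Volexity; it assumes constructed process-creation records in the shape of fields exported from Sysmon Event ID 1 or Security Event 4688, matches on the specific argument patterns rather than the image name alone, and escalates only when two or more distinct techniques come from the same host and user.

```python
from collections import defaultdict

# Constructed process-creation records (not data from the Volexity report).
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "CORP\\svc-print", "cmd": "cipher.exe /w:C:\\Users\\Public"},
    {"host": "WS-17", "user": "CORP\\svc-print", "cmd": "vssadmin.exe create shadow /for=C:"},
    {"host": "WS-17", "user": "CORP\\svc-print", "cmd": "C:\\Windows\\System32\\nbtstat.exe -A 10.10.4.20"},
    {"host": "WS-22", "user": "CORP\\backupadm", "cmd": "vssadmin.exe list shadows"},
    {"host": "WS-09", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\notes.txt"},
]

# (ATT&CK id from the Annex B table where one applies, label, image name,
#  predicate over the argument tokens). Each rule targets the usage the report
#  describes, not the binary as such.
RULES = [
    ("T1070.004", "cipher.exe free-space wipe (anti-forensic deletion)", "cipher.exe",
     lambda args: any(a.lower().startswith("/w:") for a in args)),
    ("-", "vssadmin shadow copy creation (hive staging)", "vssadmin.exe",
     lambda args: [a.lower() for a in args[:2]] == ["create", "shadow"]),
    ("T1018", "nbtstat NetBIOS lookup of a remote host", "nbtstat.exe",
     lambda args: "-A" in args or "-a" in args),
]


def match_rules(event):
    """Return the (id, label) pairs whose image and argument pattern match."""
    toks = event["cmd"].split()
    if not toks:
        return []
    image = toks[0].rsplit("\\", 1)[-1].lower()  # drop any directory prefix
    return [(tid, label) for tid, label, name, pred in RULES
            if image == name and pred(toks[1:])]


def triage(events, min_distinct=2):
    """Group matches per (host, user). One rule alone is a weak signal, since
    backup admins run vssadmin legitimately; two or more distinct LotL rules
    from the same principal in one batch is what gets escalated."""
    hits = defaultdict(set)
    for e in events:
        for tid, label in match_rules(e):
            hits[(e["host"], e["user"])].add(f"{tid} {label}")
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_distinct}
```

On the constructed batch only WS-17 / svc-print is escalated (all three rules fired); the backup admin listing shadows and the notepad launch produce no hits.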
Elemendar CTI Analyst comment: Initial attribution was challenging due to APT28's reliance on standard tools and methods. However, Microsoft later confirmed overlaps between Volexity’s findings and its own research on GooseEgg and CVE-2022-38028. This confirmed APT28 as the perpetrator. Comment Ends.
Elemendar Intelligence Assessment: This attack by APT28 demonstrates the capability and ingenuity of state-sponsored threat actors and highlights their growing expertise in exploiting novel attack surfaces.
The delay in releasing the report from Volexity is most likely due to security concerns surrounding where the information was harvested from. The data obtained likely served Russia's geopolitical interests in the lead-up to its 2022 invasion of Ukraine and is likely to have been used to understand Ukraine's capability and conduct influence operations prior to the invasion.
In this instance, the attack was aimed at either a government department or a think tank. The method could be applied to other verticals, although this is unlikely at present. Looking forward, there is a remote possibility that this technique could be made available through underground forums, in which case attacks using this vector could be observed targeting all enterprises. Assessment Ends.
Ghost Tap Attack Exploits NFC Mobile Payments for Financial Theft
Ghost Tap represents a new and sophisticated cash-out technique that threat actors use to exploit stolen credit card details linked to mobile payment systems like Apple Pay and Google Pay. Leveraging relayed Near Field Communication (NFC) traffic, this TTP enables cybercriminals to scale their operations while maintaining anonymity, posing significant challenges to financial institutions and retailers.
The attack begins with cybercriminals stealing payment card details and intercepting one-time passwords (OTPs) required for virtual wallet enrollment. These details are acquired through various methods:
Mobile Malware: Banking trojans with overlay or keylogging capabilities steal card details and intercept OTPs from SMS or push notifications.
Phishing Websites: Victims unknowingly submit their card details and OTPs on fake payment portals.
Once the card is linked to a mobile payment service, threat actors use the NFCGate tool to relay NFC traffic. This technique involves setting up a relay server to transmit payment data to money mules worldwide. These mules, equipped with NFC-enabled devices, conduct point-of-sale (POS) transactions at offline retailers. The attackers avoid ATM withdrawals, focusing instead on retail purchases, which are harder to trace.
Fig.2: Overview of the Ghost Tap tactic (Source: Threat Fabric)
Ghost Tap builds on earlier malware like NGate but introduces several advancements:
Geographical Obfuscation: Transactions occur across multiple locations, making it challenging to trace fraudsters.
Scalability: Multiple mules operate simultaneously, facilitating large-scale fraud.
Enhanced Anonymity: Cybercriminals use "airplane mode" to obscure the location of devices, complicating detection efforts.
This method allows cybercriminals to remain geographically distant from the crime scene while conducting fraudulent transactions efficiently and anonymously.
Ghost Tap's ability to mimic legitimate transactions makes it difficult for traditional anti-fraud mechanisms to detect. Common challenges include:
Legitimate Appearance: Transactions appear to originate from a single device, despite being relayed to multiple mules.
Small Payments: Fraudsters conduct numerous small transactions to avoid triggering detection thresholds.
Latency and Location Gaps: The physical absence of the cardholder’s device at POS terminals and the geographic disparity between transactions are difficult to detect without advanced monitoring systems.
To combat Ghost Tap, financial institutions should flag geographically improbable transactions (e.g., within minutes in New York and Cyprus), monitor device anomalies such as new card linkages paired with malware, detect NFC latency indicating potential relays, and encourage consumers to monitor bank statements and report suspicious activity promptly to minimise losses.
Elemendar Intelligence Assessment: Ghost Tap highlights the exploitation of legitimate tools like NFCGate, initially designed for research purposes, and the transformation of academic research into practical fraud schemes. As security measures advance, threat actors continuously adapt by leveraging legitimate tools for malicious purposes, rendering traditional defence mechanisms increasingly insufficient to address the evolving threat landscape.
The increasing sophistication of NFC-based attacks underscores the growing interest of cybercriminals in exploiting mobile payment technologies. Cybercriminals increasingly exploit POS systems through sophisticated TTPs such as the use of relay servers and networks of mules, enabling rapid scaling of operations across multiple geographic locations to evade detection. Techniques like NFC relay systems provide operational anonymity, distancing attackers from the fraud and implicating intermediaries instead. These exploits result in significant financial losses for businesses and consumers while damaging the reputation of impacted institutions, eroding customer trust.
This attack vector represents an ongoing threat to multiple sectors, including retail and e-commerce and is almost certain to continue. Assessment Ends.
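Two of the controls recommended above, flagging geographically improbable transactions and catching runs of small payments that stay under per-transaction thresholds, as an added example that is not code from the report or from ThreatFabric. It assumes constructed card-present transactions for one tokenised card with merchant coordinates, and flags consecutive transactions implying travel faster than 1,000 km/h as well as four or more payments of 25 or less inside any ten-minute window.

```python
import math
from datetime import datetime, timedelta

# Constructed card-present (NFC) transactions for one tokenised card, built to
# show the "New York and Cyprus within minutes" pattern followed by a burst of
# small payments. Not real data.
TXNS = [
    # (timestamp, merchant city, lat, lon, amount)
    ("2024-11-20T14:00:00", "New York", 40.7128, -74.0060, 18.50),
    ("2024-11-20T14:06:00", "Limassol", 34.7071, 33.0226, 22.00),
    ("2024-11-20T14:07:30", "Limassol", 34.7071, 33.0226, 19.90),
    ("2024-11-20T14:09:10", "Limassol", 34.7071, 33.0226, 24.00),
    ("2024-11-20T14:10:05", "Limassol", 34.7071, 33.0226, 21.50),
    ("2024-11-21T09:00:00", "New York", 40.7128, -74.0060, 45.00),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(txns, max_kmh=1000.0):
    """Flag consecutive card-present transactions whose spacing would require
    the physical phone to move faster than max_kmh: a relayed tap looks like
    the card being in two cities at once."""
    flags = []
    parsed = sorted((datetime.fromisoformat(t[0]),) + t[1:] for t in txns)
    for prev, cur in zip(parsed, parsed[1:]):
        hours = (cur[0] - prev[0]).total_seconds() / 3600
        km = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if hours > 0 and km / hours > max_kmh:
            flags.append((prev[1], cur[1], round(km), round(km / hours)))
    return flags


def small_payment_burst(txns, max_amount=25.0, window=timedelta(minutes=10), min_count=4):
    """Flag any sliding window holding >= min_count payments at or below
    max_amount: the 'many small transactions' pattern used to stay under
    per-transaction fraud limits. Overlapping windows are each reported."""
    times = sorted(datetime.fromisoformat(t[0]) for t in txns if t[4] <= max_amount)
    bursts, j = [], 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= min_count:
            bursts.append((start.isoformat(), j - i))
    return bursts
```

On the constructed data the New York to Limassol pair (roughly 8,800 km in six minutes) is the only impossible-travel hit, and the five payments between 14:00 and 14:10 trigger the burst rule; the next-day return to New York is slow enough to pass.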
Alleged Cyberattack Disrupts UK Hospital Operations
An alleged cyberattack has forced the Wirral University Teaching Hospital NHS Trust to declare a "major incident," cancelling all outpatient appointments and disrupting critical services across Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children's Hospital.
The Trust experienced a severe IT outage starting Monday, rendering key systems inaccessible and forcing staff to operate manually. Internal communications described "huge damage," with no access to patient records, test results, or scheduling systems leading to a decrease in operations across the trust.
Elemendar CTI Analyst comment: There has been no confirmation of the type of malware or the threat actor responsible for the recent incident at Wirral University Teaching Hospitals Trust. However, if it is confirmed as a cyberattack, it would join a series of significant breaches targeting the healthcare sector in 2024. Notable incidents include the Synnovis ransomware attack, which disrupted London’s pathology services for five months, leading to widespread appointment cancellations and critical blood shortages, and the INC Ransom attack on NHS Scotland, which exposed 3TB of sensitive data. The healthcare sector remains a prime target for cybercriminals. In 2022, global cyberattacks on healthcare organisations rose by 74%, making it the third most attacked industry globally and the second in the United States. The NHS has faced repeated cyber threats, including the infamous 2017 WannaCry ransomware attack, which disrupted healthcare services nationwide. Furthermore, a report by the Office of the Director of National Intelligence (DNI) highlighted a near doubling of ransomware attacks on healthcare globally in 2023, with 389 claimed victims compared to 214 in 2022. Comment Ends.
Elemendar Intelligence Assessment: Threat actors view the NHS and the wider healthcare sector as a lucrative target due to its reliance on interconnected IT systems, high-value data, and its critical public service role, making it highly vulnerable to disruption. Ransomware groups and state-sponsored actors often exploit these factors for financial gain, data theft, or geopolitical leverage. The reliance on digital tools for care delivery further exacerbates the impact of IT disruptions, directly jeopardising patient safety. Given the increasing number of reported attacks, this trend is almost certain not to change and as such, presents an ongoing threat. Assessment Ends.
Annex A: References
The Nearest Neighbor Attack: New Attack Vector for Russian APT
https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/
https://www.radware.com/cyberpedia/ddos-attacks/fancy-bear-apt28-threat-actor/#TheHistoryofFancyBear
Ghost Tap Attack Exploits NFC Mobile Payments for Financial Theft
https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
Alleged Cyberattack Disrupts UK Hospital Operations
https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/
Annex B: STIX Entities
The Nearest Neighbor Attack: New Attack Vector for Russian APT
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation | Exploiting Elevation Mechanisms | Misusing system control mechanisms (e.g., sudo, UAC) to escalate privileges. | Security logs: Unusual sudo commands or User Account Control (UAC) events. |
T1056 | Input Capture | Credential Access | Capturing Input | Captures user input, such as keystrokes, to steal credentials or sensitive information. | System logs: Keylogging tools or unauthorized input capture software. |
T1078 | Valid Accounts | Defence Evasion/Initial Access | Using Compromised Accounts | Leveraging valid accounts to evade detection or gain access to a target environment. | Authentication logs: Login attempts from unusual locations or compromised accounts. |
T1556 | Modify Authentication Process | Credential Access | Authentication Process Modification | Modifies authentication mechanisms to bypass normal credential checks. | Authentication logs: Unexpected changes to authentication settings. |
T1021.006 | Windows Remote Management | Lateral Movement | Remote Management Execution | Uses Windows Remote Management (WinRM) for lateral movement within a network. | Event logs: WinRM-related activity on endpoints where it is typically disabled. |
T1070.004 | File Deletion | Defence Evasion | Deleting Files to Remove Evidence | Deletes files to hide malicious activity and avoid forensic investigation. | File system logs: Unexpected deletion of critical files. |
T1600.001 | Reduce Key Space | Defence Evasion | Weakening Cryptographic Keys | Reduces the key space used in encryption to make it more susceptible to brute-force attacks. | Encryption logs: Use of weak or shortened cryptographic keys. |
T1590.005 | IP Addresses | Reconnaissance | Identifying IP Address Ranges | Collects information on IP ranges for potential targets. | Network logs: Queries to public IP registries or scanning activity. |
T1590.006 | Network Security Appliances | Reconnaissance | Identifying Security Devices | Identifies network security devices such as firewalls and intrusion detection/prevention systems. | Network logs: Access attempts to device management interfaces or reconnaissance scans. |
T1498 | Network Denial of Service | Impact | Disrupting Network Services | Conducts denial-of-service attacks to disrupt network availability. | Network traffic logs: High-volume traffic targeting specific services or ports. |
T1018 | Remote System Discovery | Discovery | Enumerating Remote Systems | Discovers remote systems and services on the network. | Network traffic logs: Scanning activity or unauthorized access attempts. |
T1110.001 | Password Guessing | Credential Access | Brute-Forcing Passwords | Attempts to gain access through repeated guessing of passwords. | Authentication logs: Multiple failed login attempts followed by a successful login. |
T1098 | Account Manipulation | Persistence | Creating or Modifying Accounts | Adds or alters accounts to maintain persistent access. | Account management logs: Unexpected account creation or changes to existing accounts. |
T1133 | External Remote Services | Initial Access | Using Remote Access Services | Exploits external remote services like VPNs or RDP for initial access. | VPN logs: Access attempts from unfamiliar IPs or unusual times. |
T1586.003 | Cloud Accounts | Resource Development | Using Cloud Accounts for Operations | Creates or compromises cloud accounts to facilitate malicious operations. | Cloud provider logs: Unusual cloud account activity or new account creation. |
T1556.001 | Domain Controller Authentication | Credential Access | Manipulating Domain Authentication | Forges Kerberos tickets or modifies domain controller authentication processes. | Domain logs: Kerberos ticket anomalies or failed domain authentication attempts. |
T1016.002 | Wi-Fi Discovery | Discovery | Scanning Wi-Fi Networks | Identifies Wi-Fi networks for further exploitation or reconnaissance. | Network logs: Unusual Wi-Fi probe requests or scans. |
T1043 | Commonly Used Port | Command and Control | Using Standard Ports for Communication | Hides malicious traffic by using ports commonly associated with legitimate services (e.g., HTTP). | Network logs: Suspicious traffic on ports 80, 443, or other common ports. |
T1070 | Indicator Removal | Defence Evasion | Removing Forensic Indicators | Deletes artifacts like logs and files to remove evidence of compromise. | Log management: Unexpected gaps or deletions in security logs. |
T1562 | Impair Defences | Defence Evasion | Disabling Security Tools | Disables or modifies security tools and configurations to evade detection. | Endpoint logs: Sudden deactivation of antivirus or other security software. |
Ghost Tap Attack Exploits NFC Mobile Payments for Financial Theft
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1587.001 | Malware | Resource Development | Development or Procurement of Malware | Adversaries create or acquire malware to execute malicious campaigns and operations. | Threat intelligence logs: Indicators of known malware variants or tools being downloaded or shared. |
T1562.011 | Spoof Security Alerting | Defence Evasion | Falsification of Security Alerts | Adversaries spoof or generate misleading security alerts to cause confusion or evade detection. | Security tool logs: Changes to alert configurations or unexpected custom alert messages. |
Probability Language
This document uses probability language based on assessment. Further information can be found in the image below:
Feedback
We welcome your feedback; it helps ensure we meet your needs.
Please contact our CTI Director at CTI@elemendar.ai
Acknowledgements
Authored by Paul Montgomery, CTI Director Elemendar