Whereas stalking its goal, GruesomeLarch carried out credential-stuffing assaults that compromised the passwords of a number of accounts on an online service platform utilized by the group’s staff. Two-factor authentication enforced on the platform, nonetheless, prevented the attackers from compromising the accounts.
So GruesomeLarch discovered gadgets in bodily adjoining places, compromised them, and used them to probe the goal’s Wi-Fi community. It turned out credentials for the compromised internet providers accounts additionally labored for accounts on the Wi-Fi community, solely no 2FA was required.
Including additional flourish, the attackers hacked one of many neighboring Wi-Fi-enabled gadgets by exploiting what in early 2022 was a zero-day vulnerability within the Microsoft Home windows Print Spooler.
The 2022 hack demonstrates how a single defective assumption can undo an in any other case efficient protection. For no matter motive—probably an assumption that 2FA on the Wi-Fi community was pointless as a result of assaults required shut proximity—the goal deployed 2FA on the Web-connecting internet providers platform (Adair isn’t saying what sort) however not on the Wi-Fi community. That one oversight in the end torpedoed a strong safety apply.
Superior persistent risk teams like GruesomeLarch—part of the a lot bigger GRU APT with names together with Fancy Bear, APT28, Forrest Blizzard, and Sofacy—excel to find and exploiting these types of oversights.
Volexity’s post describing the 2022 assault gives loads of technical particulars in regards to the compromise on the numerous hyperlinks on this subtle daisy-chain assault movement. There’s additionally helpful recommendation for safeguarding networks in opposition to these types of compromises.
