Whereas stalking its goal, GruesomeLarch carried out credential-stuffing assaults that compromised the passwords of a number of accounts on an online service platform utilized by the group’s workers. Two-factor authentication enforced on the platform, nonetheless, prevented the attackers from compromising the accounts.
So GruesomeLarch discovered gadgets in bodily adjoining places, compromised them, and used them to probe the goal’s Wi-Fi community. It turned out credentials for the compromised internet providers accounts additionally labored for accounts on the Wi-Fi community, solely no 2FA was required.
Including additional flourish, the attackers hacked one of many neighboring Wi-Fi-enabled gadgets by exploiting what in early 2022 was a zero-day vulnerability within the Microsoft Home windows Print Spooler.
The 2022 hack demonstrates how a single defective assumption can undo an in any other case efficient protection. For no matter motive—seemingly an assumption that 2FA on the Wi-Fi community was pointless as a result of assaults required shut proximity—the goal deployed 2FA on the Web-connecting internet providers platform (Adair isn’t saying what sort) however not on the Wi-Fi community. That one oversight in the end torpedoed a strong safety apply.
Superior persistent menace teams like GruesomeLarch—part of the a lot bigger GRU APT with names together with Fancy Bear, APT28, Forrest Blizzard, and Sofacy—excel to find and exploiting these types of oversights.
Volexity’s publish describing the 2022 assault offers loads of technical particulars concerning the compromise on the numerous hyperlinks on this refined daisy chain assault circulate. There’s additionally helpful recommendation for shielding networks towards these types of compromises.
