While stalking its target, GruesomeLarch performed credential-stuffing attacks that compromised the passwords of several accounts on an internet-facing web services platform used by the organization’s employees. Two-factor authentication enforced on the platform, however, prevented the attackers from taking over those accounts.
So GruesomeLarch found devices in physically adjoining locations, compromised them, and used them to probe the target’s Wi-Fi network. It turned out that the credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only there no 2FA was required.
Adding further flourish, the attackers hacked one of the neighboring Wi-Fi-enabled devices by exploiting what in early 2022 was a zero-day vulnerability in the Microsoft Windows Print Spooler.
The 2022 hack demonstrates how a single faulty assumption can undo an otherwise effective defense. For whatever reason, likely an assumption that 2FA on the Wi-Fi network was unnecessary because attacks required close physical proximity, the target deployed 2FA on the internet-connected web services platform (Adair isn’t saying what type) but not on the Wi-Fi network, even though both accepted the same passwords. That one oversight ultimately torpedoed a strong security practice.
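The detection opportunity the article implies is the join between the two surfaces: a credential-stuffing source gets passwords right on the web platform (where MFA then denies the login), and days later the same accounts authenticate to the enterprise Wi-Fi with a password alone. The script below is an added example written for this page, not code from Volexity’s report or the article; the log format, field names, sample lines, the stuffing threshold of three distinct accounts per source and the seven-day window are all constructed assumptions. It correlates the two event streams and flags the password-only Wi-Fi successes that reuse an already-exposed password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real telemetry): one line per
# authentication event on either the MFA-protected web platform
# ("surface=web") or the password-only enterprise Wi-Fi ("surface=wifi").
SAMPLE_LOG = """\
2022-01-31T02:14:07Z surface=web user=alice result=password_ok mfa=denied src=203.0.113.5
2022-01-31T02:14:09Z surface=web user=bob result=password_ok mfa=denied src=203.0.113.5
2022-01-31T02:14:11Z surface=web user=carol result=bad_password mfa=n/a src=203.0.113.5
2022-01-31T09:02:55Z surface=web user=erin result=password_ok mfa=denied src=198.51.100.7
2022-02-02T23:40:12Z surface=wifi user=alice result=success mfa=none src=ap-3f-east
2022-02-02T23:41:30Z surface=wifi user=dave result=success mfa=none src=ap-2f-west
2022-02-02T23:42:05Z surface=wifi user=bob result=failure mfa=none src=ap-3f-east
2022-02-03T08:10:41Z surface=wifi user=erin result=success mfa=none src=ap-1f-lobby
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def stuffing_sources(events, min_accounts=3):
    """Sources that tried at least min_accounts distinct accounts on the web surface.
    Credential stuffing spreads across many accounts, so breadth is the signal;
    the threshold is an assumption for this example."""
    per_src = defaultdict(set)
    for e in events:
        if e.get("surface") == "web":
            per_src[e["src"]].add(e["user"])
    return {src for src, users in per_src.items() if len(users) >= min_accounts}


def exposed_accounts(events, sources):
    """Accounts whose password a stuffing source got right but which MFA then blocked.
    Returns {user: earliest such event time}. These passwords are in the attacker's
    hands even though every web login 'failed'."""
    first_seen = {}
    for e in events:
        if (e.get("surface") == "web" and e["src"] in sources
                and e["result"] == "password_ok" and e["mfa"] == "denied"):
            if e["user"] not in first_seen or e["ts"] < first_seen[e["user"]]:
                first_seen[e["user"]] = e["ts"]
    return first_seen


def nearest_neighbor_alerts(lines, window=timedelta(days=7)):
    """Flag password-only Wi-Fi successes for exposed accounts inside the window."""
    events = [e for e in map(parse_event, lines) if e]
    exposed = exposed_accounts(events, stuffing_sources(events))
    alerts = []
    for e in events:
        if e.get("surface") != "wifi" or e["result"] != "success" or e["mfa"] != "none":
            continue
        t0 = exposed.get(e["user"])
        if t0 is not None and timedelta(0) <= e["ts"] - t0 <= window:
            alerts.append((e["user"], e["src"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for user, ap, when in nearest_neighbor_alerts(SAMPLE_LOG):
        print(f"ALERT: {user} joined Wi-Fi via {ap} at {when} with a password "
              "already validated during credential stuffing; MFA never challenged it.")
```

On the constructed data only alice fires: her password was accepted from the stuffing source 203.0.113.5 and she later authenticated to Wi-Fi without MFA. erin also had an MFA-denied web login, but from a source that touched a single account, so it is treated as an ordinary user rather than stuffing; bob's Wi-Fi attempt failed and dave was never exposed. The real fix is the one the paragraph above implies, MFA or certificate-based 802.1X on the Wi-Fi surface, but until that is in place this join is the cheapest way to notice that a "blocked" credential-stuffing campaign has found a second door.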
Advanced persistent threat groups like GruesomeLarch, a component of the much larger GRU APT tracked under names including Fancy Bear, APT28, Forest Blizzard, and Sofacy, excel at finding and exploiting exactly these kinds of oversights.
Volexity’s post describing the 2022 attack provides a wealth of technical detail about each link in this sophisticated daisy-chain attack. It also offers useful advice for safeguarding networks against these types of compromises.