Ethical Hacking News
Microsoft has issued a warning about an emerging threat cluster known as Storm-2372, which it attributes to a new set of cyber attacks aimed at various sectors across Europe, North America, Africa, and the Middle East. The attacks have been linked to Russian interests and use a phishing technique called 'device code phishing', which tricks users into completing a sign-in to productivity apps in a way that hands the resulting authentication tokens to the attacker.
Microsoft warns of a new threat cluster called Storm-2372, linked to Russian interests. The attackers use device code phishing to trick users into logging into productivity apps and capture authentication tokens. The captured data can be used to access target accounts and sensitive data, enabling persistent access as long as the tokens remain valid. Phishing emails masquerade as Microsoft Teams meeting invitations, prompting recipients to authenticate using a threat actor-generated device code. Organizations are advised to block device code flow, enable phishing-resistant MFA, and follow least privilege principles.
Storm-2372 has been observed targeting users via messaging apps such as WhatsApp, Signal, and Microsoft Teams, in addition to email.
The technique, 'device code phishing', abuses the OAuth 2.0 device authorization grant (RFC 8628), the flow that lets input-constrained clients such as smart TVs or command-line tools sign in by showing the user a short code to enter at the identity provider's sign-in page. The attacker starts that flow for a legitimate productivity app, receives the code, and persuades the victim to enter it at the genuine Microsoft sign-in page. Because the victim authenticates there with their own password and MFA, the tokens issued at the end of the flow are delivered to the attacker's pending session rather than to the victim, and they give persistent access to the victim environment for as long as the tokens remain valid.
According to Microsoft, the lures are phishing emails that masquerade as Microsoft Teams meeting invitations; when the link is clicked, the recipient is urged to authenticate using a device code generated by the threat actor. Once the victim completes the sign-in, the actor's pending device flow is approved, and the access and refresh tokens it returns are captured and used to reach the target's accounts and data.
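The exchange described above, played out end to end against a toy authorization server, as an added example that is not code from Microsoft, Volexity or the original article. It models the three legs of the device authorization grant (client starts the flow and gets the codes, user approves at the verification page, client polls the token endpoint), then shows why a captured refresh token keeps the attacker in and why revoking the user's sessions cuts them off. Every hostname, client id, user and token value is constructed, and the server is an in-process stand-in for the real sign-in service.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and of the
device code phishing pattern described above. Added example, not code from
Microsoft, Volexity or the article; the server is an in-process stand-in and
every name, code and token value is constructed."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

VERIFICATION_URI = "https://login.example.test/devicelogin"  # stand-in for the real page


@dataclass
class DeviceAuth:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None


class ToyAuthorizationServer:
    """Server side of the flow: hand out codes, take the user's approval, answer polling."""

    def __init__(self, lifetime_s: int = 900) -> None:
        self.lifetime_s = lifetime_s
        self._by_device_code: Dict[str, DeviceAuth] = {}
        self._by_user_code: Dict[str, str] = {}
        self.refresh_tokens: Dict[str, str] = {}  # refresh_token -> subject

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """Step 1: the client (here the attacker) starts the flow; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self._by_device_code[device_code] = DeviceAuth(client_id, scope, user_code, now + self.lifetime_s)
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": self.lifetime_s, "interval": 5}

    def approve(self, user_code: str, user: str, mfa_passed: bool, now: float) -> str:
        """Step 2: the verification page. The victim signs in with their own password and
        MFA at the genuine page and types the code from the lure; nothing tells the
        server that the code belongs to someone else's session."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        auth = self._by_device_code[device_code]
        if now >= auth.expires_at:
            return "expired"
        if not mfa_passed:
            return "mfa_required"
        auth.approved_by = user
        return "approved"

    def token(self, device_code: str, now: float) -> dict:
        """Step 3: the client polls; pending until approval, then tokens minted for the victim."""
        auth = self._by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if now >= auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = auth.approved_by
        return {"token_type": "Bearer", "scope": auth.scope,
                "access_token": f"access-for-{auth.approved_by}", "refresh_token": refresh}

    def refresh(self, refresh_token: str) -> dict:
        """Persistence: a live refresh token yields new access tokens without the victim."""
        subject = self.refresh_tokens.get(refresh_token)
        if subject is None:
            return {"error": "invalid_grant"}
        return {"access_token": f"access-for-{subject}", "refresh_token": refresh_token}

    def revoke_sign_in_sessions(self, user: str) -> int:
        """Response action: invalidate every refresh token issued to the user."""
        doomed = [t for t, u in self.refresh_tokens.items() if u == user]
        for t in doomed:
            del self.refresh_tokens[t]
        return len(doomed)


def run_phish(server: ToyAuthorizationServer, victim: str = "alice@contoso.test",
              victim_completes_mfa: bool = True, now: float = 1_700_000_000.0) -> dict:
    """Plays the Storm-2372 pattern end to end; returns what the attacker holds afterwards."""
    start = server.device_authorization("first-party-client-id", "openid offline_access Mail.Read", now)
    first_poll = server.token(start["device_code"], now + 5)  # polled before the lure lands
    # Lure dressed as a Teams meeting invitation: "go to verification_uri and enter user_code".
    approval = server.approve(start["user_code"], victim, victim_completes_mfa, now + 120)
    tokens = server.token(start["device_code"], now + 125)
    return {"lure_code": start["user_code"], "first_poll": first_poll.get("error"),
            "approval": approval, "tokens": tokens}
```

Two details of the model carry the security point. The victim's MFA is checked in `approve`, at the genuine verification page, so a strong second factor passes and the tokens are still minted for the attacker's `device_code`; and the code has a lifetime (15 minutes here, matching Microsoft's real user codes), which is why the lure must get the victim to act quickly and why a delayed click returns `expired_token` to the attacker.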
Because the tokens carry the victim's identity, they can be replayed against any service the user already has permissions to, such as email or cloud storage, without a password and without a fresh MFA prompt. Microsoft also observed the actor searching compromised mailboxes by keyword, looking for messages containing terms such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov, and exfiltrating the matching messages.
To mitigate the risk, organizations are advised to block the device code flow wherever possible (in Microsoft Entra ID this is done with a Conditional Access policy that uses the 'Authentication flows' condition), to enable phishing-resistant multi-factor authentication (MFA), and to follow the principle of least privilege. Blocking the flow is the control that addresses this attack directly: the victim signs in at the genuine Microsoft page, so origin-bound MFA such as FIDO2 is satisfied and does not by itself prevent the attacker's code from being redeemed. Where the flow must stay enabled, restrict it to the users and apps that need it, and treat any sign-in that used it from an unexpected location or application as a trigger to revoke the user's refresh tokens, since the page's own observation is that access persists only as long as the tokens remain valid. Microsoft has also advised users to be cautious of unsolicited messages or invitations that require authentication, as they may be attempts to hijack accounts.
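One way to hunt for the sign-ins this technique leaves behind, as an added example that is not tooling from Microsoft or the article. It triages Entra ID sign-in records for the device code flow, scoring each successful one on whether the application is one the organization uses the flow for and whether the country has been seen in the user's other sign-ins, and lists the users whose sessions should be revoked. The records are a constructed sample (not real telemetry) that uses the field names of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode); the set of expected applications is a hypothetical policy.

```python
"""Triage of Entra ID sign-in log records for device code flow sign-ins.
Added example, not tooling from Microsoft or the article. Records are a
constructed sample using the Graph signIn field names; the expected-app
set is a hypothetical organisation policy."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample records, one JSON object per line (not real telemetry).
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-02-12T08:02:11Z","userPrincipalName":"alice@contoso.test","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T09:15:40Z","userPrincipalName":"alice@contoso.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T09:20:05Z","userPrincipalName":"bob@contoso.test","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T07:40:00Z","userPrincipalName":"bob@contoso.test","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T12:30:00Z","userPrincipalName":"carol@contoso.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.200","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-12T13:05:00Z","userPrincipalName":"dave@contoso.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
"""

# Hypothetical policy: applications for which device code sign-ins are normal operations.
EXPECTED_DEVICE_CODE_APPS: Set[str] = {"Azure CLI"}


def parse_signin_logs(text: str) -> List[dict]:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(records: List[dict]) -> Dict[str, Set[str]]:
    """Countries each user has signed in from successfully via any flow other than device code."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def triage_device_code_signins(records: List[dict]) -> List[dict]:
    """One finding per device code sign-in. Successful ones are scored on two
    signals: an app the org does not use the flow for, and a country absent
    from the user's baseline (a user with no baseline at all also trips this).
    Failed attempts are reported but not scored."""
    baseline = baseline_countries(records)
    findings: List[dict] = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        base = {"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"]}
        if r["status"]["errorCode"] != 0:
            findings.append({**base, "severity": "failed", "reasons": ["sign-in failed"]})
            continue
        reasons = []
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected app {r['appDisplayName']}")
        country = r["location"]["countryOrRegion"]
        if country not in baseline.get(user, set()):
            reasons.append(f"no baseline sign-in from {country}")
        severity = {2: "high", 1: "medium", 0: "info"}[len(reasons)]
        findings.append({**base, "severity": severity, "reasons": reasons})
    return findings


def users_to_contain(findings: List[dict]) -> List[str]:
    """Users whose refresh tokens should be revoked (Graph: POST /users/{id}/revokeSignInSessions)."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for finding in triage_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(finding)
```

On the sample, alice's sign-in is scored high (unexpected app and a country absent from her baseline), bob's Azure CLI sign-in from his usual country is informational, carol's is a failed attempt worth correlating with the lure timeline, and dave is scored high because the tenant has no other successful sign-ins for him to compare against. Revoking sessions invalidates refresh tokens but not access tokens already issued, so expect up to their remaining lifetime before the attacker is fully cut off.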
Device code phishing is a relatively new technique. Rather than a forged login page, it relies on a legitimate-looking device code request that leads the victim to the real sign-in page, which is what lets the attacker capture the user's authentication tokens and gain access to their accounts. Once inside, the attackers move laterally within the organization by sending similar lures from the compromised account to other internal users, who are more likely to trust a message from a colleague.
The threat actor has targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas. Microsoft tracks the activity as Storm-2372 and assesses with medium confidence, based on the observed victimology and tradecraft, that the cluster is aligned with Russian interests.
In light of this emerging threat, organizations and individuals should take proactive measures. Understanding the tactics and techniques used by attackers, in particular that the victim is led to a genuine sign-in page rather than a forged one, helps defenders choose controls that address the flow actually being abused. Organizations should also maintain baseline security measures, including multi-factor authentication, secure communication protocols, and regular software updates.
The rise of 'device code phishing' is a worrying trend that highlights the evolving nature of cyber threats. As attackers continue to adapt and refine their techniques, it is crucial for cybersecurity professionals and individuals alike to stay vigilant and proactive in defending against these types of attacks.
Related Information:
https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html
https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
Published: Fri Feb 14 06:53:41 2025 by llama3.2 3B Q4_K_M