Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Unveiling the Shadowy Tactics of Storm-2372: A Device Code Phishing Campaign of Global Proportions


According to Microsoft Threat Intelligence researchers, a Russian-linked group tracked as Storm-2372 has been running a device code phishing campaign since August 2024, targeting governments and organizations across multiple regions.

  • Storm-2372, a Russian-linked group, has been using device code phishing since August 2024.
  • The campaign targets government, NGO, IT, defense, telecommunications, health, higher education and energy organizations in Europe, North America, Africa, and the Middle East.
  • The attackers use lures resembling messaging-app invitations to get users to enter an attacker-generated device code on the legitimate sign-in page; the resulting tokens are issued to the attacker, and no password is captured.
  • Storm-2372 uses regional proxies to mask its activity and has recently shifted to using the Microsoft Authentication Broker client ID in the device code flow.
  • Organizations are advised to block device code flow where possible, enforce multi-factor authentication (MFA), and apply least privilege.
  • The campaign has global reach and high-value targets, and because the victim completes a legitimate sign-in, MFA alone does not stop it.



  • Storm-2372, a Russian-linked group, has been employing a device code phishing technique since August 2024. The campaign, active for roughly six months at the time of Microsoft's report, has targeted governments, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.

    According to Microsoft Threat Intelligence researchers, Storm-2372's device code phishing abuses the OAuth 2.0 device authorization grant, the sign-in flow designed for input-constrained devices such as TVs and printers. The attacker starts a sign-in for a productivity app, and the user, believing they are joining a meeting or chat, completes that sign-in on the legitimate identity provider. The tokens issued at the end of the flow go to whoever started it, so the attacker receives a valid access token and, typically, a refresh token that lets them mint new access tokens long after the first one has expired.

    The attackers craft lures that resemble messaging app experiences, including WhatsApp, Signal, and Microsoft Teams, such as a fake meeting or chat invitation. Following the link, recipients land on the genuine device login page and are prompted to enter a threat actor-generated device code. No password is phished: the victim signs in to the real service, MFA included.

    Once the user enters the device code and finishes signing in, the identity provider issues the access token (and refresh token) to the attacker's pending token request. Storm-2372 uses the access token to read the compromised account's data and the refresh token to retain access after the initial access token expires.
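The exchange described above, as an added walk-through that is not part of the original article or Microsoft's report: an in-memory stand-in for the identity provider's /devicecode and /token endpoints (RFC 8628), with the attacker starting the flow, the victim approving the code on the genuine page, and the tokens landing with the attacker. Class names, the verification URL, the client ID and the token formats are all assumed.

```python
"""Walk-through of the OAuth 2.0 device authorization grant (RFC 8628) and
why a phished device code hands the victim's tokens to the attacker.

Added illustration, not code from Microsoft or the article. The
AuthorizationServer class is an in-memory stand-in for the identity
provider's /devicecode and /token endpoints; token formats are invented.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceSession:
    client_id: str
    scope: str
    user_code: str
    authorized_by: Optional[str] = None          # UPN of the user who approved
    expires_at: float = field(default_factory=lambda: time.time() + 900)


class AuthorizationServer:
    """Stand-in identity provider (assumed, simplified)."""

    def __init__(self) -> None:
        self._sessions = {}     # device_code -> DeviceSession
        self._user_codes = {}   # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (RFC 8628 3.1/3.2): the client that starts the flow gets the
        secret device_code and the short user_code meant to be displayed."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # e.g. "A1B2C3D4"
        self._sessions[device_code] = DeviceSession(client_id, scope, user_code)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed
                "interval": 5, "expires_in": 900}

    def user_approves(self, user_code: str, upn: str, passed_mfa: bool) -> bool:
        """Step 2 (3.3): the user visits the genuine verification page, types
        the code and signs in, MFA included. Nothing in this step tells the
        identity provider who originally requested the code."""
        device_code = self._user_codes.get(user_code)
        if device_code is None or not passed_mfa:
            return False
        session = self._sessions[device_code]
        if time.time() > session.expires_at:
            return False
        session.authorized_by = upn
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3 (3.4/3.5): whoever holds device_code polls /token and
        receives the tokens minted for the approving user."""
        session = self._sessions.get(device_code)
        if session is None or session.client_id != client_id:
            return {"error": "invalid_grant"}
        if session.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "scope": session.scope, "sub": session.authorized_by,
                "access_token": f"at.{session.authorized_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{session.authorized_by}.{secrets.token_hex(8)}"}


def run_phishing_scenario(idp: AuthorizationServer,
                          victim_upn: str = "alice@victim.example") -> dict:
    """Attacker initiates the flow, lures the victim with the user_code, polls."""
    client_id = "productivity-app-client-id"   # assumed; a Teams-like app
    start = idp.device_authorization(client_id, "openid profile Mail.Read offline_access")

    # Attacker polls before the victim acts: nothing yet.
    pending = idp.token(start["device_code"], client_id)

    # The lure: "to join the meeting, open <verification_uri> and enter <user_code>".
    # The victim does so on the real sign-in page and completes MFA.
    approved = idp.user_approves(start["user_code"], victim_upn, passed_mfa=True)

    # Attacker polls again and now holds the victim's access and refresh tokens.
    tokens = idp.token(start["device_code"], client_id)
    return {"pending_error": pending.get("error"), "approved": approved, "tokens": tokens}


if __name__ == "__main__":
    result = run_phishing_scenario(AuthorizationServer())
    print(result["pending_error"], result["tokens"]["sub"], "refresh_token" in result["tokens"])
```

The point the simulation makes is structural: the identity provider binds the tokens to the user who approved the code, not to the party that requested it, and MFA is checked on the user's side of that exchange, so it is satisfied no matter who is polling.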

    Microsoft researchers have observed that Storm-2372 shifted tactics in recent months, using the specific client ID of the Microsoft Authentication Broker in the device code sign-in flow. A refresh token obtained for that client can be exchanged for tokens that register an attacker-controlled device in Entra ID, which gives more durable access than a single app token. The attackers also route their activity through regional proxies to mask its origin.

    To mitigate these attacks, organizations are recommended to block device code flow wherever possible (for example, with a Conditional Access policy on the device code authentication flow), enforce multi-factor authentication (MFA), and implement the principle of least privilege. One caveat: because the victim completes a legitimate sign-in on the real identity provider, MFA, including phishing-resistant methods, is satisfied during the attack and does not block this flow by itself. The controls that actually limit it are blocking the flow, hunting for device code sign-ins in the sign-in logs, and revoking refresh tokens and forcing re-authentication for affected users.
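The hunting step, as an added example that is not Microsoft's or the article's code: device code sign-ins are visible in Entra ID sign-in logs through the authenticationProtocol field, so a small script over an exported log can surface the pattern described on this page (device code protocol, the Authentication Broker client, an IP outside the user's baseline, one IP approving codes for several users). The field names follow the Microsoft Graph signIn resource; the log records below are constructed, the per-user IP baseline is an assumed input, and the broker app ID constant is the value Microsoft published for that first-party application and should be confirmed against your own tenant's logs.

```python
"""Hunt for device code sign-ins in exported Entra ID sign-in log records.

Added example, not Microsoft's or the article's code. Field names follow
the Microsoft Graph signIn resource (authenticationProtocol, appId,
appDisplayName, ipAddress, userPrincipalName); the records below are
constructed, and the per-user "usual IP" baseline is an assumed input.
"""
import json
from collections import defaultdict

# Microsoft Authentication Broker first-party app ID as published in
# Microsoft's Storm-2372 report; confirm against your tenant's logs.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Constructed sample export (JSON lines), not real tenant data.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-02-10T09:12:01Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"oAuth2","appId":"app-teams","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10"}
{"createdDateTime":"2025-02-10T09:14:40Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"deviceCode","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.77"}
{"createdDateTime":"2025-02-10T09:20:05Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"deviceCode","appId":"app-office","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.22"}
{"createdDateTime":"2025-02-10T09:31:17Z","userPrincipalName":"carol@corp.example","authenticationProtocol":"oAuth2","appId":"app-outlook","appDisplayName":"Outlook","ipAddress":"203.0.113.31"}
{"createdDateTime":"2025-02-10T09:33:50Z","userPrincipalName":"dave@corp.example","authenticationProtocol":"deviceCode","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.77"}
"""

# Assumed baseline of the IPs each user normally signs in from.
USUAL_IPS = {"alice@corp.example": {"203.0.113.10"},
             "bob@corp.example": {"203.0.113.22"},
             "dave@corp.example": {"203.0.113.40"}}


def parse_signin_log(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt_device_code(records, usual_ips):
    """Return one finding per device code sign-in, scored by how many
    Storm-2372-style indicators it carries."""
    # Which users approved device codes from each IP: a shared attacker
    # proxy shows up as one IP redeeming codes for several users.
    ip_users = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            ip_users[r.get("ipAddress")].add(r.get("userPrincipalName"))

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn, ip = r.get("userPrincipalName"), r.get("ipAddress")
        reasons = ["device code sign-in"]
        if (r.get("appId") == AUTH_BROKER_APP_ID
                or r.get("appDisplayName") == "Microsoft Authentication Broker"):
            reasons.append("Authentication Broker client (device registration path)")
        if upn in usual_ips and ip not in usual_ips[upn]:
            reasons.append(f"ip {ip} not in user's baseline")
        if len(ip_users[ip]) > 1:
            reasons.append(f"ip {ip} redeemed device codes for {len(ip_users[ip])} users")
        findings.append({"time": r.get("createdDateTime"), "user": upn, "ip": ip,
                         "score": len(reasons), "reasons": reasons})
    # Highest score first; sorted() is stable, so ties keep log order.
    return sorted(findings, key=lambda f: -f["score"])


def users_to_revoke(findings, threshold=3):
    """Users whose findings warrant revoking refresh tokens and forcing re-auth."""
    return sorted({f["user"] for f in findings if f["score"] >= threshold})


if __name__ == "__main__":
    fs = hunt_device_code(parse_signin_log(SAMPLE_SIGNIN_LOG), USUAL_IPS)
    for f in fs:
        print(f["score"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print("revoke refresh tokens for:", users_to_revoke(fs))
```

A single device code sign-in from a user's usual address (bob in the sample) is ordinary and scores low; the ones to act on combine the broker client with an unfamiliar IP that is also redeeming codes for other users. The same logic translates directly into a KQL query over the SigninLogs table for tenants that hunt in Microsoft Sentinel.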

    The campaign's global reach and the seniority of its targets make Storm-2372 a significant threat to organizations across multiple regions. Because the technique relies on a legitimate sign-in rather than malware or a software vulnerability, patching does not address it; the relevant measures are identity-layer controls such as blocking device code flow, enforcing MFA, hunting for device code sign-ins in sign-in logs, and revoking tokens for affected accounts.

    Organizations that apply these controls, and train users to treat unexpected "enter this code to sign in" prompts with suspicion, can substantially reduce their exposure to Storm-2372 and to other actors adopting the same technique.



    Related Information:

  • https://securityaffairs.com/174270/apt/storm-2372-used-device-code-phishing-technique.html


  • Published: Sun Feb 16 09:46:28 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
