- North Korean Kimsuky Group Uses QR Code Phishing to Steal Credentials
- Attacks bypass MFA via session token theft, exploiting unmanaged mobile devices outside of EDR protections.
- FBI recommends a multi-layered defense: employee training, QR code reporting protocols and mobile device management.
North Korean threat actors are targeting U.S. government institutions, think tanks and academia with highly sophisticated QR code phishing, or “quishing”, attacks aimed at their Microsoft 365, Okta or VPN credentials.
This is according to the Federal Bureau of Investigation (FBI), which recently published a new Flash report, warning national and international partners against the ongoing campaign.
The report states that a malicious actor known as Kimsuky sends convincing email lures containing images with embedded QR codes. Because images are harder to analyze and flag as malicious, these emails bypass protections more easily and land in users’ inboxes.
Stealing session tokens and login credentials
The FBI also said that corporate computers are generally well protected, but that QR codes are typically scanned with mobile phones – unmanaged devices outside the normal limits of endpoint detection and response (EDR) and network inspection. That gap makes the attacks more likely to succeed.
When the victim scans the code, it is sent through multiple redirectors that collect different information and identity attributes, such as user agent, operating system, IP address, locale, and screen size. This data is then used to direct the victim to a personalized credentials collection page, masquerading as Microsoft 365, Okta, or VPN portals.
If the victim does not spot the trick and attempts to log in, the credentials will end up in the hands of the attackers. Additionally, these attacks often end with session token theft and replay, allowing malicious actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alert.
“Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI added. “Since the compromise path comes from unmanaged mobile devices outside the normal boundaries of endpoint detection and response (EDR) and network inspection, rollback is now considered a high-trust, MFA-resilient identity intrusion vector in enterprise environments.”
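Because a replayed session token satisfies MFA via the claim it already carries, the usual “MFA failed” alert never fires; a defender instead has to compare the device attributes on later requests against the interactive login that created the token. The following is an added example (not code from the FBI report or TechRadar) that runs such a check over constructed sign-in events; the field names and the "interactive" / "claim_in_token" MFA labels are assumptions standing in for whatever your identity provider logs.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry). Each event records
# the session identifier the identity provider issued, the device attributes
# it observed, and how MFA was satisfied for that request.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)",
     "mfa": "interactive"},                       # legitimate MFA login
    {"ts": "2024-05-01T09:05:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)",
     "mfa": "claim_in_token"},                    # same device, expected
    {"ts": "2024-05-01T09:20:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Linux; Android 13)",
     "mfa": "claim_in_token"},                    # token reused elsewhere
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh)",
     "mfa": "interactive"},
]


def detect_token_replay(events):
    """Return alerts for session tokens reused from a different device profile.

    A request whose MFA is satisfied only by the claim already in the token,
    but which arrives from a different IP *and* user agent than the
    interactive login that created the session, is a strong replay signal.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        # Baseline the device on the interactive (MFA-challenged) login.
        origin = next((e for e in evs if e["mfa"] == "interactive"), None)
        if origin is None:
            continue  # no interactive login seen: nothing to baseline against
        for e in evs:
            if e["mfa"] != "claim_in_token":
                continue
            if e["ip"] != origin["ip"] and e["ua"] != origin["ua"]:
                alerts.append({"user": e["user"], "session": sid,
                               "ts": e["ts"], "from_ip": e["ip"],
                               "origin_ip": origin["ip"]})
    return alerts
```

Requiring both the IP and the user agent to change keeps routine mobile roaming from alerting on its own; tune the comparison to the attributes your provider actually records.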
To defend against advanced Kimsuky attacks, the FBI recommends a “layered” security strategy, which includes training employees, establishing clear protocols for reporting suspicious QR codes, deploying mobile device management (MDM) capable of scanning URLs linked to QRs, and much more.
Via Hacker news