Cybersecurity researchers at SOCRadar warned earlier this month that the Russian-backed Storm-2372 threat actor has been “exploiting device code phishing to bypass Multi-Factor Authentication (MFA) and infiltrate high-value targets.” The group, which is believed to have ties to Moscow, has in its crosshairs government, defense, healthcare, and financial institutions in the United States, the UK, the Middle East, and Asia.

The researchers warned that the group may employ highly targeted tactics, which represent a serious escalation in the use of social engineering to defeat even advanced security systems.

“The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections,” the researchers wrote in a blog post.

This is just the latest escalation from the group. In February, the Microsoft Threat Intelligence Center also announced that it had discovered an active and successful device code phishing campaign launched by Storm-2372 as early as last August.

Device Code Phishing Explained

According to the Microsoft team, device code phishing involves a threat actor exploiting the device code authentication flow to “capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.”

The attackers craft a digital “lure” and send it through messaging apps, including WhatsApp, Signal, and Microsoft Teams, targeting government and non-governmental organizations (NGOs) alike.

Essentially, a phishing message is delivered to the target’s device. That individual is then guided to a legitimate login page, but the device code they are asked to enter there was generated by the attacker, so once the user completes the sign-in, the attacker gains access without detection.
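To make the mechanism above concrete, the following is an added toy model of the OAuth 2.0 device authorization grant that device code phishing abuses; it is constructed for this article and is not code from SOCRadar, Microsoft, or the article itself. The server, client name, user names, verification URI and the `authenticationProtocol` log field are all assumed; the point is that the token is issued to whoever holds the `device_code`, not to the person who signed in, and that a tenant policy can refuse the grant outright.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) with a
policy hook that blocks it and a detection over sign-in records. Constructed
example; no real identity provider is contacted."""
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceAuthServer:
    # Assumed tenant control, analogous to blocking the device code flow by policy.
    allow_device_code: bool = True
    pending: dict = field(default_factory=dict)     # device_code -> approving user
    user_codes: dict = field(default_factory=dict)  # user_code -> device_code
    signin_log: list = field(default_factory=list)  # constructed sign-in records

    def device_authorization(self, client_id):
        """Step 1: the initiating client requests a device_code/user_code pair."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(24)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = None
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",
                "client_id": client_id}

    def user_approves(self, user_code, user):
        """Step 2: a user signs in on the legitimate page and types the user_code.
        Nothing here proves the user is the party that requested the code."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return False
        self.pending[device_code] = user
        self.signin_log.append({"user": user, "authenticationProtocol": "deviceCode"})
        return True

    def token(self, device_code):
        """Step 3: whoever holds device_code polls and receives the approver's token."""
        user = self.pending.get(device_code)
        if user is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-{secrets.token_hex(8)}", "subject": user}


def device_code_signins(log):
    """Detection: every sign-in that used the device code protocol deserves review,
    especially in tenants where no legitimate device-bound app needs the flow."""
    return [e for e in log if e.get("authenticationProtocol") == "deviceCode"]
```

With `allow_device_code=False` the server answers step 1 with `unauthorized_client`, so no user code exists for a lure to carry; with the flow enabled, the detection over `signin_log` is the fallback that surfaces the sign-in for review.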

“Device code phishing isn’t new, but it is disturbingly easy to phish and compromise,” explained Roger Grimes, data-driven defense evangelist at KnowBe4.

Grimes told ClearanceJobs that the U.S. government has been warning since 2016 in the NIST Special Publication 800-63, the Digital Identity Guidelines, not to use authentication methods that involve sending a one-time code (OTP), as they have proven too easy to trick users out of.

“What makes this even worse is that most victims are already using MFA to protect themselves, but that MFA is usually an OTP as well,” warned Grimes. “So, the authentication relies on the potential victim being tricked into handing over two OTPs to the hacker. And it’s very, very easy to do.”

Instead of being asked for a password, the user is asked for an OTP code, or even two OTP codes. Once the unsuspecting user inputs the code and grants access, the attacker gains unauthorized access to the victim’s corporate account, SOCRadar also noted.

Better Authentication Required

The issue may be made worse by the fact that, too often, OTP and MFA are as easy to phish as the passwords they are replacing.

“If you’re going to use, offer, or require supposedly ‘stronger authentication,’ it should be phishing-resistant, like FIDO-enabled Yubikeys or FIDO passkeys,” added Grimes. “Otherwise, you’re wasting everyone’s time and offering a fake sense of increased security that is not there. And really, that likely makes that user even more at risk of a successful attack.”

Moreover, Grimes suggested that OTP and MFA may create a false sense of security with some users and organizations.

“If I think I’m vulnerable and hackable, I’m probably going to be safer with my behavior. But if you tell me that I’m specially protected because I’m using these new, ‘higher security’ things—well then, maybe I start believing the vendor’s claims and start acting a little more bulletproof when there’s Kryptonite all around me that can take me down,” Grimes continued.

What Has Been Gathered About Storm-2372?

Details about Storm-2372 are sparse, apart from researchers believing the group is a nation-state actor aligned with Russian interests and suspected of engaging in device code phishing. The threat actor’s activities have been observed overlapping with those of other groups employing similar techniques, yet it appears to be distinct in its operations.

Cybersecurity researchers have warned for years that Moscow supports a range of hacking activities, while patriotic hackers and criminal groups also align with the state on an ad-hoc basis and operate without active state backing.

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.