- North Korean group Kimsuky uses phishing with QR codes to steal credentials
- Attacks bypass MFA by stealing session tokens, exploiting unmanaged mobile devices outside EDR protections
- FBI urges multi-level defense: employee training, QR reporting protocols and mobile device management
The North Koreans are targeting US government institutions, think tanks and academics with highly sophisticated QR code phishing or “quishing” attacks, seeking their Microsoft 365, Okta or VPN credentials.
This is according to the Federal Bureau of Investigation (FBI), which recently released a new Flash report, warning its domestic and international partners about the ongoing campaign.
In the report, a threat actor known as Kimsuky is said to be sending attractive, compelling emails containing images with QR codes. Because images are harder to scan and flag as malicious, these emails more easily bypass email protections and land in people’s inboxes.
Steal session tokens and login credentials
The FBI also said that corporate computers are generally well protected, but QR codes are more easily scanned by mobile phones – unmanaged devices outside the normal limits of endpoint detection and response (EDR) and network inspection. This also makes attacks more likely to succeed.
When the victim scans the code, their browser is sent through multiple redirectors that collect different identity attributes, such as user agent, operating system, IP address, locale, and screen size. This data is then used to take the victim to a customized credential harvesting page, posing as a Microsoft 365, Okta, or VPN portal.
If the victim does not detect the hack and attempts to log in, the credentials would end up in the hands of the attackers. What’s more, these attacks often end with the theft and replay of session tokens, allowing threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failure” alert.
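One defensive check for the token-replay stage described above is to correlate sign-in events by session token and alert when a token that originally satisfied MFA shows up from a different device fingerprint. The snippet below is an added example, not code from the FBI report or TechRadar; the event fields, sample addresses and user agents are constructed.

```python
"""Flag session tokens reused from a device fingerprint that differs from the
one that established the session. Constructed example; field names assumed."""

# Constructed sample sign-in events (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "analyst@example.org", "session": "S-a1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124"},
    {"ts": "2024-05-01T09:20:00Z", "user": "analyst@example.org", "session": "S-a1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124"},
    # Same token, hours later, from a new address and a non-Windows client. The
    # replayed cookie satisfies MFA, so no "MFA failure" event is ever raised.
    {"ts": "2024-05-01T13:45:00Z", "user": "analyst@example.org", "session": "S-a1",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"},
    {"ts": "2024-05-01T14:00:00Z", "user": "dean@example.org", "session": "S-b2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def find_token_replays(events):
    """Return one alert per event whose session token appears from an
    (ip, ua) fingerprint different from the one that first used the session.

    An IP change alone is scored 'medium' (mobile roaming, VPN egress);
    IP and user agent changing together is scored 'high', the usual shape
    of a copied cookie being replayed from the attacker's own browser.
    """
    origin = {}   # session id -> (ip, ua) of the first event seen for it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        first = origin.setdefault(ev["session"], fp)
        if fp == first:
            continue
        if ev["ip"] == first[0]:
            continue   # user-agent drift alone (browser update) is not alerted here
        alerts.append({
            "user": ev["user"], "session": ev["session"], "ts": ev["ts"],
            "origin_ip": first[0], "seen_ip": ev["ip"],
            "severity": "high" if ev["ua"] != first[1] else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_EVENTS):
        print(alert)
```

Identity providers expose the session identifier under different field names, so map the vendor's field to `session` before feeding real sign-in logs to the check.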
“Adversaries then establish persistence in the organization and propagate secondary phishing from the compromised mailbox,” the FBI further stated. “Because the path of compromise originates from unmanaged mobile devices outside the normal limits of endpoint detection and response (EDR) and network inspection, quishing is now considered a high-trust, MFA-resistant identity intrusion vector in enterprise environments.”
To defend against advanced Kimsuky quishing attacks, the FBI recommends a “multi-layered” security strategy, including employee education, establishing clear protocols for reporting suspicious QR codes, implementing mobile device management (MDM) capable of analyzing QR-linked URLs, and more.
Via Hacker News