Russia’s Storm-2372 Targets Organizations with MFA Bypass Using Device Code Phishing Techniques

Storm-2372, a Russian state-backed APT group, utilizes device code phishing to circumvent Multi-Factor Authentication (MFA), targeting sectors including government, technology, finance, defense, and healthcare.

Recent research by cybersecurity analysts at SOCRadar has uncovered an evolving tactic employed by the notorious Russian advanced persistent threat group, Storm-2372. This group has demonstrated the ability to compromise online accounts of significant organizations without resorting to password guessing, which marks a notable shift in their approach.

The method in question, known as “device code phishing,” provides a means to bypass robust security measures such as Multi-Factor Authentication (MFA). This attack leverages the common practice of device authorization, particularly with devices like smart TVs that prompt users to enter a unique code on a web portal to authenticate access. Malicious actors exploit this flow to manipulate users into granting account access.

Mechanism of the Attack

Attackers often initiate the scheme by sending deceptive messages via email or text, instructing recipients to log in using a device code. Victims are led to counterfeit login pages closely resembling legitimate sites, such as those belonging to Microsoft. Unwittingly, users enter codes generated by the attackers. Once the code is submitted, hackers gain entry to the accounts without needing the standard password or triggering typical security alerts, thus enabling them to conduct their activities unnoticed until it is too late.

Device Code Phishing Attack Sequence (Source: SOCRadar)

Historically, a simpler iteration of device code phishing utilized static codes that typically expired within 15 minutes, presenting challenges for hackers when users failed to see the notifications promptly. However, Storm-2372 has enhanced its technique through the implementation of dynamic device code phishing, a concept previously highlighted by Black Hills in 2023. This advanced method allows attackers to create phony websites mimicking authentic login pages, utilizing platforms like Azure Web Apps to generate new device codes for each visit. Additionally, tools such as CORS-Anywhere are sometimes utilized to ensure accurate code display in the users’ browsers, facilitating easier access for the attackers.
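One defensive check that follows from the flow described above, written as an added example rather than SOCRadar's or Microsoft's code: a small detector over sign-in records that flags device-code authentications from unfamiliar addresses, or a burst of them for several users from one address, which is what a mass-mailed lure produces. The field names (`authenticationProtocol` equal to `deviceCode`, `ipAddress`, `userPrincipalName`, `createdDateTime`) follow the Entra ID sign-in log schema and are an assumption to adjust for your own log export; the sample records and trusted address are constructed.

```python
"""Hypothetical detector: flags device-code sign-ins from untrusted addresses or hitting
several users in one short burst. Field names assume the Entra ID sign-in log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: three users completing device-code sign-ins from one
# unfamiliar IP within minutes, one legitimate device-code sign-in from the office,
# and one ordinary browser sign-in that must be ignored.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-14T09:01:10Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-02-14T09:04:52Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-02-14T09:09:30Z", "userPrincipalName": "carol@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-02-14T09:30:00Z", "userPrincipalName": "dave@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2025-02-14T09:31:15Z", "userPrincipalName": "erin@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.7"},
]
TRUSTED_IPS = {"198.51.100.20"}  # constructed: the organisation's known egress address

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(records):
    """Keep only sign-ins completed through the OAuth device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def flag_device_code_abuse(records, trusted_ips, window=timedelta(minutes=15), min_users=2):
    """Return {ip: [users]} for device-code sign-ins an analyst should review: any
    sign-in from an untrusted address (legitimate device-code use such as smart TVs or
    CLI tools is rare enough to review), or a trusted address completing device-code
    sign-ins for min_users distinct accounts inside one window, the burst a mass lure makes."""
    by_ip = defaultdict(list)
    for r in device_code_signins(records):
        by_ip[r["ipAddress"]].append(r)
    flagged = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: _ts(r["createdDateTime"]))
        if ip not in trusted_ips:
            flagged[ip] = sorted({r["userPrincipalName"] for r in rs})
            continue
        for i, first in enumerate(rs):
            t0 = _ts(first["createdDateTime"])
            burst = {r["userPrincipalName"] for r in rs[i:] if _ts(r["createdDateTime"]) - t0 <= window}
            if len(burst) >= min_users:
                flagged[ip] = sorted(burst)
                break
    return flagged
```

Tune `window` and `min_users` to how often device-code sign-ins legitimately occur in your tenant; the point is that such sign-ins are rare enough to be reviewed individually, and a cluster of them is the signature of a campaign.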

The ramifications are significant, as Storm-2372 focuses its efforts on organizations that possess valuable data or influence decision-making processes. Targets have included a wide array of institutions, spanning government entities, technology firms, financial institutions, defense contractors, healthcare organizations, and media companies, particularly in regions such as the United States, Ukraine, the United Kingdom, Germany, Canada, and Australia.

This evolving methodology reinforces an urgent need for businesses to enhance their security protocols. Adaptive and context-aware defense mechanisms are crucial to counteract identity-based threats that increasingly elude traditional protective measures. As the landscape of cybersecurity continues to shift, organizations must remain vigilant and proactive in safeguarding their digital assets against such sophisticated tactics.

In MITRE ATT&CK terms, the techniques likely employed in this attack include initial access via phishing, user execution, and possibly credential dumping and access token theft. This underscores the need for robust defenses capable of mitigating these emerging threats.
