North Korean hackers are using malicious QR codes for phishing, FBI warns

  • North Korea’s Kimsuky group uses QR code phishing to steal credentials
  • The attacks bypass MFA by stealing session tokens and exploiting unmanaged mobile devices outside EDR protection
  • The FBI recommends a layered defense: employee training, QR code reporting protocols, and mobile device management

North Korean actors are targeting U.S. government institutions, think tanks, and universities with sophisticated QR code phishing (“quishing”) attacks aimed at their Microsoft 365, Okta, or VPN credentials.

This is according to the Federal Bureau of Investigation (FBI), which recently released a new flash report warning domestic and international partners about the ongoing campaign.


The report says that a threat actor tracked as Kimsuky is sending convincing emails containing images with embedded QR codes. Because image content is harder to analyze and classify as malicious, such emails can more easily bypass email protection and reach users’ inboxes.

Theft of session tokens and credentials

The FBI also noted that corporate computers are generally well protected, but QR codes are more easily scanned with cell phones, which are typically unmanaged devices outside the normal reach of endpoint detection and response (EDR) and network inspection. This also increases the probability that the attacks succeed.

When the victim scans the code, the link passes through multiple redirectors that collect identity attributes such as user agent, operating system, IP address, locale, and screen size. This data is then used to direct the victim to a custom credential-harvesting page posing as a Microsoft 365, Okta, or VPN portal.

If the victim does not recognize the trick and attempts to log in, the credentials fall into the hands of the attackers. Furthermore, these attacks often end in the theft and replay of session tokens, allowing malicious actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failure” warning.

“The attackers then establish persistence within the organization and spread secondary phishing from the compromised mailbox,” the FBI added. “Because the compromise path originates from unmanaged mobile devices outside the normal limits of endpoint detection and response (EDR) and network inspection, rollback is now considered a highly trusted and MFA-resistant identity attack vector in enterprise environments.”
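The MFA bypass described above leaves a trace: a session established from the victim's phone is later reused from the attacker's infrastructure without a fresh MFA challenge. The following detection logic is an added example, not part of the FBI report or any vendor product. It assumes an identity-provider sign-in log with a session identifier, client IP, user agent, and an MFA flag per event; the field names and the sample events are constructed. Because the redirectors harvest the victim's user agent, a careful attacker may replay with a matching user agent, so an IP change alone is also flagged; in production, comparing ASN or geolocation rather than raw IP reduces noise from phones switching between Wi-Fi and cellular networks.

```python
"""Flag likely session-token replay in identity-provider sign-in logs.

Added example (not from the FBI report). Assumed log shape: one dict per
sign-in event with ts, user, session, ip, ua and mfa fields. The events
below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice's session S1 is first seen from an iPhone
# with MFA satisfied, then reused 12 minutes later from a different IP and a
# Windows browser with no new MFA prompt. bob's session S2 stays consistent.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:02:11", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone) Safari", "mfa": True},
    {"ts": "2025-01-15T09:14:40", "user": "alice", "session": "S1",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome", "mfa": False},
    {"ts": "2025-01-15T10:00:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome", "mfa": True},
    {"ts": "2025-01-15T11:30:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome", "mfa": False},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_session_replays(events, window=timedelta(hours=1)):
    """Return findings for sessions whose later use differs from the first use.

    A finding is raised when, within `window` of the session's first sign-in,
    the same session id appears from a different IP or user agent and that
    later event did not involve an MFA challenge. Each finding lists which
    attributes changed so an analyst can weigh IP-only hits differently.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=_ts)
        first = session_events[0]  # the sign-in where MFA was satisfied
        for later in session_events[1:]:
            indicators = []
            if later["ip"] != first["ip"]:
                indicators.append("ip")
            if later["ua"] != first["ua"]:
                indicators.append("user_agent")
            delta = _ts(later) - _ts(first)
            if indicators and not later["mfa"] and delta <= window:
                findings.append({
                    "user": later["user"],
                    "session": session_id,
                    "indicators": indicators,
                    "first_ip": first["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after": round(delta.total_seconds() / 60, 1),
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample data, only alice's session S1 is reported, with both the IP and the user agent listed as changed indicators; bob's session produces nothing because its later use matches its first.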


To counter these Kimsuky attacks, the FBI recommends a “layered” security strategy that includes training employees, establishing clear protocols for reporting suspicious QR codes, using mobile device management (MDM) to scan URLs associated with QR codes, and more.
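The MDM recommendation above amounts to a policy check on whatever a scanned QR code resolves to. The snippet below is an added example, not the FBI's or any MDM vendor's code. It assumes the QR image has already been decoded to its payload string by the MDM or mail-gateway step (decoding itself is outside this snippet) and that the organisation keeps an allowlist of the hosts its legitimate Microsoft 365, Okta, and VPN sign-ins use. The allowlist, the brand-term list, and the sample payloads are constructed; the checks are heuristics that mirror the attack chain described in the article (lookalike login hosts and redirector-style URLs carrying an embedded destination).

```python
"""Policy check for a URL decoded from a QR code in an inbound email.

Added example (not from the FBI report). Assumes the QR payload string is
already available; returns the reasons the payload should be held for
review, or an empty list to allow it.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: hosts the organisation's own sign-in flows use.
ALLOWED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "example.okta.com",
    "vpn.example.org",
}

# Brand and login terms a credential-harvesting host typically borrows.
BRAND_TOKENS = ("microsoft", "office", "365", "okta", "sso", "vpn", "login", "signin")


def _is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _has_embedded_url(query):
    """True when any query parameter value is itself an http(s) URL,
    the usual shape of a redirector hop in a multi-stage phishing chain."""
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return True
    return False


def assess_qr_payload(payload, allowed_hosts=ALLOWED_LOGIN_HOSTS):
    """Return a list of reasons to hold the payload; empty means allow."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # QR codes can carry Wi-Fi configs, vCards, plain text: not a web link.
        return ["payload is not an http(s) URL"]

    host = parts.hostname.lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("plain http")
    if _is_ip_literal(host):
        reasons.append("ip literal host")
    elif host not in allowed_hosts:
        reasons.append("host not on login allowlist")
        if any(token in host for token in BRAND_TOKENS):
            reasons.append("lookalike brand term in host")
    if _has_embedded_url(parts.query):
        reasons.append("embedded URL in query (redirector pattern)")
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, from a legitimate login URL to a lookalike.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
        "http://198.51.100.5/okta-login",
        "https://microsoft-365-verify.example/login?redirect=https%3A%2F%2Fevil.example",
        "WIFI:S:guest;;",
    ):
        print(sample, "->", assess_qr_payload(sample) or "allow")
```

An empty result means the decoded link points at an allowlisted login host over HTTPS with no redirector pattern; anything else is a reason to hold the message and route it through the reporting protocol the FBI describes rather than let the user complete the sign-in on a phone.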
