- The North Korean group Kimsuky uses QR code phishing to steal credentials
- Attacks bypass MFA via session token theft and exploit unmanaged mobile devices outside of EDR protection
- The FBI calls for multi-layered defenses: employee training, QR reporting protocols and mobile device management
North Koreans are targeting US government institutions, think tanks and academia with highly sophisticated QR code phishing or ‘quishing’ attacks that go after their Microsoft 365, Okta or VPN credentials.
This is according to the Federal Bureau of Investigation (FBI), which recently released a new Flash report warning both domestic and international partners about the ongoing campaign.
In the report, it said that a threat actor known as Kimsuky sends out convincing email lures that contain images with QR codes. Because email security tools find it harder to scan images and flag them as malicious, the emails bypass protection more easily and end up in people’s inboxes.
Steals session tokens and login information
The FBI also said that corporate computers are generally well protected, but QR codes are most easily scanned with mobile phones — unmanaged devices outside of normal Endpoint Detection and Response (EDR) and network inspection boundaries. This also makes the attacks more likely to succeed.
When the victim scans the code, they are sent through several redirectors that collect various information and identity attributes, such as user agent, operating system, IP address, location, and screen size. This data is then used to land the victim on a custom-built credential collection page that mimics Microsoft 365, Okta, or VPN portals.
If the victim does not discover the trick and tries to log in, the credentials end up with the attackers. What’s more, these attacks often end in session token theft and replay, allowing the threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alert.
“Adversaries then establish persistence within the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI further stated. “Because the compromise path originates from unmanaged mobile devices outside of normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-security, MFA-resilient identity intrusion vector in enterprise environments.”
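The token replay step described above leaves a trace a defender can look for: a session token minted after an interactive MFA sign-in on a phone reappears shortly afterwards from a different platform or network, with no failed-MFA event anywhere. The following is an added example, not code from the FBI report or the article, that runs such a check over constructed sign-in records; the log field names are assumptions modelled on typical cloud identity logs.

```python
import json

# Constructed sample sign-in events (not real data). Field names are assumptions:
# a session_id issued at interactive (MFA) sign-in and carried by later requests.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.org", "session_id": "s-1001", "interactive": true, "mfa": true, "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)"}
{"ts": "2024-05-01T09:03:00Z", "user": "alice@example.org", "session_id": "s-1001", "interactive": false, "mfa": false, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"ts": "2024-05-01T09:10:00Z", "user": "bob@example.org", "session_id": "s-2002", "interactive": true, "mfa": true, "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"ts": "2024-05-01T09:15:00Z", "user": "bob@example.org", "session_id": "s-2002", "interactive": false, "mfa": false, "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
"""

def ua_platform(ua: str) -> str:
    """Coarse platform bucket from a user-agent string; enough to tell phone from desktop."""
    ua = ua.lower()
    for key, name in (("iphone", "ios"), ("ipad", "ios"), ("android", "android"),
                      ("windows", "windows"), ("macintosh", "macos"), ("linux", "linux")):
        if key in ua:
            return name
    return "unknown"

def find_token_replays(log_text: str) -> list:
    """Return sessions issued on one platform/IP at MFA sign-in and later used from another.
    The token itself is valid, so no 'MFA failed' event exists; only the mismatch
    between the issuing device and the consuming device gives the replay away."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    origin = {}  # session_id -> (platform, ip) recorded at the interactive MFA sign-in
    findings = []
    for e in events:
        sid = e["session_id"]
        plat = ua_platform(e["ua"])
        if e["interactive"] and e["mfa"]:
            origin[sid] = (plat, e["ip"])
            continue
        if sid in origin:
            o_plat, o_ip = origin[sid]
            if plat != o_plat or e["ip"] != o_ip:
                findings.append({"user": e["user"], "session_id": sid,
                                 "issued_on": o_plat, "issued_ip": o_ip,
                                 "replayed_from": plat, "replayed_ip": e["ip"],
                                 "ts": e["ts"]})
    return findings

if __name__ == "__main__":
    for finding in find_token_replays(SAMPLE_LOG):
        print(finding)
```

On the sample data only alice's session is flagged: issued on an iPhone, then consumed from a Windows host on another network three minutes later.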
To defend against Kimsuky’s advanced quishing attacks, the FBI recommends a “multi-layered” security strategy that includes employee training, setting up clear protocols for reporting suspicious QR codes, implementing mobile device management (MDM) capable of analyzing QR-linked URLs, and more.
Via Hacker News