65/68 Tuesday, February 18, 2025
Security researchers from Microsoft have warned that the cyber threat group known as Storm-2372, which has ties to Russia, has been using a “Device Code Phishing” technique to steal authentication tokens from government agencies, non-governmental organizations (NGOs), and various industries since August 2024.
This technique deceives users into logging into productivity applications such as WhatsApp, Signal, and Microsoft Teams, allowing attackers to steal authentication tokens and take control of compromised accounts. Storm-2372 has targeted multiple regions, including Europe, North America, Africa, and the Middle East, with a focus on technology, defense, telecommunications, healthcare, higher education, and energy/oil & gas sectors.
The report highlights that Device Code Phishing exploits weaknesses in authentication processes to steal tokens, enabling attackers to maintain continuous access to accounts and data as long as the token remains valid. Researchers discovered phishing messages disguised as Microsoft Teams meeting invitations. When users clicked the link and authenticated using a device code generated by the attackers, the hackers obtained valid access tokens, allowing them to hijack active login sessions. Furthermore, these tokens could be used to access other services the user had permissions for, such as email or cloud platforms, without requiring a password.
Following Microsoft’s report, Storm-2372 shifted its strategy by using a unique Client ID for the Microsoft Authentication Broker during Device Code Sign-in attempts, attempting to conceal their activities. The threat group registered devices in Entra ID to request Primary Refresh Tokens, granting them access to various resources, including email harvesting.
To mitigate these attacks, Microsoft advises organizations to disable the Device Code Flow if unnecessary, enforce Multi-Factor Authentication (MFA), and adopt the Principle of Least Privilege to reduce cybersecurity risks in the future.
Source https://securityaffairs.com/174270/apt/storm-2372-used-device-code-phishing-technique.html
