- North Korean group Kimsuky is using QR code phishing to steal credentials
- Attacks bypass MFA via session token theft, exploiting unmanaged mobile devices outside EDR protections
- FBI urges multi-layered defense: employee training, QR reporting protocols, and mobile device management
North Koreans are targeting US government institutions, think tanks, and academia with highly sophisticated QR code phishing, or ‘quishing’ attacks, going for their Microsoft 365, Okta, or VPN credentials.
This is according to the Federal Bureau of Investigation (FBI) which recently published a new Flash report, warning both domestic and international partners about the ongoing campaign.
In the report, it said that a threat actor known as Kimsuky is sending out convincing email lures, containing images with QR codes. Since the images are more difficult to scan and deem malicious, the emails bypass protections more easily and land in people’s inboxes.
Stealing session tokens and login credentials
The FBI also said that corporate computers are generally well protected, but QR codes are most easily scanned with mobile phones – unmanaged devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries. This too makes the attacks more likely to succeed.
When the victim scans the code, they are sent through multiple redirectors that collect different information and identity attributes, such as user-agent, operating system, IP address, locale, and screen size. This data is then used to land the victim on a custom-built credential-harvesting page, impersonating Microsoft 365, Okta, or VPN portals.
If the victim does not spot the trick and tries to log in, the credentials would end up with the attackers. What’s more – these attacks often end with session token theft and replay, allowing the threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alert.
“Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI further stated. “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
To defend against Kimsuky’s advanced quishing attacks, the FBI recommends a “multi-layered” security strategy, which includes employee education, setting up clear protocols for reporting suspicious QR codes, deploying mobile device management (MDM) capable of analyzing QR linked URLs, and more.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
