    The Vanguard

    Russian Hackers Exploiting “Device Code Phishing” to Hijack Accounts: Microsoft Raises Alarm

    By Mae Nelson | 14 February 2025 | Updated: 22 December 2025

    In a recent cybersecurity advisory, Microsoft has shed light on an emerging threat cluster dubbed “Storm-2372” that has been linked to a series of cyber attacks orchestrated by Russian-backed hackers. The tech giant has warned that these attacks, which have been ongoing since August 2024, are targeting a diverse range of sectors, including government, non-governmental organizations (NGOs), information technology (IT) services, technology, defense, telecommunications, health, higher education, and energy/oil and gas.

    The “Device Code Phishing” Technique

    According to Microsoft’s analysis, the Storm-2372 group has been employing a sophisticated phishing technique known as “device code phishing” to gain unauthorized access to victims’ accounts. This technique exploits the multi-factor authentication (MFA) process by tricking users into approving a malicious login attempt, effectively bypassing the security layer provided by MFA.

    The device code phishing attack typically begins with a phishing email or message that lures the victim into visiting a malicious website designed to mimic a legitimate login page. Once the victim enters their credentials, the site prompts them to enter a device code, which is a temporary code used to authenticate a new device or application.

    However, unbeknownst to the victim, this device code is actually being used by the attackers to initiate a login attempt on the victim’s account from a device they control. If the victim approves the login request, thinking it’s a legitimate authentication prompt, the attackers gain full access to the account and its associated data.

    Widespread Targeting and Advanced Capabilities

    Microsoft’s report highlights the wide range of sectors targeted by Storm-2372, underscoring the group’s advanced capabilities and diverse interests. The tech giant has observed these attacks targeting various organizations worldwide, suggesting a well-resourced and persistent threat actor.


    In addition to the device code phishing technique, the Storm-2372 group has demonstrated proficiency in deploying other malicious tools and tactics. These include the use of Anchor malware, which is designed to establish persistent access to compromised systems, as well as techniques for credential theft and lateral movement within compromised networks.

    Microsoft’s detailed report provides a comprehensive analysis of the group’s operations, indicators of compromise, and recommended mitigation strategies for organizations to protect themselves against these sophisticated attacks.

    Defending Against Device Code Phishing Attacks

    To mitigate the risks posed by device code phishing attacks, Microsoft and other cybersecurity experts recommend implementing strong security measures and raising awareness among employees. Some key recommendations include:

    1. Implementing robust multi-factor authentication (MFA) solutions that rely on secure methods like hardware tokens or biometric authentication, rather than solely relying on device codes.
    2. Conducting regular security awareness training for employees to recognize and report suspicious phishing attempts.
    3. Deploying advanced threat protection solutions that can detect and block malicious websites and phishing attacks.
    4. Keeping software and systems up-to-date with the latest security patches and updates.
    5. Enforcing strong password policies and encouraging the use of password managers to minimize the risk of credential theft.

    By staying vigilant and implementing comprehensive security measures, organizations can better protect themselves against the evolving tactics employed by threat actors like Storm-2372.
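
The sign-in described under "The “Device Code Phishing” Technique" completes on a device the attackers control, so it can be reviewed in sign-in logs. The following detection sketch is an added example, not part of the original article or of Microsoft's report. The log format, field names and sample records are constructed for illustration, and the `deviceCode` protocol label is modelled on the value used in Microsoft Entra sign-in logs.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (one JSON object per line). Field names and
# values are assumptions for this example, not a real identity-provider export.
SAMPLE_LOG = """\
{"time": "2025-02-10T08:01:00Z", "user": "alice@example.org", "protocol": "oAuth2", "ip": "198.51.100.10", "country": "DE"}
{"time": "2025-02-10T08:05:00Z", "user": "bob@example.org", "protocol": "oAuth2", "ip": "198.51.100.20", "country": "US"}
{"time": "2025-02-10T09:00:00Z", "user": "alice@example.org", "protocol": "deviceCode", "ip": "198.51.100.11", "country": "DE"}
{"time": "2025-02-10T09:30:00Z", "user": "bob@example.org", "protocol": "deviceCode", "ip": "203.0.113.77", "country": "NL"}
{"time": "2025-02-10T10:00:00Z", "user": "alice@example.org", "protocol": "deviceCode", "ip": "198.51.100.11", "country": "DE"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(events):
    """Return device-code sign-ins that deserve review, with the reasons."""
    usual_countries = defaultdict(set)   # user -> countries seen in other sign-ins
    used_device_code = set()             # users with an earlier device-code sign-in
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        user = event["user"]
        if event["protocol"] != "deviceCode":
            usual_countries[user].add(event["country"])
            continue
        reasons = []
        if user not in used_device_code:
            reasons.append("first device-code sign-in for this user")
        if event["country"] not in usual_countries[user]:
            reasons.append("country not seen in the user's other sign-ins")
        used_device_code.add(user)
        if reasons:
            alerts.append({"time": event["time"], "user": user,
                           "ip": event["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_events(SAMPLE_LOG)):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

A device-code sign-in that carries both reasons is the one to triage first; a repeat sign-in from a country the user already works from is not reported.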

    Original Source: https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html

    Mae Nelson
    Senior technology reporter covering AI, semiconductors, and Big Tech. Background in applied sciences. Turns complex tech into clear insights.
