Microsoft is drawing attention to a new threat cluster it tracks as Storm-2372, which has been behind a series of cyberattacks against multiple sectors since August 2024.
The attacks target government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in the Middle East.
The threat actor, assessed with medium confidence to be aligned with Russian interests, victimology, and tradecraft, targets users through messaging apps such as WhatsApp, Signal, and Microsoft Teams, falsely claiming to be a prominent person relevant to the target in an attempt to build trust.
“The attacks use a specific phishing technique called ‘device code phishing’ that tricks users into logging into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts,” Microsoft Threat Intelligence said in a new report.
The goal is to use the authentication codes obtained to access target accounts, and to abuse that access to obtain sensitive data and maintain persistent access to the victim’s environment for as long as the tokens remain valid.
The tech giant said the attack involves sending phishing emails masquerading as Microsoft Teams meeting invitations that, when clicked, urge the recipients to authenticate using a device code generated by the threat actor, thereby allowing the adversary to hijack the authenticated session using the valid access token.
“During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page,” Microsoft explained. “This grants the actor access and enables them to capture the authentication – access and refresh – tokens that are generated, then use those tokens to access the target’s accounts and data.”
The phished authentication tokens can then be used to access other services the user already has permissions to, such as email or cloud storage, without needing a password.
Microsoft said the valid session is used to move laterally within the network by sending similar intra-organizational phishing messages to other users from the compromised account. In addition, the Microsoft Graph service is used to search through messages in the breached account.
“The threat actor was using keyword searching to view messages containing words such as username, password, admin, TeamViewer, AnyDesk, account, secret, service, and government,” Redmond said, adding that emails matching these filter criteria were then exfiltrated to the threat actor.
To mitigate the risk of such attacks, organizations are recommended to block the device code flow where possible, enable phishing-resistant multi-factor authentication (MFA), and follow the principle of least privilege.