- North Korean group Kimsuky is using QR code phishing to steal credentials
- Attacks bypass MFA via session token theft, exploiting unmanaged mobile devices outside EDR protections
- FBI urges multi-layered defense: employee training, QR reporting protocols, and mobile device management
North Korean hackers are targeting U.S. government entities, think tanks, and academic institutions with sophisticated QR code phishing attacks, also known as 'quishing', aimed at stealing Microsoft 365, Okta, or VPN credentials.
This alarming information comes from a recent Flash report by the Federal Bureau of Investigation (FBI), which has alerted both domestic and international partners about the ongoing threat.
The report identifies a threat actor named Kimsuky, who is sending convincing phishing emails that include images of QR codes. These images are less likely to be flagged as malicious, allowing the emails to bypass security measures and reach users' inboxes.
Stealing Session Tokens and Login Credentials
The FBI notes that while corporate computers are generally well-protected, QR codes are most easily scanned using mobile devices—often unmanaged and outside the usual Endpoint Detection and Response (EDR) and network inspection safeguards. Because a scan from such a device is neither inspected nor blocked by those controls, this gap in coverage increases the likelihood of a successful attack.
When a victim scans the QR code, they are redirected through multiple sites that collect device and identity attributes, such as user-agent, operating system, IP address, locale, and screen size. This data is then used to direct the victim to a custom credential-harvesting page that mimics Microsoft 365, Okta, or VPN portals.
If the victim fails to recognize the deception and attempts to log in, their credentials are captured by the attackers. Moreover, these attacks frequently result in session token theft and replay, enabling the threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alerts.
“Adversaries then establish persistence in the organization and propagate secondary spear phishing from the compromised mailbox,” the FBI stated. “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
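Because a replayed session token already carries a satisfied-MFA claim, no "MFA failed" alert fires; a defender has to correlate sign-in telemetry instead. The following is an added illustration, not code from the FBI report or the article, using constructed sign-in events and hypothetical field names (session_id, mfa_satisfied) to flag a token minted through an interactive MFA challenge that later reappears from a different IP and user agent:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: int              # epoch seconds
    user: str
    session_id: str      # hypothetical id of the session/refresh token
    ip: str
    user_agent: str
    mfa_satisfied: str   # "challenge" = interactive MFA; "claim" = MFA claim carried by token


# Constructed sample events (not real telemetry). Alice completes MFA on her
# phone, moves networks (same phone), then her session id is presented from a
# Windows desktop at a third IP with MFA satisfied only by the token's claim.
# Bob's second event is an ordinary refresh from the same device and IP.
EVENTS = [
    SignIn(1000, "alice", "sess-A", "203.0.113.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari", "challenge"),
    SignIn(1100, "alice", "sess-A", "203.0.113.20", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari", "claim"),
    SignIn(1300, "alice", "sess-A", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome", "claim"),
    SignIn(2000, "bob", "sess-B", "203.0.113.50", "Mozilla/5.0 (Windows NT 10.0) Edge", "challenge"),
    SignIn(2600, "bob", "sess-B", "203.0.113.50", "Mozilla/5.0 (Windows NT 10.0) Edge", "claim"),
]


def detect_token_replay(events):
    """Return (user, session_id, origin_ip, replay_ip) for each session whose
    token was established via an MFA challenge and later presented from a
    different IP *and* a different user agent with MFA satisfied by claim only.
    Requiring both IP and UA to change avoids flagging a phone that merely
    switched networks."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[(e.user, e.session_id)].append(e)
    findings = []
    for (user, sid), evs in by_session.items():
        origin = evs[0]
        if origin.mfa_satisfied != "challenge":
            continue  # no interactive MFA on record for this session; out of scope here
        for later in evs[1:]:
            if (later.mfa_satisfied == "claim"
                    and later.ip != origin.ip
                    and later.user_agent != origin.user_agent):
                findings.append((user, sid, origin.ip, later.ip))
                break  # one finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    for user, sid, origin_ip, replay_ip in detect_token_replay(EVENTS):
        print(f"possible token replay: user={user} session={sid} {origin_ip} -> {replay_ip}")
```

In production the same correlation would run over identity-provider sign-in logs, with the flagged session revoked and the user's recent outbound mail reviewed for secondary spear phishing.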
To combat Kimsuky’s advanced quishing attacks, the FBI recommends a multi-layered security approach that includes employee training, clear protocols for reporting suspicious QR codes, and deploying mobile device management (MDM) systems capable of analyzing QR-linked URLs.
Via The Hacker News