
NormCyber Threat Bulletin: 19th February 2025

Device code phishing attempts observed from Russian linked group Storm-2372

A suspected Russian-linked threat group named Storm-2372 has been conducting a device code phishing campaign. So far Storm-2372 has targeted the IT services, government, higher education, defence and energy sectors across Africa, the Middle East, North America and Europe.

Most users appear to have been targeted via messaging apps such as Signal, Microsoft Teams and WhatsApp. The threat actor claims to be someone relevant to the victim in an attempt to establish trust. The phishing emails are disguised as Microsoft Teams invitations and encourage the recipient to authenticate using a threat actor-generated device code; once the victim does so, the attacker can hijack the authenticated session using the resulting valid access token.

Figure 1 – Attack example

The attacker generates a genuine device code request, and the user enters the code on the legitimate sign-in page. The attacker then captures the resulting authentication, obtaining access and refresh tokens that can be used to retain account access. These tokens can also be used to reach other services the user already has permissions to, such as email or cloud storage, without the need for a password.

Figure 2 – Attack Technique

The valid session is then used to move laterally within the network by sending similar phishing messages to other users from the compromised account. Storm-2372 has also been observed using the specific client ID associated with the Microsoft Authentication Broker in the device sign-in flow. With this ID the attacker can register a device in Entra ID and obtain a primary refresh token, which is then used to collect emails and access the user's other resources.
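The pattern described above gives defenders two concrete things to look for in Entra ID sign-in logs: device-code authentications from a location the user has never signed in from, and device-code authentications whose client is the authentication broker. The following is an added example, not code from the bulletin or from Microsoft; the sign-in records are constructed in the shape of Microsoft Graph signIn objects, and the broker app ID is a placeholder the operator must replace with the published value.

```python
"""Triage Entra ID sign-in events for device-code authentications (added example)."""
from collections import defaultdict

# Assumption: the operator supplies the app ID of the Microsoft Authentication Broker;
# this placeholder is not the real value.
BROKER_APP_IDS = {"00000000-0000-0000-0000-000000000000"}

# Constructed sample records mirroring a subset of Microsoft Graph signIn fields.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": "aaaa", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "countryOrRegion": "GB"},
    # Device-code sign-in from a country alice has never used: she typed an attacker-generated code.
    {"userPrincipalName": "alice@example.com", "appId": "aaaa", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "countryOrRegion": "NL"},
    # Device-code sign-in with the broker client ID: the device-registration / PRT pattern.
    {"userPrincipalName": "bob@example.com", "appId": "00000000-0000-0000-0000-000000000000",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NL"},
    # Legitimate device-code sign-in (a headless CLI) from carol's usual country.
    {"userPrincipalName": "carol@example.com", "appId": "bbbb", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "countryOrRegion": "GB"},
    {"userPrincipalName": "carol@example.com", "appId": "bbbb", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.20", "countryOrRegion": "GB"},
]


def triage_device_code_signins(records, broker_app_ids=BROKER_APP_IDS):
    """Return (upn, ip, severity, reasons) for every device-code sign-in.

    All device-code sign-ins are 'review'; one becomes 'high' when the client is the
    broker or the country is absent from the user's non-device-code baseline."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["countryOrRegion"])
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if r["appId"] in broker_app_ids:
            reasons.append("broker-client-id")
        if r["countryOrRegion"] not in baseline[r["userPrincipalName"]]:
            reasons.append("new-country")
        severity = "high" if reasons else "review"
        findings.append((r["userPrincipalName"], r["ipAddress"], severity, tuple(reasons)))
    return findings
```

In production the baseline should be built from a longer history window than the batch being triaged, and the Azure CLI style sign-in from carol shows why device-code use alone is a review signal rather than an alert.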

References:
Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts (cyberscoop.com)
Storm-2372 used the device code phishing technique since August 2024 (securityaffairs.com)
Microsoft: Russian-Linked Hackers Using ‘Device Code Phishing’ to Hijack Accounts (thehackernews.com)

CVE-2023-20198 Exploited by Salt Typhoon in Targeted Attacks Against Telecommunications Firms, ISPs and Universities

Salt Typhoon, a Chinese advanced persistent threat group, has been observed targeting more than 1000 Cisco devices within the infrastructure of Internet Service Providers (ISPs), telecommunications companies and universities.

Salt Typhoon (aka RedMike, Earth Estries, Famous Sparrow, GhostEmperor and UNC2286) first burst onto the scene last autumn, targeting major US telecommunications providers such as AT&T, Verizon and T-Mobile. During that campaign they were even able to eavesdrop on US law enforcement wiretaps and presidential campaigns.

This time they are exploiting the vulnerability tracked as CVE-2023-20198, a critical vulnerability in Cisco IOS XE software. It was given a CVSS score of 10, the highest possible score. The vulnerability can be exploited by an unauthorised attacker to create new local accounts with administrative privileges on the affected system, which the attacker can then use to perform whatever activity they want.

However, this was not the only vulnerability exploited. Salt Typhoon also exploited CVE-2023-20273, which takes the first vulnerability one step further by allowing the attackers to run malicious commands with root privileges on the affected devices. This vulnerability was classified as "high" risk, with a CVSS score of 7.2.

Using both vulnerabilities in tandem, Salt Typhoon were able to configure Generic Routing Encapsulation (GRE) tunnels connecting vulnerable devices within the target infrastructure. While GRE is a legitimate feature, its use allowed the threat actors to establish persistence in the environment and exfiltrate data with a lessened risk of detection by firewalls or network monitors.

Thankfully, Cisco has already patched these vulnerabilities in subsequent software versions, and the patches are readily available for installation.
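Both artefacts of the chain above, a newly created privilege-15 local account and a GRE tunnel the network team did not configure, are visible in a device's running-config. The following is an added example, not code from the bulletin or from Cisco: it audits a constructed IOS XE config excerpt against allow-lists of expected admin users and tunnel interfaces (the hostnames, usernames and addresses are made up).

```python
"""Audit an IOS XE running-config for artefacts of the intrusion chain above:
unexpected privilege-15 local users and unexpected GRE tunnels (added example)."""
import re

# Constructed sample running-config excerpt (hostname, users and addresses are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$constructedhash1
username svc_backup privilege 15 secret 9 $9$constructedhash2
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.5
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

USER_RE = re.compile(r"^username (\S+) privilege 15\b", re.M)
# Interface name followed by its indented body (stops at the next unindented line).
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\n((?: .*\n)*)", re.M)


def audit_config(config, expected_admins, expected_tunnels):
    """Return (category, name, detail) findings against allow-lists the operator maintains."""
    findings = []
    for user in USER_RE.findall(config):
        if user not in expected_admins:
            findings.append(("unexpected-admin-user", user, ""))
    for name, body in TUNNEL_RE.findall(config):
        mode = re.search(r"^ tunnel mode (.+)$", body, re.M)
        # A Tunnel interface with no explicit mode runs GRE over IP by default.
        mode = mode.group(1).strip() if mode else "gre ip"
        dest = re.search(r"^ tunnel destination (\S+)", body, re.M)
        dest = dest.group(1) if dest else "unknown"
        if mode.startswith("gre") and name not in expected_tunnels:
            findings.append(("unexpected-gre-tunnel", name, "destination " + dest))
    return findings
```

Run it against a config pulled from each device on a schedule and diff the findings; a tunnel whose destination is outside the organisation's own address space is the case to escalate first.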

References:
Salt Typhoon Exploits Cisco Devices in Telco Infrastructure (darkreading.com)
CVE-2023-20198 (tenable.com)
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (cisco.com)

BeyondTrust Software CVE-2024-12356: Safeguarding Against Command Injection Vulnerabilities

Active exploitation of CVE-2024-12356, a command injection vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) software, has rattled the cyber security landscape. This suite, integral to IT operations across many sectors, provides secure and compliant access to critical IT assets. Its widespread use by IT administrators, third-party vendors, developers and CloudOps engineers underscores the potential impact of this vulnerability.

Compounding the risk, CISA has tagged a second vulnerability, CVE-2024-12686, as actively exploited. This medium-severity flaw allows attackers with admin privileges to inject commands and upload malicious files onto the target system. BeyondTrust discovered this issue last month while investigating breaches involving a ‘limited number’ of SaaS customers targeted by Chinese state-sponsored threat actors. The presence of these two vulnerabilities significantly increases the attack surface for organisations relying on BeyondTrust solutions.

A Staged Attack Sequence
The exploitation of CVE-2024-12356 follows a structured attack path. Threat actors first identify organisations using BeyondTrust solutions, conducting reconnaissance to locate exposed instances. Once a vulnerable system is detected, attackers craft and deploy a malicious payload designed to exploit the command injection flaw. When executed, this payload injects and runs unauthorised commands, granting attackers full control over the system.

The delivery method often involves compromised web interfaces or direct network breaches. BeyondTrust has confirmed that internet-facing deployments of their software are actively targeted, reinforcing the need for organisations to limit external exposure. Once attackers establish initial access, they entrench themselves by deploying additional tools to maintain persistence.

At this stage, adversaries frequently set up covert Command-and-Control (C2) channels, enabling data exfiltration, privilege escalation, and lateral movement. Given the involvement of Chinese state-sponsored threat actors, these vulnerabilities appear to be leveraged for espionage and system compromise rather than just opportunistic attacks.

As the attack progresses, adversaries work toward their objectives, whether stealing sensitive data, disrupting operations, or launching secondary attacks from the compromised system. Without rapid detection and mitigation, the consequences can be severe and long-lasting.

Proactive Mitigation Measures
With active exploitation of CVE-2024-12356 and CVE-2024-12686, organisations must act swiftly to patch affected systems and implement additional security controls.

BeyondTrust has confirmed that these vulnerabilities affect Privileged Remote Access versions prior to 23.2 and Remote Support before 23.3.2. The company has released patches addressing these flaws and strongly urges customers to apply updates immediately. Additionally, BeyondTrust advises organisations to restrict external access to these services, reducing the risk of exposure.

Beyond patching, continuous monitoring for indicators of compromise (IoCs) is essential. Reviewing system logs for unusual command executions, unexpected privilege escalations, or unauthorised file uploads can help detect early attack attempts. BeyondTrust’s own investigation into Chinese state-sponsored activity highlights the need for ongoing threat hunting to identify and remove any lingering adversary presence.

Strengthening access controls is also crucial. Attackers leveraging CVE-2024-12686 require admin privileges, meaning a least-privilege approach significantly reduces exploitation risk. Regular security audits, penetration testing, and employee security training further bolster defences against these threats.

Closing Thoughts
The exploitation of CVE-2024-12356 and CVE-2024-12686 underscores the increasing sophistication of cyber threats targeting privileged access solutions. Attackers—particularly state-sponsored adversaries—continue to refine their tactics, focusing on vulnerabilities in widely deployed enterprise security tools.

Mitigating these risks requires a proactive approach, combining rapid patching, continuous monitoring, and strict access controls. Cyber resilience depends not just on defensive measures, but on early detection and fast response. This incident serves as a stark reminder that privileged access security must be prioritised, not overlooked.

References:
NVD – CVE-2024-12356 (nvd.nist.gov)
CVE-2024-12356 | CVE & MITRE Mapping (cvelib.com)
BT24-10 (beyondtrust.com)
