Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service

Avatar
An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm. “It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last

An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.

“It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last week. “This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.”

Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch phishing attacks that are capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.

The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages have been found to be hosted on .com, .de, .ru. and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.

Rockstar2FA appears to have suffered a technical interruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.

While it’s not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.

Sophos said that both the services share similarities when it comes to the format of the phishing portal pages and the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. They also abuse Cloudflare Turnstile in order to ensure that the incoming page requests are not from bots.

It’s suspected that the November 11 disruption represents either a strategic pivot in one of the groups, a change in personnel running them, or an intentional effort to decouple the twin operations. There is no definitive evidence linking the two services at this stage.

The most frequently targeted countries using FlowerStorm include the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.

“The most heavily targeted sector is the service industry, with particular focus on firms providing engineering, construction, real estate, and legal services and consulting,” Sophos said.

If anything, the findings once again illustrate the ongoing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale even without requiring much technical expertise.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Top 10 Cybersecurity Trends to Expect in 2025

Next Post

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

Related Posts

Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains
Avatar
Read More

CISO Canberra

[[{“value”:” November 14, 2024 Location: Canberra Rex Hotel, Australia website: https://ciso-canberra.coriniumintelligence.com/ Join the collective effort to safeguard government…
Avatar
Read More