Rockstar2FA Collapse Fuels Growth of FlowerStorm Phishing-as-a-Service

Dec 23, 2024 | Ravie Lakshmanan | Phishing / Cybercrime

A disruption to the phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.

“It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last week. “This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.”

Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that enables criminal actors to launch phishing attacks capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.


The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages were found to be hosted on .com, .de, .ru, and .moscow top-level domains, though the use of .ru domains is believed to have shrunk over time.


Rockstar2FA appears to have suffered a technical disruption on November 11, 2024, when redirects to intermediate decoy pages produced Cloudflare time-out errors and the counterfeit login pages failed to load.

While it is not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.


Sophos said that both services share similarities in the format of the phishing portal pages and the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. Both also abuse Cloudflare Turnstile to ensure that incoming page requests are not from bots, which keeps automated scanners and sandboxes from ever seeing the counterfeit login page.
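The following Python triage heuristic is an added illustration of the Turnstile-gated lookalike pages described above; it is example code written for this page, not code from Sophos, Trustwave, or either kit. It flags HTML that combines a Cloudflare Turnstile widget, a password form and Microsoft 365 branding on a host that is not a Microsoft sign-in host. The Turnstile loader URL and the `cf-turnstile` widget class are Cloudflare's real markers; the host allow-list, brand-marker strings, sample pages and `.example` hostnames are assumptions constructed for the example.

```python
"""Triage heuristic for AitM phishing pages that hide behind Cloudflare Turnstile.

A page is marked 'suspect' when it (a) loads the Turnstile widget or script,
(b) contains a password form, (c) carries Microsoft 365 branding text, and
(d) is served from a host that is not a Microsoft sign-in host. The host
allow-list, brand markers and sample pages are assumptions for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real Turnstile loader path (https://challenges.cloudflare.com/turnstile/v0/api.js).
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"
# Assumed, deliberately incomplete allow-list of hosts where a Microsoft sign-in form belongs.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumed brand strings a Microsoft 365 lookalike page would carry.
M365_BRAND_MARKERS = ("microsoft", "office 365", "outlook", "onedrive")


class _PageScanner(HTMLParser):
    """Collects only the page features the heuristic needs."""

    def __init__(self):
        super().__init__()
        self.turnstile = False
        self.password_field = False
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs (async, defer) become ""
        if tag == "script" and TURNSTILE_MARKER in a.get("src", ""):
            self.turnstile = True
        elif tag == "div" and "cf-turnstile" in a.get("class", "").split():
            self.turnstile = True
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True

    def handle_data(self, data):
        self.text_chunks.append(data)


def scan_page(url, html):
    """Return the extracted features plus a verdict of 'suspect' or 'benign'."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    host = (urlparse(url).hostname or "").lower()
    text = " ".join(scanner.text_chunks).lower()
    brand_hits = [m for m in M365_BRAND_MARKERS if m in text]
    suspect = (
        scanner.turnstile
        and scanner.password_field
        and bool(brand_hits)
        and host not in MICROSOFT_LOGIN_HOSTS
    )
    return {
        "host": host,
        "turnstile": scanner.turnstile,
        "password_field": scanner.password_field,
        "brand_hits": brand_hits,
        "microsoft_host": host in MICROSOFT_LOGIN_HOSTS,
        "verdict": "suspect" if suspect else "benign",
    }


# Constructed samples, not captured from either kit; hosts use the reserved .example TLD.
SAMPLES = {
    # Lookalike: Turnstile gate + Microsoft branding + password form on a foreign host.
    "https://secure-verify.example/login": """
<html><head><title>Sign in to your account</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="cf-turnstile" data-sitekey="0xSITEKEY"></div>
<form method="post" action="/auth"><h1>Microsoft</h1>
<input type="email" name="loginfmt"><input type="password" name="passwd"></form>
</body></html>""",
    # Genuine sign-in host: same form, no Turnstile, allow-listed host.
    "https://login.microsoftonline.com/": """
<html><head><title>Sign in to your account</title></head><body>
<form method="post"><h1>Microsoft</h1>
<input type="email" name="loginfmt"><input type="password" name="passwd"></form></body></html>""",
    # Legitimate Turnstile use: a comment form with no credential fields.
    "https://blog.example/": """
<html><head><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script></head>
<body><div class="cf-turnstile" data-sitekey="0xSITEKEY"></div>
<form method="post"><textarea name="comment"></textarea></form></body></html>""",
}


def triage(samples=SAMPLES):
    """Scan every sample and return {url: verdict}."""
    return {url: scan_page(url, html)["verdict"] for url, html in samples.items()}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:8s} {url}")
```

Two caveats for anyone adapting this. Turnstile is widely deployed by legitimate sites, so the widget alone is not an indicator; the heuristic only fires on the combination with a credential form and foreign host, and it is a triage aid, not a signature. And because the kits use Turnstile precisely to keep bots out, an automated crawler will often never retrieve the lookalike page; the HTML has to come from an interactive visit, a browser sandbox, or a mail-gateway or proxy capture.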

It is suspected that the November 11 disruption represents either a strategic pivot by one of the groups, a change in the personnel running them, or an intentional effort to decouple the two operations. There is no definitive evidence linking the two services at this stage.


The countries most frequently targeted using FlowerStorm include the United States, Canada, the U.K., Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.

“The most heavily targeted sector is the service industry, with particular focus on firms providing engineering, construction, real estate, and legal services and consulting,” Sophos said.

If anything, the findings once again illustrate the ongoing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale without requiring much technical expertise.
