A disruption to the phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.
“It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last week. “This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.”
Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch phishing attacks that are capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.
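The defensive signal a kit like this leaves behind is a session cookie that was minted after a legitimate MFA sign-in and is then presented from a different source address. The following detector is an added example written for this article, not code from Sophos, Trustwave, or either phishing kit; the tab-separated log format, the field names, and the sample sign-in lines are all constructed for illustration, and real Microsoft 365 sign-in logs would need their own parser.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    mfa: bool  # True when this sign-in completed interactive MFA


# Constructed sample log (hypothetical format): time, user, session id, source IP, mfa flag.
# alice's session sess-1 is replayed from a second IP two and a half minutes after MFA;
# bob's session sess-2 is only ever used from the IP that satisfied MFA.
SAMPLE_LOG = """\
2024-11-11T09:00:00Z\talice@example.com\tsess-1\t203.0.113.10\tmfa=yes
2024-11-11T09:02:30Z\talice@example.com\tsess-1\t198.51.100.7\tmfa=no
2024-11-11T09:05:00Z\tbob@example.com\tsess-2\t203.0.113.22\tmfa=yes
2024-11-11T09:30:00Z\tbob@example.com\tsess-2\t203.0.113.22\tmfa=no
2024-11-11T11:00:00Z\talice@example.com\tsess-1\t203.0.113.10\tmfa=no
"""


def parse_log(text: str) -> List[SignInEvent]:
    """Parse the constructed tab-separated format into SignInEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, mfa = line.split("\t")
        events.append(
            SignInEvent(
                ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                user=user,
                session_id=sid,
                ip=ip,
                mfa=(mfa == "mfa=yes"),
            )
        )
    return events


def find_session_replay(
    events: List[SignInEvent], window: timedelta = timedelta(minutes=30)
) -> List[Tuple[str, str, str, str]]:
    """Return (user, session_id, mfa_ip, replay_ip) for every session whose cookie is
    presented from a new IP within `window` of the sign-in that satisfied MFA.

    The window keeps ordinary roaming (a laptop changing networks hours later) out of
    the results; an adversary-in-the-middle kit replays the cookie almost immediately.
    """
    mfa_origin: Dict[str, Tuple[datetime, str]] = {}  # session_id -> (mfa time, mfa ip)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.mfa:
            mfa_origin[ev.session_id] = (ev.ts, ev.ip)
            continue
        origin = mfa_origin.get(ev.session_id)
        if origin is None:
            continue  # no MFA sign-in seen for this session; nothing to compare against
        origin_ts, origin_ip = origin
        if ev.ip != origin_ip and ev.ts - origin_ts <= window:
            findings.append((ev.user, ev.session_id, origin_ip, ev.ip))
    return findings


if __name__ == "__main__":
    for user, sid, mfa_ip, replay_ip in find_session_replay(parse_log(SAMPLE_LOG)):
        print(f"possible session replay: {user} session {sid} MFA from {mfa_ip}, reused from {replay_ip}")
```

Only alice's session is reported: the reuse from 198.51.100.7 falls inside the 30-minute window, while her later sign-in from the original address and bob's same-address reuse are ignored. In production the IP comparison would usually be widened to ASN or geolocation and the window tuned to the tenant's normal roaming behaviour.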
The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages have been found to be hosted on .com, .de, .ru, and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.
Rockstar2FA appears to have suffered a technical disruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.
While it's not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.
Sophos said that both services share similarities when it comes to the format of the phishing portal pages and the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. They also abuse Cloudflare Turnstile in order to ensure that the incoming page requests are not from bots.
It's suspected that the November 11 disruption represents either a strategic pivot in one of the groups, a change in personnel operating them, or an intentional effort to decouple the twin operations. There is no definitive evidence linking the two services at this stage.
The most frequently targeted countries using FlowerStorm include the U.S., Canada, the U.K., Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.
“The most heavily targeted sector is the service industry, with particular focus on firms providing engineering, construction, real estate, and legal services and consulting,” Sophos said.
If anything, the findings once again illustrate the ongoing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale even without requiring much technical expertise.