| Category | Details |
|---|---|
| Threat Actors | Rockstar2FA, FlowerStorm (possibly related to Storm-1575, Tycoon) |
| Campaign Overview | Disruption of Rockstar2FA, rise of FlowerStorm phishing-as-a-service (PaaS) |
| Target Regions (Victims) | USA, Canada, UK, Australia, Italy (mostly North America and Europe) |
| Methodology | Phishing campaigns using Telegram-controlled portals that mimic legitimate login pages to capture credentials and MFA tokens |
| Product Targeted | Cloud platforms and SaaS, primarily Microsoft services (e.g., Office 365, Entra ID) |
| Malware Reference | Rockstar2FA, FlowerStorm (both are phishing kits) |
| Tools Used | Cloudflare CDN, Telegram bots, PHP scripts, Cloudflare Pages & Workers |
| Vulnerabilities Exploited | Phishing techniques to capture credentials and MFA tokens via fake login pages |
| TTPs | Use of decoy pages, credential and token exfiltration via backend servers, abuse of Cloudflare security mechanisms |
| Attribution | Possibly related to the Storm-1575 and Tycoon groups; no definitive link to specific actors |
| Recommendations | Monitor phishing activity, address misconfigurations, improve detection |
| Source | Sophos |
Read the full article: https://news.sophos.com/en-us/2024/12/19/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces/
The above summary has been generated by an AI language model