Ethical Hacking News
A new phishing-as-a-service (PhaaS) campaign, dubbed "Rockstar 2FA," has been targeting Microsoft 365 users with AI-driven tactics. The Rockstar 2FA PhaaS toolkit boasts an array of features designed to deceive even the most tech-savvy individuals. With its sophisticated adversary-in-the-middle (AitM) attack and range of features, this PhaaS campaign poses a significant threat to organizations using Microsoft 365 services.
Cybersecurity experts have warned about a sophisticated phishing-as-a-service (PhaaS) campaign called "Rockstar 2FA" targeting Microsoft 365 users with AI-driven tactics. The Rockstar 2FA PhaaS toolkit can intercept user credentials and session cookies, even for users with multi-factor authentication enabled. The platform is available for purchase at a subscription rate of $200 for two weeks or $350 for a month, making it accessible to cybercriminals with little-to-no technical expertise. The toolkit offers features such as 2FA bypass, cookie harvesting, and antibot protection, making it difficult for security tools to detect the attacks. Threat actors use various initial access vectors, including URLs, QR codes, and document attachments, to spread phishing campaigns. The Rockstar 2FA campaign has been observed using legitimate services like Atlassian Confluence and Microsoft OneDrive to host phishing links, taking advantage of the trust associated with these platforms.
Cybersecurity experts have sounded the alarm over a sophisticated phishing-as-a-service (PhaaS) campaign, dubbed "Rockstar 2FA," which has been targeting Microsoft 365 users with AI-driven tactics. The Rockstar 2FA PhaaS toolkit, developed by the creators of the notorious DadSec (aka Phoenix) phishing kit, boasts an array of features designed to deceive even the most tech-savvy individuals.
According to a report by Trustwave researchers Diana Solomon and John Kevin Adriano, the Rockstar 2FA campaign employs an AI-driven adversary-in-the-middle (AitM) attack, which enables attackers to intercept user credentials and session cookies. Because the phishing page relays the victim's live sign-in and captures the session cookie issued once MFA has been completed, users with multi-factor authentication (MFA) enabled can still be compromised by these phishing attacks.
The Rockstar 2FA PhaaS toolkit is available for purchase at a subscription rate of $200 for two weeks or $350 for a month, making it accessible to cybercriminals with little-to-no technical expertise. The platform offers a range of features, including:
1. Two-factor authentication (2FA) bypass: Allowing attackers to bypass MFA and gain access to user accounts.
2. 2FA cookie harvesting: Enabling the collection of session cookies, which can be used to gain unauthorized access to user accounts.
3. Antibot protection: Preventing automated analysis of phishing pages, making it harder for security tools to detect the attacks.
4. Login page themes mimicking popular services: Creating fake login pages that mimic legitimate services, making it difficult for users to distinguish between real and fake logins.
5. Fully undetectable (FUD) links: Generating links that are difficult to detect using traditional URL analysis techniques.
6. Telegram bot integration: Allowing attackers to interact with phishing victims through a fake Telegram bot.
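The 2FA bypass and cookie harvesting features above leave a recognisable trace in sign-in telemetry: the victim completes an MFA-satisfied interactive sign-in from their own device, and shortly afterwards the same session identifier is presented from an unrelated client. The following is an added detection example written for this article (it is not code from Trustwave or from the Rockstar 2FA report); the record layout, field names and all sample sign-ins are constructed for illustration and would need mapping onto the real log schema in use.

```python
"""Flag sessions whose identifier is reused from a different client
shortly after the MFA-satisfied interactive sign-in that created it.

Added example, not from the article. Field names are assumptions and
every record below is constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records.
SAMPLE_SIGNINS = [
    # alice: interactive MFA sign-in, then the same session from a new IP *and* UA
    {"ts": "2024-11-27T09:00:05Z", "user": "alice@example.test", "session_id": "S-1",
     "ip": "198.51.100.20", "ua": "Chrome/130 Windows", "interactive": True, "mfa": "satisfied"},
    {"ts": "2024-11-27T09:03:40Z", "user": "alice@example.test", "session_id": "S-1",
     "ip": "203.0.113.77", "ua": "Firefox/120 Linux", "interactive": False, "mfa": "satisfied"},
    # bob: normal token refresh from the same client, no alert expected
    {"ts": "2024-11-27T10:15:00Z", "user": "bob@example.test", "session_id": "S-2",
     "ip": "198.51.100.31", "ua": "Edge/130 Windows", "interactive": True, "mfa": "satisfied"},
    {"ts": "2024-11-27T10:40:00Z", "user": "bob@example.test", "session_id": "S-2",
     "ip": "198.51.100.31", "ua": "Edge/130 Windows", "interactive": False, "mfa": "satisfied"},
    # carol: IP changes (e.g. mobile roaming) but the client is the same, no alert
    {"ts": "2024-11-27T11:00:00Z", "user": "carol@example.test", "session_id": "S-3",
     "ip": "198.51.100.40", "ua": "Safari/17 iOS", "interactive": True, "mfa": "satisfied"},
    {"ts": "2024-11-27T11:20:00Z", "user": "carol@example.test", "session_id": "S-3",
     "ip": "192.0.2.9", "ua": "Safari/17 iOS", "interactive": False, "mfa": "satisfied"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(records, window=timedelta(hours=24)):
    """Return one (user, session_id, origin_ip, replay_ip) tuple per session
    whose identifier is later presented from a different IP and a different
    user agent within `window` of the MFA-satisfied interactive sign-in.

    Requiring both IP and UA to differ keeps ordinary roaming quiet; a
    production rule would typically compare ASN rather than raw IP.
    """
    by_session = defaultdict(list)
    for record in records:
        by_session[record["session_id"]].append(record)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        origin = next((e for e in events
                       if e["interactive"] and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue  # no MFA-satisfied sign-in to anchor on
        t0 = parse_ts(origin["ts"])
        for event in events:
            delta = parse_ts(event["ts"]) - t0
            if delta <= timedelta(0) or delta > window:
                continue
            if event["ip"] != origin["ip"] and event["ua"] != origin["ua"]:
                alerts.append((event["user"], session_id, origin["ip"], event["ip"]))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_SIGNINS):
        print("possible session cookie replay:", alert)
```

Running the block flags only alice's session. The rule deliberately ignores a bare IP change, which is routine on mobile networks; the AitM pattern is the combination of a new network location and a new client fingerprint within minutes of a successful MFA sign-in.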
The Rockstar 2FA campaign has been observed using various initial access vectors, including URLs, QR codes, and document attachments, which are embedded within messages sent from compromised accounts or spamming tools. The emails make use of diverse lure templates ranging from file-sharing notifications to requests for e-signatures.
In addition to its phishing capabilities, the Rockstar 2FA PhaaS toolkit has also been observed utilizing legitimate services like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Customer Voice to host phishing links. This tactic allows threat actors to take advantage of the trust that comes with these popular platforms.
"The phishing page design closely resembles the sign-in page of the brand being imitated despite numerous obfuscations applied to the HTML code," said Trustwave researchers Diana Solomon and John Kevin Adriano. "All the data provided by the user on the phishing page is immediately sent to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the target account."
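The relay described in the quote works because a password and a one-time code are not tied to the site the user is typing them into, so the AitM server can forward them unchanged. Origin-bound credentials (WebAuthn/FIDO2) close that gap. The following is an added example for this article, not code from Trustwave or from any WebAuthn library: a simplified model of the assertion flow using only the standard library, in which the browser records the origin it is actually connected to, the authenticator signs over that data, and the relying party (RP) rejects any assertion made on another origin. The HMAC stands in for the authenticator's asymmetric signature (an assumption made to keep the example dependency-free), and all domains and keys are constructed.

```python
"""Why origin-bound authentication resists an AitM relay.

Added example, not from the article. Simplified WebAuthn model:
  - the browser, not the page, fills in the origin in clientDataJSON;
  - the authenticator signs SHA-256(rpId) || SHA-256(clientDataJSON);
  - the RP checks origin and challenge before checking the signature.
HMAC with a constructed secret stands in for the credential's private
key signature (assumption); RP_ORIGIN and CRED_KEY are constructed.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ORIGIN = "https://login.example.test"     # constructed relying-party origin
RP_ID = urlparse(RP_ORIGIN).hostname          # "login.example.test"
CRED_KEY = b"constructed-credential-secret"   # stand-in for the credential key


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser assembles clientDataJSON with the origin the user is really on."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": page_origin}, sort_keys=True).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> bytes:
    """Sign SHA-256(rpId) || SHA-256(clientDataJSON); HMAC stands in for the real signature."""
    message = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(CRED_KEY, message, hashlib.sha256).digest()


def rp_verify(client_data: bytes, signature: bytes, expected_challenge: bytes) -> bool:
    """RP-side checks. A real RP would verify with the stored public key instead."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != RP_ORIGIN:               # made on a look-alike site: refuse
        return False
    if cd.get("challenge") != expected_challenge.hex():   # stale or replayed: refuse
        return False
    expected = authenticator_sign(RP_ID, client_data)     # RP binds to its own rpId
    return hmac.compare_digest(expected, signature)


def login_attempt(page_origin: str, challenge: bytes = None) -> bool:
    """Simulate a user completing WebAuthn on `page_origin`; True if the RP accepts.

    A proxy at a look-alike domain can forward every byte, but the victim's
    browser still writes the look-alike origin into clientDataJSON and derives
    the rpId from it, so both the origin check and the signature check fail.
    """
    challenge = challenge or os.urandom(32)
    client_data = browser_client_data(page_origin, challenge)
    # Simplification: the rpId is the page hostname (real rule: a registrable suffix of it).
    signature = authenticator_sign(urlparse(page_origin).hostname, client_data)
    return rp_verify(client_data, signature, challenge)


if __name__ == "__main__":
    print("genuine site :", login_attempt("https://login.example.test"))
    print("look-alike   :", login_attempt("https://login-example.test"))
```

The contrast with the relayed password-plus-OTP flow is the point: nothing the user types on the look-alike page can be forwarded into a valid assertion, because the origin is recorded by the browser and checked by the RP rather than supplied by the page.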
This latest PhaaS campaign highlights the evolving nature of cyber threats, where attackers are becoming increasingly sophisticated in their tactics and techniques. As cybersecurity experts continue to monitor the threat landscape, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against such attacks.
Related Information:
https://thehackernews.com/2024/11/phishing-as-service-rockstar-2fa.html
https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign
https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
https://www.pcrisk.com/removal-guides/10829-phoenix-ransomware
https://www.malwarebytes.com/blog/news/2021/07/cna-legal-filings-lift-the-curtain-on-a-phoenix-cryptolocker-ransomware-attack
Published: Fri Nov 29 06:20:47 2024 by llama3.2 3B Q4_K_M