Source |
RiskIQ |
Identifier |
8617947 |
Publication date |
2024-11-26 21:59:55 (seen: 2024-11-26 22:08:27) |
Title |
Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS) |
Text |
## Snapshot
Researchers at Trustwave SpiderLabs have been tracking the growing use of the Rockstar 2FA phishing kit, which targets Microsoft accounts using Adversary-in-the-Middle (AiTM) techniques.
## Description
This kit enables attackers to bypass multifactor authentication (MFA) by intercepting session cookies and credentials. Its campaigns feature spoofed Microsoft 365 login portals, aiming to trick victims into revealing sensitive information.
According to Trustwave, the Rockstar 2FA kit is an evolution of the DadSec/Phoenix kit and is marketed on platforms like Telegram, offering advanced features such as 2FA bypass, randomized code generation, and antibot measures. Subscription plans start as low as $200, making it accessible to cybercriminals. Threat actors use sophisticated social engineering techniques, including phishing emails themed around document sharing, payroll alerts, and voicemail notifications, delivered via trusted platforms to evade detection. A large Rockstar 2FA campaign also uses car-themed web pages and lures; Trustwave observed over 5,000 car-themed domains since May 2024.
The phishing campaigns leverage Cloudflare Turnstile challenges to block automated analysis and employ obfuscated JavaScript to deliver either a phishing page or a decoy site based on user validation. Once victims enter their credentials, attackers gain access to both login details and session cookies, enabling account takeovers or subsequent attacks like business email compromise.
Rockstar's campaigns, active since mid-2024, underscore the growing sophistication of Phishing-as-a-Service (PaaS) platforms. Their continued updates and integration of AiTM tactics highlight the importance of enhanced security measures to counteract these threats.
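As an added illustration (not code from the article, Trustwave, or Microsoft) of why the AiTM session-cookie bypass described above works against one-time codes but not against the FIDO-based factors recommended further down: a toy model in which a relay proxy forwards a typed OTP unchanged, while a WebAuthn-style assertion fails because the browser binds the page origin into the signed client data. The relying party name, origins, and the HMAC standing in for the authenticator's asymmetric signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed model with hypothetical names; HMAC with a shared secret stands in
# for the authenticator's private-key signature so the example runs offline.
RP_ID = "login.example.com"                  # assumed legitimate relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.net"   # constructed look-alike proxy origin
AUTHENTICATOR_KEY = b"constructed-demo-key"


def otp_relay_succeeds(expected_code: str) -> bool:
    """An OTP is just a string: the proxy forwards what the victim typed, and the RP accepts it."""
    code_typed_on_proxy = expected_code
    return hmac.compare_digest(code_typed_on_proxy, expected_code)


def browser_sign(challenge: str, origin: str) -> tuple[str, bytes]:
    """The browser puts the page origin into clientDataJSON before the authenticator signs it.
    (A real browser would also refuse to use RP_ID at all from a non-matching origin.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    )
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return client_data, signature


def rp_verify(challenge: str, client_data: str, signature: bytes) -> bool:
    """Relying-party check: correct type and challenge, origin is ours, signature covers both."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False
    if data.get("origin") != RP_ORIGIN:
        return False  # assertion was produced on another site, e.g. an AiTM proxy page
    expected = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, expected, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, signature)


def webauthn_login(challenge: str, page_origin: str) -> bool:
    """Login where the victim's browser sits on page_origin and the RP challenge is relayed unchanged."""
    client_data, signature = browser_sign(challenge, page_origin)
    return rp_verify(challenge, client_data, signature)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_succeeds("123456"))
    print("WebAuthn on real origin accepted:  ", webauthn_login("c0ffee", RP_ORIGIN))
    print("WebAuthn via proxy origin accepted:", webauthn_login("c0ffee", PHISH_ORIGIN))
```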
## Microsoft Analysis and Additional OSINT Context
The actor group Microsoft tracks as [Storm-1575](https://security.microsoft.com/intel-profiles/a647864ed5679aef83782afd3e364c89d96df74b83512daf3ff8c2ba926ea632?tab=description&) is behind the development, support, and sale of a phishing-as-a-service (PhaaS) platform with [adversary-in-the-middle](https://security.microsoft.com/threatanalytics3/edd01a8c-283d-42f6-bdd4-0b7b4dbd369b/overview) (AiTM) capabilities. This platform, known as Dadsec, has been active since approximately May 5, 2023, and rapidly gained prominence among phishing actors. In July 2023, Dadsec-related phishing constituted the largest volume of phishing attacks tracked by Microsoft. Dadsec has an open registration process, an increasingly common mode of operation among phishing services that lets large numbers of actors easily use the service. Dadsec also provides ready-built phishing pages and domains for hosting those pages, allowing phishing actors to launch campaigns without developing the phishing websites themselves. These websites are designed to mimic legitimate web portals to harvest user credentials and authentication tokens.
## Recommendations
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO Tokens, or [Microsoft Authenticator](https://www. |
Notes |
★★
|
Sent |
Yes |
Tags |
Spam
Malware
Tool
Threat
Mobile
|