Analysis Summary

With the abrupt closure of the Rockstar2FA cybercrime business, a new Microsoft 365 phishing-as-a-service platform called "FlowerStorm" is rising in popularity.

Rockstar2FA functioned as a PhaaS platform that enabled extensive adversary-in-the-middle (AiTM) attacks against Microsoft 365 credentials, as researchers first reported in late November 2024. The service, which sold access to hackers for $200 every two weeks, included a user-friendly panel, a variety of phishing techniques, and sophisticated evasion mechanisms.

On November 11, 2024, Rockstar2FA experienced a partial infrastructure failure that rendered several of its pages inaccessible, according to the researchers. This seems to be a technical issue rather than the result of law enforcement taking action against the cybercrime site. FlowerStorm, which debuted online in June 2024, began to acquire popularity a few weeks later.

Operators probably changed their name to lessen exposure because researchers discovered that the new service, FlowerStorm PhaaS, had many of the same features as Rockstar2FA. Researchers found several parallels between FlowerStorm and Rockstar2FA, pointing to a possible operational overlap or common ancestry. Both platforms leverage backend servers housed on domains like .ru and .com to capture passwords and MFA tokens through phishing portals that imitate authentic login pages (like Microsoft). FlowerStorm standardized with next.php, whereas Rockstar2FA used randomized PHP scripts.

Their phishing pages have a very similar HTML layout, with Cloudflare "turnstile" security features, random text in comments, and prompts like "Initializing browser security protocols." Although FlowerStorm switched to botanical themes and Rockstar2FA employed automotive themes, the overall concept remained the same. Methods for harvesting credentials that use fields like email, pass, and session tracking tokens are very similar. Through their backend systems, both platforms enable MFA authentication and email validation.

Cloudflare services and .ru and .com domains are heavily used, and there is a strong overlap between domain registration and hosting habits. Through late 2024, their activity patterns displayed synchronized rises and troughs, suggesting possible coordination. Both platforms showed tremendous scalability and operational errors that revealed underlying systems. FlowerStorm quickly grew following Rockstar2FA's demise, indicating a shared infrastructure, whereas Rockstar2FA oversaw more than 2,000 sites.

Other than noting that the kits at least show a shared lineage because of their similar contents, researchers are unable to establish a high degree of confidence between Rockstar2FA and FlowerStorm. The comparable domain registration trends may indicate that FlowerStorm and Rockstar were coordinating, but it's also plausible that market forces overshadowed the platforms' own motivations.

For individuals and companies, FlowerStorm is just another tool that facilitates harmful phishing attacks that have the potential to escalate into full-scale cyberattacks, regardless of the reason for its unexpected rise. According to the telemetry, around 84% of FlowerStorm's target users and 63% of the firms it targets are headquartered in the US. Services (33%), manufacturing (21%), retail (12%), and financial services (8%), are the industries most targeted. Use email filtering software, multi-factor authentication (MFA) with AITM-resistant FIDO2 tokens, and DNS filtering to prevent access to dubious domains like .ru, .moscow, and .dev to defend against phishing attempts.

Impact

• Credential Theft
• Unauthorized Access
• Identity Theft

Indicators of Compromise

Domain Name

• 1022627789.businesslawyeroutlook.com
• 1064557304.brandlawdocs.com
• 1066591224.invoicingconstructionlaw.com
• 1109388872.appinvoices.com
• 1261808697x.constructionfederal.com
• 1270872185.lawfinancelabel.com
• 1585794595.courtdocumentsupport.com
• 1883931553.database-server.com
• 1901534293.federaldocapp.com
• 5334635671.microsoftlawgroup.com
• 1430988701.uscourtbusinesslaw.com
• 1569742347.federalpayrollsolutions.com

IP

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.