The Rockstar 2FA phishing kit enables hackers to bypass multifactor authentication and steal Microsoft 365 credentials through advanced adversary-in-the-middle attacks.
Published: Dec 03, 2024
Cybersecurity researchers have discovered a new phishing kit, dubbed Rockstar 2FA. The exploit toolkit enables hackers to steal Microsoft 365 credentials by bypassing multifactor authentication through sophisticated adversary-in-the-middle (AitM) attacks.
According to a new report published by Trustwave SpiderLabs, Rockstar 2FA is an updated version of the DadSec kit, which Microsoft attributes to the Storm-1575 hacking group. It’s available through a subscription model and marketed on various platforms such as ICQ, Telegram, and Mail.ru.
“This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable,” Trustwave researchers explained. “Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages.”
The Rockstar 2FA toolkit enables threat actors to bypass multifactor authentication (MFA) and harvest session cookies. It evades detection with FUD links, obfuscation, and QR codes. The toolkit lets attackers customize phishing themes and integrate their campaigns with Telegram bots.
The researchers observed that threat actors evade antispam filters by hosting phishing links on reputable platforms such as Atlassian Confluence, Google Docs Viewer, and Microsoft OneDrive. Once the toolkit redirects the victims, they encounter fake login portals that are designed to mimic legitimate websites. Credentials entered are sent to an AiTM server, allowing attackers to hijack accounts via session cookies.
Trustwave researchers recommend that organizations strengthen their email filtering and detection systems, educate employees on phishing and social engineering tactics, and use behavioral analytics to identify unusual account activity within their organizations.
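The behavioral-analytics recommendation above can be made concrete for the specific failure mode this kit exploits: after the victim completes MFA, the stolen session cookie is replayed from the attacker's infrastructure rather than the victim's network. The following is an added example, not code from the Trustwave report or from Microsoft; the log events and field names (ts, user, session_id, ip, asn, ua, event) are constructed for illustration and do not correspond to a real Microsoft 365 or Entra ID sign-in schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events; field names are assumed, not a real
# Microsoft 365 / Entra ID schema. In an AitM flow the victim completes MFA
# from their own network, and the stolen session cookie is then replayed
# from the attacker's infrastructure (different IP, ASN and client).
SAMPLE_EVENTS = [
    {"ts": "2024-12-03T09:00:00", "user": "alice@example.com", "session_id": "S-1001",
     "ip": "198.51.100.10", "asn": "AS64500", "ua": "Edge/131", "event": "login_mfa_ok"},
    {"ts": "2024-12-03T09:00:25", "user": "alice@example.com", "session_id": "S-1001",
     "ip": "203.0.113.77", "asn": "AS64511", "ua": "python-requests/2.32", "event": "token_use"},
    {"ts": "2024-12-03T09:05:00", "user": "bob@example.com", "session_id": "S-2002",
     "ip": "198.51.100.20", "asn": "AS64500", "ua": "Chrome/131", "event": "login_mfa_ok"},
    {"ts": "2024-12-03T09:40:00", "user": "bob@example.com", "session_id": "S-2002",
     "ip": "198.51.100.20", "asn": "AS64500", "ua": "Chrome/131", "event": "token_use"},
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Return one alert per session whose token is used from a different
    ASN than the network that completed MFA, within `window` of that login.
    A user-agent change is recorded as a second indicator when present."""
    by_session = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session.setdefault(ev["session_id"], []).append(ev)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["event"] == "login_mfa_ok"), None)
        if origin is None:
            continue  # no MFA login seen for this session; nothing to compare against
        t0 = datetime.fromisoformat(origin["ts"])
        for ev in evs:
            if ev["event"] != "token_use" or ev["asn"] == origin["asn"]:
                continue
            age = datetime.fromisoformat(ev["ts"]) - t0
            if not (timedelta(0) <= age <= window):
                continue
            reasons = ["asn_changed"]
            if ev["ua"] != origin["ua"]:
                reasons.append("ua_changed")
            alerts.append({"user": ev["user"], "session_id": sid,
                           "login_ip": origin["ip"], "replay_ip": ev["ip"],
                           "seconds_after_mfa": int(age.total_seconds()),
                           "reasons": reasons})
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(alert)
```

Only Alice's session is flagged: her token is used 25 seconds after MFA from a different ASN and a non-browser client, while Bob's later token use comes from the same network and client that signed in.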