Google and Microsoft users are being warned as new 2FA bypass attacks are reported

Update, December 25, 2024: This story, originally published on December 23, now includes details of another 2FA bypass threat, AuthQuake, which has been patched but serves as another warning about the dangers of treating two-factor authentication as a silver bullet for safety.

Security researchers have warned that the downfall of the Rockstar 2FA exploit service is not good news, far from it: here comes FlowerStorm, which may be the same threat in an evolved form. Here is what Google and Microsoft users need to know.


Rockstar 2FA takedown and rise of FlowerStorm 2FA bypass attacks—What Google and Microsoft users need to know

Regular readers will no doubt remember the warning about a two-factor authentication bypass exploit service called Rockstar 2FA; that warning came less than a month ago. “Based on telemetry collected by Sophos researchers,” the security outfit said, “it appears that the group running the service experienced at least a partial collapse of its infrastructure, with sites connected to the service inaccessible.” This, the researchers noted, apparently was not due to the actions of law enforcement, as is often the case. So you might think that the reports of the death of Rockstar 2FA were a good thing. I’m not so sure, and neither is Sophos.

So while it’s not bad news that some of Rockstar’s 2FA infrastructure has gone dark, such as the Telegram channels used for command and control, or pages that currently return an HTTP 522 response (a connection timeout error specific to Cloudflare), the fact that another threat has filled the void certainly is. This new threat comes by way of something called FlowerStorm, and there are strong signs that it may not be as new as it seems.


FlowerStorm 2FA Bypass Threat Explained

In a December 19 report, Sophos X-Ops principal threat researcher Sean Gallagher and Mark Parsons, a Sophos managed detection and response threat hunter, warned that “in the weeks following the Rockstar2FA outage, we observed an increase in the use of a similar set of PaaS portals that have been labeled by some researchers as ‘FlowerStorm’—the name comes from the use of plant-related terms in the titles of the HTML pages of many of the phishing sites themselves.” Interestingly, the FlowerStorm phishing-as-a-service platform shares a number of features with Rockstar, according to Sophos. The FlowerStorm 2FA exploit platform has been active since at least June 2024, according to Sophos, but has a “significant number of similarities to Rockstar2FA”, including the format of its phishing portal pages and the way it connects to its supporting server.

Mitigating the FlowerStorm 2FA Bypass Threat

Google and Microsoft users are advised to be alert for any signs of phishing, as this is how most 2FA bypass attacks begin, including this one. See what MetaCert’s Paul Walsh has to say about it here; in the meantime, a Google spokesperson said it has “numerous protections to combat such attacks, including passkeys, which significantly reduce the impact of phishing and other social engineering attacks”. Such security keys are known to be a stronger defense against “automated bots, bulk phishing attacks and targeted attacks than SMS, app-based one-time passwords and other forms of traditional two-factor authentication,” according to Google.


2FA systems based on shared secrets are inherently vulnerable, security experts warn

According to a recent analysis by researchers at Oasis Security, a critical vulnerability in Microsoft’s 2FA implementation could have enabled attackers to bypass this additional layer of authentication protection and gain unauthorized access to users’ Microsoft Office 365 accounts. Here’s what you need to know about the AuthQuake vulnerability.

AuthQuake relied on a disturbingly simple vulnerability, as is often the case with such things: there was a relatively easy way to overcome the 10-try failure rate limit on code entry, which was intended to stop an attacker from making many simultaneous 2FA code entry attempts. Given a 2FA code to guess, the AuthQuake vulnerability could have enabled an attacker to quickly work through the options and crack the code. As I reported at the time, Oasis researchers identified and successfully demonstrated the 2FA bypass, “which required no user interaction, generated no alerts, and could be executed in less than 70 minutes with a 50% success rate.”
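To make the defensive point concrete, here is an added example (not Microsoft's fix, whose details the article says remain confidential, and not code from Oasis) of a failure counter that is scoped to the account and serialised under one lock, so that concurrent submissions from many sessions share a single 10-try budget; it also computes the resulting upper bound on brute-force success, assuming six-digit codes and a constructed workload of parallel wrong guesses.

```python
import threading
from collections import Counter

CODE_SPACE = 10 ** 6   # assumption: six-digit one-time codes
MAX_FAILURES = 10      # the 10-try failure limit the article describes


class AccountScopedLimiter:
    """Failure counter keyed by the account and shared by every session, so
    concurrent submissions draw on one MAX_FAILURES budget, not one each."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._failures = {}
        self._lock = threading.Lock()   # serialises all checks for all accounts

    def verify(self, account, submitted, expected):
        """Return 'ok', 'wrong' or 'locked'; a locked account is never compared."""
        with self._lock:
            n = self._failures.get(account, 0)
            if n >= self.max_failures:
                return "locked"
            if submitted == expected:
                self._failures[account] = 0
                return "ok"
            self._failures[account] = n + 1
            return "wrong"


def guess_success_bound(attempts_evaluated, code_space=CODE_SPACE):
    """Upper bound on the chance that this many distinct guesses hit a uniformly
    chosen code; the article's 50% figure needs about half the space evaluated."""
    return min(attempts_evaluated, code_space) / code_space


def stress_limiter(limiter, account="alice", expected="123456",
                   sessions=50, guesses_per_session=20):
    """Constructed workload: `sessions` threads submit wrong codes concurrently.
    Returns a Counter of guesses evaluated ('wrong') versus refused ('locked')."""
    results, tally = Counter(), threading.Lock()

    def session(sid):
        for g in range(guesses_per_session):
            outcome = limiter.verify(account, f"{sid * 1000 + g:06d}", expected)
            with tally:
                results[outcome] += 1

    threads = [threading.Thread(target=session, args=(i,)) for i in range(sessions)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```

With 50 sessions each sending 20 guesses, only 10 are ever evaluated and the other 990 are refused, which bounds an attacker's chance at 10 in a million regardless of how many parallel sessions are opened.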

Oasis reported the bug to Microsoft and a fix was deployed on October 9, although the full details of that fix remain confidential. “We appreciate the partnership with Oasis Security in responsibly disclosing this matter. We have already released an update and no customer action is required,” a Microsoft spokesperson said.


AuthQuake exposed significant flaws in Microsoft’s 2FA implementation, according to Jason Soroko, a senior fellow at Sectigo, which provides certificate lifecycle management services. “Authentication systems based on shared secrets are inherently vulnerable,” said Soroko. “This discovery is a wake-up call. Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions. We should strive towards passwordless authentication solutions…”
