Security researchers have warned that the demise of the Rockstar 2FA exploit service isn’t all good news—far from it, as here comes FlowerStorm, which could be the same threat that’s evolved. What Google and Microsoft users need to know.
The Demise Of Rockstar 2FA And The Rise Of FlowerStorm 2FA Bypass Attacks—What Google And Microsoft Users Need To Know
Regular readers will no doubt recall the warning regarding a two-factor authentication bypass exploit attack service called Rockstar 2FA, not least as that warning came less than a month ago. “Based on telemetry gathered by Sophos researchers,” the security outfit said, “it appears that the group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable.” This, the researchers were quick to point out, was apparently not down to law enforcement takedown action, as is often the case. You might think, therefore, that reports of the death of Rockstar 2FA were a good thing. I’m not so sure, and nor is Sophos, it would seem.
So, while it is not bad news that some of the Rockstar 2FA infrastructure is down, such as the Telegram channels used for command and control, or the pages that currently return an HTTP 522 response (a Cloudflare-specific connection timed out error), the fact that another threat has filled the void most certainly is. That new threat comes by way of something called FlowerStorm, and there are some strong signs that it might not be as new as it seems.
The FlowerStorm 2FA Bypass Threat Explained
In a Dec. 19 report, the principal threat researcher at Sophos X-Ops, Sean Gallagher, and Mark Parsons, a threat hunter for Sophos Managed Detection and Response, warned that “in the weeks following the disruption of Rockstar2FA, we observed a surge in the use of a similar set of PaaS portals that have been tagged by some researchers as ‘FlowerStorm’—the name coming from the use of plant-related terms in the HTML page titles of many of the phishing pages themselves.” Interestingly, the FlowerStorm phishing-as-a-service platform has been active since at least June 2024, according to Sophos, yet has a “significant number of similarities to Rockstar2FA,” including the format of its phishing portal pages and the way those pages connect to the backend server that relays stolen credentials and session data.
Mitigating The FlowerStorm 2FA Bypass Threat
Google and Microsoft users are advised to be alert for any signs of phishing, as this is how most 2FA bypass attacks, including this one, begin: the victim is lured to a lookalike login page that relays credentials and one-time codes to the real service in real time. See what Paul Walsh of MetaCert has to say about that here, but meanwhile a Google spokesperson said there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks.” Such phishing-resistant credentials, passkeys and hardware security keys alike, are known to be a stronger protection against “automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” according to Google.
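To make concrete why a relay-style phishing kit of the kind described above can pass a one-time code through to the real site while a passkey stops it, here is an added worked example. It is not code from Sophos, Google, or the kits themselves; the origins, the TOTP seed and the challenge are constructed, and the passkey signature is modelled with an HMAC (a real authenticator uses a per-credential private key) so that it runs with the Python standard library alone.

```python
"""Toy model of an adversary-in-the-middle (AitM) phishing proxy against
TOTP and against a passkey (WebAuthn-style) assertion.  Stdlib only."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# Constructed origins for the demonstration (assumptions, not from the report).
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil-phish.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1).  The code depends only on the shared secret
    and the time window, not on where it is typed, which is why it relays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpRelyingParty:
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))


class AitMProxy:
    """The phishing page: a reverse proxy that forwards whatever the victim
    submits to the real site and keeps the resulting session for itself."""
    def __init__(self, rp: TotpRelyingParty):
        self.rp = rp

    def relay_totp(self, code: str, unix_time: int) -> bool:
        return self.rp.verify(code, unix_time)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Passkey stand-in.  HMAC replaces the asymmetric signature (assumption
    for runnability); what matters here is which fields get signed."""
    def __init__(self):
        self.cred_key = secrets.token_bytes(32)

    def get_assertion(self, page_origin: str, challenge: str):
        # The browser, not the page, records the origin it actually loaded and
        # derives the RP ID from it, so a lookalike domain cannot lie here.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        ).encode()
        auth_data = rp_id_hash(urlparse(page_origin).hostname)
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


class WebAuthnRelyingParty:
    def __init__(self, origin: str, cred_key: bytes):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.cred_key = cred_key

    def verify(self, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:           # origin binding defeats the relay
            return False
        if auth_data[:32] != rp_id_hash(self.rp_id):  # RP ID binding
            return False
        expected = hmac.new(self.cred_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def demo(unix_time: int = 1_700_000_000):
    """Returns (totp_relayed_ok, passkey_legit_ok, passkey_relayed_ok)."""
    secret = b"12345678901234567890"       # constructed seed (the RFC 6238 test secret)
    victim_code = totp(secret, unix_time)  # victim reads this from their app, types it into the phish
    totp_relayed = AitMProxy(TotpRelyingParty(secret)).relay_totp(victim_code, unix_time)

    auth = Authenticator()
    passkey_rp = WebAuthnRelyingParty(REAL_ORIGIN, auth.cred_key)
    challenge = secrets.token_urlsafe(16)  # issued by the real site, passed through by the proxy
    legit = passkey_rp.verify(challenge, *auth.get_assertion(REAL_ORIGIN, challenge))
    # Victim's browser is on the lookalike origin.  A real browser would refuse
    # outright (no credential is scoped to that RP ID); even if it signed, the
    # assertion carries the wrong origin and RP ID hash and is rejected.
    relayed = passkey_rp.verify(challenge, *auth.get_assertion(PHISH_ORIGIN, challenge))
    return totp_relayed, legit, relayed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True, False)`: the relayed TOTP code is accepted because nothing in it says where it was entered, whereas the passkey assertion made on the phishing origin fails the origin and RP ID checks even though the proxy forwarded the real site's challenge unchanged. That origin binding, performed by the browser rather than by the user, is the property the Google statement above is relying on.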