Thursday, December 26, 2024

Google And Microsoft Users Warned As New 2FA Bypass Attacks Reported


Update, Dec. 25, 2024: This story, originally published Dec. 23, now includes details of another 2FA bypass threat, AuthQuake, which has been fixed but serves as another warning of the dangers of treating two-factor authentication as a security silver bullet.

Security researchers have warned that the demise of the Rockstar 2FA exploit service isn’t all good news—far from it, as here comes FlowerStorm, which could be the same threat that’s evolved. What Google and Microsoft users need to know.


The Demise Of Rockstar 2FA And The Rise Of FlowerStorm 2FA Bypass Attacks—What Google And Microsoft Users Need To Know

Regular readers will no doubt recall the warning regarding a two-factor authentication bypass exploit attack service called Rockstar 2FA, not least as that warning came less than a month ago. “Based on telemetry gathered by Sophos researchers,” the security outfit said, “it appears that the group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable.” This, the researchers were quick to point out, was not apparently down to law enforcement takedown action, as is often the case. You might think, therefore, that reports of the death of Rockstar 2FA were a good thing. I’m not so sure, and nor is Sophos it would seem.

So, while it’s not bad news that some of the Rockstar 2FA infrastructure is no longer reachable, such as the Telegram channels used for command and control, or the pages that currently return an HTTP 522 response (a connection timed out error specific to Cloudflare), the fact that another threat has filled the void most certainly is. That new threat comes by way of something called FlowerStorm, and there are some strong signs that it might not be as new as it seems.


The FlowerStorm 2FA Bypass Threat Explained

In a Dec. 19 report, Sean Gallagher, principal threat researcher at Sophos X-Ops, and Mark Parsons, a threat hunter for Sophos Managed Detection and Response, warned that “in the weeks following the disruption of Rockstar2FA, we observed a surge in the use of a similar set of PaaS portals that have been tagged by some researchers as ‘FlowerStorm’—the name coming from the use of plant-related terms in the HTML page titles of many of the phishing pages themselves.” Interestingly, the FlowerStorm phishing-as-a-service platform shares a number of features with Rockstar, according to Sophos. It has been active since at least June 2024 but has a “significant number of similarities to Rockstar2FA,” including the format of its phishing portal pages and the way those pages connect to the backend server.

Mitigating The FlowerStorm 2FA Bypass Threat

Google and Microsoft users are advised to be alert for any signs of phishing, as this is how most 2FA bypass attacks, including this one, begin. See what Paul Walsh of MetaCert has to say about that here, but meanwhile a Google spokesperson said there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks.” Such keys are known to be a stronger protection against “automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” according to Google.


2FA Systems Based On Shared Secrets Are Inherently Vulnerable, Security Experts Warn

According to a recent analysis from researchers at Oasis Security, a critical vulnerability in Microsoft’s 2FA implementation could have enabled attackers to bypass this additional layer of authentication and gain unauthorized access to users’ Microsoft Office 365 accounts. Here’s what you need to know about the AuthQuake vulnerability.

AuthQuake relied upon one worryingly simple vulnerability, as is often the case with such things: there was a relatively easy way to get around the 10-attempt failure limit meant to prevent an attacker from executing multiple, simultaneous 2FA code entry attempts. Given a six-digit 2FA code, the AuthQuake vulnerability could have enabled an attacker to quickly work through the options and crack the code. As I reported at the time, the Oasis researchers both identified and successfully demonstrated the 2FA bypass, “which required no user interaction, generated no alerts and could be executed in under 70 minutes with a 50% success rate.”
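One way a service can enforce the kind of attempt limit that AuthQuake got around, as an added illustration that is not code from Oasis, Microsoft or this article. The 10-attempt figure comes from the article; keying the failure counter by account rather than by login session, and the 15-minute lockout, are assumptions made for this example.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed policy values, not Microsoft's: 10 failed attempts per account
# (the figure the article cites), then a lockout window (assumed length).
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Verifies one-time codes with the failure counter keyed by account,
    not by login session, so parallel sessions cannot each get their own
    budget of guesses (the gap the article describes)."""

    def __init__(self, expected_codes, clock=time.monotonic):
        # expected_codes: account -> currently valid 6-digit code. This is a
        # constructed stand-in for a real TOTP/SMS backend (assumption).
        self._codes = expected_codes
        self._state = {}
        self._clock = clock

    def verify(self, account: str, session_id: str, code: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. session_id is deliberately not
        used for the counter; it is here only to show that which session
        submits the guess makes no difference."""
        st = self._state.setdefault(account, AccountState())
        now = self._clock()
        if now < st.locked_until:
            return "locked"          # even a correct code is refused while locked
        expected = self._codes.get(account, "")
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), expected.encode()):
            st.failed = 0
            return "ok"
        st.failed += 1
        if st.failed >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed = 0
        return "wrong"
```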

Oasis reported the flaw to Microsoft, and a fix was deployed on Oct. 9, although the full details of that fix remain confidential. “We appreciate the partnership with Oasis security in responsibly disclosing this issue. We have already released an update, and no customer action is required,” a Microsoft spokesperson said.


AuthQuake exposed significant flaws in Microsoft’s 2FA implementation, according to Jason Soroko, a senior fellow at Sectigo, which provides certificate lifecycle management services. “Authentication systems based on shared secrets are inherently vulnerable,” Soroko said. “This discovery is a wake-up call. Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions. We must strive toward passwordless authentication solutions…”
