Emerging Threat: Rockstar 2FA Phishing Service Targets Microsoft 365 Credentials
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include active exploitation of the “Rockstar 2FA” phishing-as-a-service platform to bypass MFA via AiTM attacks, compromising Microsoft 365 accounts through session cookie hijacking, and the discovery of a zero-day vulnerability in Windows allowing NTLM credential theft when users view malicious files in Explorer. Threat actors are also exploiting the CVE-2024-11667 flaw in Zyxel firewalls for ransomware deployment, while phishing campaigns leveraging Microsoft Word’s file recovery feature distribute corrupted documents to harvest credentials via QR codes. Meanwhile, phishing tactics have grown more sophisticated, targeting users with highly credible themes like employee benefits to lure victims into credential theft. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Emerging Threat: Rockstar 2FA Phishing Service Targets Microsoft 365 Credentials
The ‘Rockstar 2FA’ phishing-as-a-service (PhaaS) platform is a sophisticated tool enabling adversary-in-the-middle (AiTM) attacks to bypass multifactor authentication (MFA) and steal credentials, with a focus on Microsoft 365 accounts. It mimics legitimate login pages, intercepts session cookies, and gives attackers direct account access. A subscription-based platform, it supports cybercriminals of all skill levels with automated phishing tools, branded login page themes, and evasion techniques such as randomized code and Cloudflare Turnstile CAPTCHA. It leverages diverse vectors such as email campaigns, QR codes, and legitimate hosting platforms (e.g., Google Docs) to enhance credibility. Cybersecurity researchers highlight its session hijacking tactics, anti-bot measures, and real-time admin tracking tools. Recommendations include conditional access policies, anomalous cookie detection, phishing awareness programs, and advanced email and web filtering. Organizations are advised to revoke suspicious session cookies promptly and monitor for unusual login patterns to mitigate the risks associated with such advanced threats.
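The anomalous cookie detection recommended above comes down to comparing where a session token is presented against where its MFA challenge was completed: an AiTM relay captures the cookie on one network and replays it from another. The detection logic below is an added example, not from the advisory or the Rockstar 2FA research; the event schema and sample sign-in events are constructed and do not reflect Microsoft 365's real log format.

```python
"""Flag session cookies reused from a network or browser other than the one
that completed MFA. Event field names and samples are constructed."""
from datetime import datetime

# Constructed sample sign-in events (assumed schema, not a real log format).
SAMPLE_EVENTS = [
    {"ts": "2024-12-02T08:00:00", "user": "alice@example.com", "session": "S1",
     "event": "mfa_success", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Edge/131"},
    {"ts": "2024-12-02T08:05:00", "user": "alice@example.com", "session": "S1",
     "event": "token_use", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Edge/131"},
    # Same cookie presented minutes later from another network and browser:
    # the pattern a relayed (hijacked) session produces.
    {"ts": "2024-12-02T08:09:00", "user": "alice@example.com", "session": "S1",
     "event": "token_use", "ip": "198.51.100.77", "asn": "AS64500", "ua": "Chrome/130"},
    {"ts": "2024-12-02T09:00:00", "user": "bob@example.com", "session": "S2",
     "event": "mfa_success", "ip": "192.0.2.5", "asn": "AS64497", "ua": "Firefox/132"},
    {"ts": "2024-12-02T09:30:00", "user": "bob@example.com", "session": "S2",
     "event": "token_use", "ip": "192.0.2.5", "asn": "AS64497", "ua": "Firefox/132"},
]


def find_replayed_sessions(events):
    """Return one alert per token use whose ASN or user agent differs from the
    values recorded when that session passed MFA. A bare IP change is not used
    as a trigger on its own: mobile and corporate egress IPs rotate often."""
    origin = {}  # session id -> (asn, ua, ip, ts) captured at MFA time
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["event"] == "mfa_success":
            origin[sid] = (e["asn"], e["ua"], e["ip"], e["ts"])
            continue
        if sid not in origin:
            continue  # no MFA event seen for this session in the window
        asn, ua, ip, since = origin[sid]
        reasons = []
        if e["asn"] != asn:
            reasons.append(f"asn {asn}->{e['asn']}")
        if e["ua"] != ua:
            reasons.append(f"ua {ua}->{e['ua']}")
        if reasons:
            delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(since)
            alerts.append({"user": e["user"], "session": sid, "ip": e["ip"],
                           "mfa_ip": ip, "minutes_after_mfa": delta.total_seconds() / 60,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"revoke session {a['session']} for {a['user']}: {', '.join(a['reasons'])}")
```

An alert here is the cue to revoke the session and force re-authentication, as the advisory recommends.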
2. CVE-2014-2120: Active Attacks Target Decade-Old Cisco ASA WebVPN Vulnerability
Cisco has issued a warning about active exploitation of a decade-old cross-site scripting (XSS) vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA) WebVPN. Threat actors, including the AndroxGh0st group, are using the flaw to deliver malware and integrate with the Mozi botnet. The vulnerability, rated 4.3 on the CVSS scale, stems from insufficient input validation in the WebVPN login page, allowing attackers to execute XSS attacks via malicious links. Exploitation has led to its inclusion in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, urging immediate remediation. Affected versions include Cisco ASA up to 8.4.7/9.1.4. Mitigation measures include upgrading to patched versions, implementing secure input validation, blocking malicious links through URL filtering, and monitoring ASA logs for suspicious activity. Organizations are also advised to educate users about phishing risks and review firewall configurations to minimize exposure.
3. Zero-Day Vulnerability in Windows Allows NTLM Credential Theft via File Explorer
A newly discovered zero-day vulnerability in Windows allows attackers to steal NTLM credentials when a victim merely views a malicious file in Windows Explorer, without opening it. Identified by cybersecurity researchers, the flaw affects Windows 7 through Windows 11 24H2 and Server 2022, with no official patch from Microsoft yet. The vulnerability forces an outbound NTLM connection to a remote share, automatically transmitting the user’s NTLM hashes, which attackers can exploit to extract login credentials. To mitigate risks, researchers have released a free temporary micropatch, installable without a system reboot. Alternatively, users can disable NTLM authentication via Group Policy or registry modifications. Impacted versions include Windows 7, 8.1, 10, and 11, as well as various Server editions. Users should apply available mitigations and monitor updates for an official patch to address this serious vulnerability.
4. CVE-2024-11667: Critical Flaw in Zyxel Firewalls Exploited by Helldown Ransomware
Zyxel firewalls are actively targeted via CVE-2024-11667, a directory traversal vulnerability rated 7.5 on the CVSS scale, allowing attackers to access sensitive files through the web management interface. Exploited by the Helldown ransomware group, this flaw provides initial network access, enabling ransomware deployment, data exfiltration, and configuration modifications. Helldown, known for double extortion tactics and multi-platform ransomware, uses advanced tools derived from LockBit 3 to target Windows and Linux systems. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring remediation by December 24, 2024. Affected devices include ATP, USG FLEX, and USG20(W)-VPN series running firmware versions up to 5.38. Firmware version 5.39, released on September 3, 2024, addresses the issue. Organizations are advised to update firmware, restrict remote access, monitor logs, enforce strong passwords, secure backups, and educate staff on ransomware risks to mitigate potential impacts.
5. Microsoft Word File Recovery Feature Exploited with Corrupted Documents
A phishing campaign exploits Microsoft Word’s file recovery feature by distributing corrupted Word documents as email attachments, often disguised as employee benefit announcements. These files bypass antivirus detection due to their damaged state but can be recovered by Word’s file recovery tool. Upon opening, users are prompted to scan a QR code that redirects to a phishing site mimicking Microsoft’s login portal, aiming to steal credentials. The campaign uses themes like “Annual Benefits & Bonus” and incorporates targeted company logos for credibility. The corrupted files contain no malicious code, relying solely on the phishing QR code tactic, which evades traditional security software. Recommendations include avoiding unverified email attachments, educating employees on phishing tactics, enabling advanced threat detection in email security tools, applying multi-factor authentication (MFA) for Microsoft accounts, and conducting phishing simulation exercises to bolster awareness and resilience against such unconventional attacks.
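Because the tactic above depends on Word repairing a broken container, a mail-gateway check can treat a .docx attachment that is not a valid OOXML zip package as suspicious rather than clean. The triage below is an added example, not code from the advisory; the sample attachments are constructed in memory (a content-free docx, a truncated copy, and a copy whose body bytes were altered).

```python
"""Classify .docx attachments whose zip container is truncated or fails
integrity checks. Sample files are constructed; nothing here is a real document."""
import io
import zipfile

REQUIRED_PARTS = {"[Content_Types].xml", "word/document.xml"}


def build_minimal_docx() -> bytes:
    """Constructed, content-free docx: a zip holding the parts Word expects.
    Stored uncompressed so a byte change below breaks a CRC, not a deflate stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Return 'ok', 'not_zip' (no end-of-central-directory record, e.g. a
    truncated file) or 'damaged' (container readable but a member fails its
    CRC or a required part is missing)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not_zip", "detail": "no zip end-of-central-directory record"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            bad = z.testzip()  # first member whose data fails its CRC, else None
    except zipfile.BadZipFile as exc:
        return {"verdict": "damaged", "detail": str(exc)}
    missing = sorted(REQUIRED_PARTS - names)
    if bad or missing:
        return {"verdict": "damaged", "detail": f"bad_member={bad} missing={missing}"}
    return {"verdict": "ok", "detail": ""}


def demo_samples() -> dict:
    """Run the triage over three constructed attachments."""
    good = build_minimal_docx()
    truncated = good[:-40]  # tail cut off, so the end-of-central-directory record is gone
    crc_broken = good.replace(b"<w:document/>", b"<w:docXment/>")  # body altered, CRC stale
    return {name: triage_docx(blob)["verdict"]
            for name, blob in (("good", good), ("truncated", truncated),
                               ("crc_broken", crc_broken))}


if __name__ == "__main__":
    for name, verdict in demo_samples().items():
        print(f"{name}: {verdict}")
```

A 'not_zip' or 'damaged' verdict on a .docx attachment is a reason to quarantine it for review, since a legitimately authored document would normally be a well-formed package.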
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.