Key points:
- Analysis of FlowerStorm, a phishing-as-a-service platform, reveals that 19 of its identified command and control domains were registered in Indonesia, indicating a direct connection to the country’s infrastructure.
- FlowerStorm emerged following the disruption of Rockstar2FA, suggesting a trend of threat actors adopting existing infrastructure for new phishing campaigns.
- Researchers identified 190 initial Indicators of Compromise (IoCs) for FlowerStorm, including domains and IP addresses, which were further expanded through DNS analysis.
- The expanded investigation uncovered hundreds of additional domains and IP addresses potentially linked to FlowerStorm’s operations through email and DNS connections.
- The majority of the initially identified domains were registered via Hostinger Operations and PDR, with a significant portion hosted in the U.S. and Malaysia, alongside Indonesia.
What the Indonesian Government and Related Institutions Should Do:
- Collaborate with domain registrars like CV Rumahweb Indonesia to investigate and potentially suspend the identified FlowerStorm-related domains registered within the country.
- Enhance monitoring of internet traffic and domain registrations originating from Indonesia to detect and disrupt phishing-as-a-service infrastructure like FlowerStorm.
What Indonesian Citizens Should Know and Do:
- Be increasingly vigilant about phishing attempts, especially those mimicking login pages or services previously associated with two-factor authentication platforms like Rockstar2FA.
- Organizations should review their domain registration records to identify any unexpected or suspicious domains registered under their name, as these could be exploited by PhaaS operations.
Read more: https://circleid.com/posts/dns-spotlight-rockstar2fa-shuts-down-flowerstorm-starts-up