|
Bleeping Computer recently reported that a phishing-as-a-service (PhaaS) available in cybercriminal forums dubbed “Typhoon 2FA” has the ability to compromise Microsoft 365 and Google accounts even if users have two-factor authentication (2FA) enabled.
Sekoia security analysts uncovered the phishing kit back in October 2023 though they believe it has been active since at least August of that same year. Over time, they have been updating their Typhoon 2FA list of indicators of compromise (IoCs), which to date comprises 55 domains and 48 subdomains.
In a bid to know more about Typhoon 2FA, the WhoisXML API research team expanded the current list of IoCs and found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
As our usual first step, we subjected the 55 domains identified as IoCs (48 of which were extracted from the subdomain IoCs) to a bulk WHOIS lookup, which revealed that:
A majority of the domains categorized as IoCs, 29 to be exact, were registered in the U.S. Seven domains identified as IoCs were registered in Pakistan and one each in Nigeria and the U.K. The registrant countries of two domains tagged as IoCs were redacted. Finally, 15 domains classified as IoCs did not have current registrant country data.
To further investigate possible ties other digital properties may have to Typhoon 2FA, we expanded the current list of IoCs.
First, we looked for domains that shared some of the domain IoCs’ registrant information using Reverse WHOIS Search and uncovered:
We then queried the 55 domains classified as IoCs on WHOIS History API and found 42 email addresses in their historical WHOIS records, 14 of which were public email addresses.
Next, we used the 14 public email addresses as Reverse WHOIS API search terms that led to the discovery of 262 email-connected domains after filtering out duplicates, the IoCs, and the registrant-connected (by email address, name, and organization) domains. A huge chunk of them seem to have been created using domain generation algorithms (DGAs) similar to the IoCs.
After that, we performed DNS lookups on the 55 domains categorized as IoCs that revealed they resolved to 21 unique IP addresses after removing duplicates.
A bulk IP geolocation lookup for the 21 IP addresses showed they were all geolocated in the U.S. A majority of them, 20 to be exact, were administered by Cloudflare, Inc., while one was furnished by Amazon.com, Inc.
Our Threat Intelligence API queries for the 21 IP addresses found that all were associated with various threats. In particular:
Reverse IP/DNS lookups for the 21 IP addresses revealed they were all shared hosts so we could not use any of them to find IP-connected domains.
So, we then trooped to Domains & Subdomains Discovery to uncover string-connected domains and subdomains resembling the IoCs.
Interestingly, some of the subdomains contained misspelled variants of popular brands like amazon (explore[.]amazonpi[.]betamazon[.]instructure[.]com), netflix (explore[.]amcway[.]ciostage[.]netfliz[.]ca), apple (explore[.]apjle[.]beta[.]instructure[.]com), gmail (horizon[.]mpk[.]grail[.]com), and salesforce (rlpq[.]j[.]scaleforce[.]net), which could be weaponized should threat actors discover they have been left dangling and insufficiently secured.
Our in-depth investigation of the Typhoon 2FA DNS infrastructure through an IoC list expansion analysis enabled us to uncover 4,041 potentially connected artifacts comprising 288 registrant email address-connected domains, 110 registrant organization-connected domains, 262 email-connected domains, 21 IP addresses, 137 string-connected domains, and 3,223 string-connected subdomains. It is also worth noting that all the 21 IP addresses the threat actors used were associated with various threats, specifically, C&C, malware, phishing, attacks, and generic threats.
If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign