Apr 13, 2026 • Sponsored by Varonis
The silent “Storm”: New infostealer hijacks sessions, decrypts server-side
Executive Summary
Varonis researchers have identified a new infostealer malware dubbed 'Storm' that represents a significant evolution in credential theft techniques. Unlike traditional infostealers that perform local decryption of stolen browser data, Storm leverages server-side decryption capabilities, sending encrypted browser data directly to attacker-controlled servers. This approach enables the malware to bypass both password-based authentication and multi-factor authentication (MFA) protections by capturing active session tokens. The technique allows attackers to hijack legitimate user sessions without needing to crack credentials locally. Organizations should implement behavioral analytics to detect anomalous session activity, enforce strict session timeout policies, and monitor for unauthorized session token usage across network resources. Browser-based session protections and endpoint detection solutions should be reviewed for effectiveness against this novel attack vector.
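One way to approach the session-token monitoring recommended above, shown as an added example that is not taken from the Varonis report or from any vendor product. The log format, field order, fingerprint choice (ASN plus user agent) and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed format, one authenticated request per line):
# timestamp user session_id source_ip asn user_agent
SAMPLE_LOG = """\
2026-04-13T09:00:02Z alice sess-a1 198.51.100.10 AS64500 Chrome-Windows
2026-04-13T09:05:40Z alice sess-a1 198.51.100.10 AS64500 Chrome-Windows
2026-04-13T09:06:10Z bob sess-b7 203.0.113.5 AS64501 Firefox-macOS
2026-04-13T09:20:00Z bob sess-b7 203.0.113.77 AS64501 Firefox-macOS
2026-04-13T09:31:15Z alice sess-a1 192.0.2.200 AS64510 Chrome-Linux
2026-04-13T09:32:00Z alice sess-a1 198.51.100.10 AS64500 Chrome-Windows
"""

def parse(line):
    ts, user, sid, ip, asn, ua = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip, asn, ua

def find_token_reuse(log_text, window=timedelta(minutes=30)):
    """Flag session tokens presented by a client that differs from the one
    the session was first seen on, and overlapping use by both clients."""
    baseline = {}  # session id -> (asn, user agent) at first sighting
    foreign = {}   # session id -> last time a non-baseline client used it
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, asn, ua = parse(line)
        if sid not in baseline:
            baseline[sid] = (asn, ua)
            continue
        base_asn, base_ua = baseline[sid]
        reasons = []
        if asn != base_asn:
            reasons.append("new_asn")
        if ua != base_ua:
            reasons.append("new_user_agent")
        if reasons:
            # An IP change inside the same ASN is tolerated (roaming, DHCP);
            # a new network or platform on a live token is not.
            foreign[sid] = ts
            alerts.append((sid, user, ip, tuple(reasons)))
        elif sid in foreign and ts - foreign[sid] <= window:
            # Baseline client still active right after a foreign one:
            # two parties hold the same token.
            alerts.append((sid, user, ip, ("concurrent_use",)))
    return alerts

if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_LOG):
        print(alert)
```

An alert here is a trigger for revoking the session and forcing re-authentication, since a replayed token has already passed password and MFA checks.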
Summary
New "Storm" infostealer skips local decryption, sending browser data to attacker servers. Varonis shows how server-side decryption enables session hijacking, bypassing passwords and MFA. [...]
Linked Entities
- Storm