New ‘Storm’ Infostealer Targets Browser Data with Server-Side Decryption to Hijack Sessions

A newly identified infostealer named 'Storm' is distinguished by skipping local decryption of the browser data it steals: it transmits the still-encrypted browser stores to attacker-operated servers, where decryption takes place. According to cybersecurity firm Varonis, this lets the operators recover and replay valid session tokens, so a hijacked session requires neither the victim's password nor a fresh multifactor authentication prompt.
What happened
Cybersecurity researchers at Varonis have uncovered a new infostealer, 'Storm', that targets browser-stored information. Conventional infostealers decrypt saved credentials and cookies on the victim's machine before exfiltrating them. Storm instead sends the encrypted browser data directly to its command-and-control servers, and the attackers perform the decryption there. The recovered session tokens and other secrets held by the browser are then available to the attackers.
Why it matters
Moving decryption off the endpoint is a deviation from typical infostealer tactics and makes detection and defense harder: the local decryption step and the plaintext credential files that some endpoint detections key on never appear on the victim host. Because a session cookie is the proof of a login that has already completed, replaying it from the attacker's machine triggers neither a password check nor a multifactor prompt, so MFA alone does not contain the damage. The technique reflects a broader shift in attacker strategy from stealing credentials to stealing authenticated sessions.
What security teams should do
Security teams should increase monitoring for unusual outbound network traffic that may indicate exfiltration of browser data to attacker-controlled servers. On the application side, shorten absolute and idle session lifetimes, bind sessions to the client that authenticated and revoke them when the binding breaks, and require re-authentication for sensitive actions so that a replayed cookie alone cannot complete them. Note that cookie attributes such as HttpOnly and Secure only restrict script and transport access; they do not protect the on-disk cookie store that an infostealer reads directly, so the effective levers against stolen tokens are short lifetimes and server-side invalidation. Endpoint protection capable of flagging processes that access browser profile databases is also advisable.
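The session-side controls above, as an added example that is not part of the Varonis disclosure or of the Storm malware: a small session-binding and lifetime check run over constructed login and request log lines. It records the source IP and user agent at the moment of a successful MFA login, flags later requests that present the same session cookie from a different client (the replay pattern a stolen cookie produces), enforces absolute and idle lifetimes, and revokes a session the first time it trips any check. The log format, field names and the policy values ABSOLUTE_LIFETIME and IDLE_TIMEOUT are assumptions for the example.

```python
"""
Added example, not the page's or Varonis's code: detect replay of a
stolen session cookie and enforce session lifetimes over constructed
log lines.  Fields, event names and policy values are hypothetical.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data).  Per session the rows are in
# time order: a successful MFA login, then requests carrying that cookie.
# Session s1 is replayed from a different IP and browser; s2 is reused
# long after its absolute lifetime has run out.
SAMPLE_LOG = """\
ts,event,session,ip,ua,user
2024-05-01T09:00:00Z,login_mfa_ok,s1,203.0.113.10,Chrome/124 Windows,alice
2024-05-01T09:05:00Z,request,s1,203.0.113.10,Chrome/124 Windows,alice
2024-05-01T09:20:00Z,request,s1,198.51.100.7,Chrome/118 Linux,alice
2024-05-01T09:25:00Z,request,s1,198.51.100.7,Chrome/118 Linux,alice
2024-05-01T09:10:00Z,login_mfa_ok,s2,192.0.2.44,Safari/17 macOS,bob
2024-05-02T10:00:00Z,request,s2,192.0.2.44,Safari/17 macOS,bob
"""

# Hypothetical policy values; tune to the application.
ABSOLUTE_LIFETIME = timedelta(hours=12)   # cookie is dead after this, active or not
IDLE_TIMEOUT = timedelta(hours=2)         # cookie is dead after this much silence


@dataclass
class Binding:
    """What the server remembers about a session at login time."""
    user: str
    ip: str
    ua: str
    issued: datetime
    last_seen: datetime


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(log_text: str):
    """Replay the log; return (alerts, revoked_session_ids).

    alerts is a list of (session_id, comma-joined reasons).  A session is
    revoked on its first anomaly so any later use of the cookie is rejected
    outright, which is the server-side invalidation the text recommends.
    """
    bindings: dict[str, Binding] = {}
    alerts: list[tuple[str, str]] = []
    revoked: set[str] = set()

    for row in csv.DictReader(io.StringIO(log_text)):
        ts = parse_ts(row["ts"])
        sid = row["session"]

        if row["event"] == "login_mfa_ok":
            # Bind the fresh session to the client that passed MFA.
            bindings[sid] = Binding(row["user"], row["ip"], row["ua"], ts, ts)
            continue

        bound = bindings.get(sid)
        if bound is None or sid in revoked:
            alerts.append((sid, "unknown_or_revoked_session"))
            continue

        reasons = []
        if ts - bound.issued > ABSOLUTE_LIFETIME:
            reasons.append("absolute_lifetime_exceeded")
        if ts - bound.last_seen > IDLE_TIMEOUT:
            reasons.append("idle_timeout_exceeded")
        if row["ip"] != bound.ip:
            reasons.append("ip_changed")
        if row["ua"] != bound.ua:
            reasons.append("user_agent_changed")

        if reasons:
            alerts.append((sid, ",".join(reasons)))
            revoked.add(sid)        # invalidate; the next use is rejected
        else:
            bound.last_seen = ts    # legitimate activity extends the idle window

    return alerts, revoked


if __name__ == "__main__":
    found, dead = evaluate(SAMPLE_LOG)
    for sid, why in found:
        print(f"ALERT session={sid} reason={why}")
    print("revoked:", sorted(dead))
```

The user-agent check is the weakest of the four: a stealer that copies the victim's UA string along with the cookie defeats it, which is why the example never relies on it alone and revokes on IP change as well. IP binding is the stronger signal but will be noisy for users on mobile or carrier-grade NAT networks, so in production it is usually paired with a step-up re-authentication rather than a hard block. The absolute lifetime is the control that does not depend on noticing anything: it bounds how long a cookie stolen today stays valid regardless of where it is replayed from.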
Key technical details
The 'Storm' infostealer targets browser data, capturing the stored encrypted credentials and session data. Instead of decrypting that data on the host, it ships the encrypted blobs to attacker servers, where decryption takes place and valid session tokens are extracted for replay. Because the attackers reuse an already authenticated session state rather than guessing or phishing credentials, the stored password and any multifactor step are never exercised. Browser credential and cookie stores are encrypted under keys tied to the local user profile or OS key store, so decrypting them off-host implies that the required key material leaves the machine along with the data; the disclosure does not detail how Storm arranges this.
Affected organizations/products
The infostealer targets browser-stored data, so any user or organization whose applications rely on browser-held credentials and session cookies is potentially exposed. The disclosure does not name specific affected organizations or browsers.