A new generation of credential-theft malware is undermining defenses that many organizations treat as their strongest. Dubbed 'Storm' by researchers, this infostealer specializes in session cookie hijacking: rather than attacking the login, it steals the browser tokens a site issues after a successful login, so passwords and multi-factor authentication (MFA) never come into play. The emergence of this malware-as-a-service, available for a monthly subscription, coupled with state-sponsored attacks on network infrastructure, signals a critical escalation in the threat to digital identities.
The Mechanics of 'Session Hijacking 2.0'
Traditional credential theft focuses on usernames and passwords, which MFA mitigates because a password alone no longer completes a login. Storm represents a dangerous evolution. Once installed on a victim's device, often via phishing or malicious downloads, it does not log keystrokes. Instead, it silently exfiltrates active session cookies from web browsers. These cookies are small pieces of data a website sets after login so that the browser can prove the user's authenticated state on every later request. Browsers encrypt the cookie store at rest, but malware running under the victim's own user account can generally call the same operating-system key protection the browser uses to unwrap it, so on-disk encryption is not a barrier to a stealer already on the machine. With the cookies in hand, an attacker attaches them to requests from their own system and the site treats those requests as the victim's existing session, with no password and no new login event. MFA does not help here: it is a login-time control, and the legitimate user already completed it before the cookie was stolen.
Security analysts note that this allows for 'silent' account takeovers. Because no new login occurs, the checks that fire at authentication time, such as MFA prompts, new-device emails and impossible-travel alerts on sign-ins, are never triggered, and the attacker has no reason to change the password. Access lasts as long as the stolen session remains valid, which on many services is days or weeks. Only a service that re-evaluates an established session, comparing the requesting IP address, device characteristics or behaviour with what it saw at login, has a chance of noticing. This persistence enables data theft, financial fraud, and lateral movement within corporate networks if the compromised account has privileged access.
Commoditization of Advanced Attacks
Perhaps most concerning is the commercialization of this capability. Reports indicate that turnkey versions of this malware are being offered on cybercriminal forums for less than $1,000 per month. This subscription model gives even novice threat actors capable account-hijacking tooling, complete with support and updates. The low cost and high effectiveness dramatically lower the barrier to entry and may lead to a surge in these attacks against businesses and individuals alike. The malware's infrastructure is designed to be stealthy: stolen cookies are sent to command-and-control servers over encrypted channels such as TLS, so the exfiltration blends in with ordinary encrypted web traffic and is hard to pick out at the network layer.
Parallel Threat: State-Sponsored Router Compromise
While commodity malware spreads, a separate but related threat is targeting the very foundation of internet connectivity. The Russian state-linked advanced persistent threat (APT) group known as APT28 (or Fancy Bear) has been conducting a global campaign targeting small office/home office (SOHO) routers, including popular models from TP-Link. According to joint advisories from the UK's National Cyber Security Centre (NCSC) and Microsoft, the group exploits known vulnerabilities in these devices to install malicious firmware.
This compromised firmware lets the attackers change the router's Domain Name System (DNS) settings, either by pointing the router's own forwarder at attacker-controlled servers or by handing a rogue resolver to every device on the local network through DHCP. DNS acts as the internet's phonebook, translating domain names (like google.com) into IP addresses. Whoever answers those lookups decides which server a user's connection actually reaches, so APT28 can route traffic through attacker-controlled hosts without the user noticing. This enables a range of malicious activities:
- Credential Harvesting: Users attempting to visit legitimate sites (e.g., email, banking) are redirected to phishing clones that capture login credentials and session cookies. One caveat for defenders assessing exposure: the attacker cannot present a valid certificate for the real domain, so this works cleanly only against sites reached over plain HTTP, users who click through certificate warnings, or redirects to lookalike domains; HSTS-preloaded sites and mobile apps with pinned certificates largely resist it.
- Traffic Interception: All unencrypted traffic, including the DNS queries themselves, can be monitored and modified, exposing sensitive data and a complete record of the sites each device visits.
- Persistence: The compromise resides on the network hardware, making it resistant to antivirus scans on individual computers and allowing the attackers to maintain a foothold even if individual devices are cleaned.
The UK government has explicitly warned that this campaign puts organizations at significant risk of credential theft, data manipulation, and broader network compromise, as employees working from home on compromised routers become an entry point into corporate systems.
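One way to spot the DNS manipulation described above from per-query resolver or gateway logs, as an added Python example that is not part of the article or of the advisories it cites: the log format, the approved-resolver list, the monitored domain names and their address ranges are all constructed for the example (the ranges come from RFC 5737 documentation space, not from any real operator). Two signals are checked. A query answered by a resolver the organization did not approve points at a client whose router now advertises a rogue resolver; an answer for a high-value name that falls outside the ranges the genuine service uses catches the case where the router intercepts port 53 traffic and forges replies while the client still believes it spoke to the approved resolver.

```python
"""Flag signs of router-level DNS hijacking in per-query DNS logs.

Two independent signals are checked for each answered query:
  1. The resolver that answered is not one the organisation approved.  A
     router whose DNS settings were rewritten pushes a rogue resolver to
     every client behind it, so their queries suddenly leave for new IPs.
  2. For a small set of high-value names, the returned A record lies
     outside the address ranges the genuine service is known to use.  A
     hijacked resolver hands back the phishing clone's address instead.
All constants and log lines below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Resolvers the organisation runs or sanctions (assumed addresses).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# High-value names and the ranges their real front ends use.  Hypothetical
# values taken from RFC 5737 documentation space, not any real operator.
EXPECTED_RANGES = {
    "mail.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "bank.example.net": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed log format: "<timestamp> client=<ip> resolver=<ip> q=<name> a=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+"
    r"q=(?P<qname>\S+)\s+a=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    qname: str
    reason: str


def analyse_line(line: str) -> List[Finding]:
    """Return zero, one or two findings for a single log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # not a query record, or a format we do not understand
    ts, client = m["ts"], m["client"]
    qname = m["qname"].lower().rstrip(".")
    try:
        resolver = ipaddress.ip_address(m["resolver"])
        answer = ipaddress.ip_address(m["answer"])
    except ValueError:
        return [Finding(ts, client, qname, "malformed address in record")]

    findings = []
    if resolver not in APPROVED_RESOLVERS:
        findings.append(Finding(ts, client, qname,
                                f"answered by unapproved resolver {resolver}"))
    expected = EXPECTED_RANGES.get(qname)
    if expected is not None and not any(answer in net for net in expected):
        findings.append(Finding(ts, client, qname,
                                f"answer {answer} outside expected ranges"))
    return findings


def analyse_log(lines: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(analyse_line(line))
    return out


def suspect_clients(findings: Iterable[Finding]) -> Set[str]:
    """Clients whose queries reached an unapproved resolver.  Their default
    gateway's DNS configuration is the first thing to inspect."""
    return {f.client for f in findings if "unapproved resolver" in f.reason}


# Constructed sample: .20 is healthy, .21 sits behind a hijacked router,
# .22 received a forged answer that claims to come from an approved resolver.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z client=192.168.1.20 resolver=10.0.0.53 q=mail.example.com a=203.0.113.10",
    "2024-05-01T08:00:02Z client=192.168.1.20 resolver=10.0.0.53 q=intranet.example.com a=10.1.2.3",
    "2024-05-01T08:05:00Z client=192.168.1.21 resolver=192.0.2.7 q=mail.example.com a=192.0.2.9",
    "2024-05-01T08:05:01Z client=192.168.1.22 resolver=10.0.0.53 q=bank.example.net a=198.51.100.200",
    "2024-05-01T08:06:00Z client=192.168.1.23 resolver=10.0.1.53 q=bank.example.net a=198.51.100.20",
    "# comment lines and other noise are ignored",
]

if __name__ == "__main__":
    findings = analyse_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.timestamp} {f.client} {f.qname}: {f.reason}")
    print("clients to investigate:", sorted(suspect_clients(findings)))
```

Run against the constructed sample, the script reports three findings: two for the client behind the hijacked router (wrong resolver and a forged address for the mail host) and one forged banking answer that arrived with an approved resolver's address as its source, which is the case the second check exists for. The range table has to be maintained as services move, so in practice it is kept to a handful of names whose compromise would matter most.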
Converging Threats and Mitigation Strategies
The convergence of these two trends—commodity session-hijacking malware and state-sponsored infrastructure attacks—creates a perfect storm. An individual could have their session cookies stolen by the Storm malware via a malicious email, while simultaneously having all their internet traffic surveilled and manipulated via a compromised home router.
This new reality demands a fundamental rethink of defense strategies. Relying solely on MFA is no longer sufficient. Security professionals must advocate for a layered approach:
- Endpoint Security: Deploy endpoint detection and response (EDR) tooling that alerts when a process other than the browser opens the browser's cookie database or calls the operating-system credential-protection APIs used to unwrap the cookie encryption key, since that sequence is exactly what a stealer has to perform.
- Session Management: Implement robust session management on web applications: short absolute and idle timeouts, a fresh session identifier after login and after privilege changes, re-authentication before sensitive actions, server-side revocation so an operator can kill a specific session from an admin panel, and, where the platform supports it, binding the session to the device so a copied cookie is not accepted from another machine.
- Network Monitoring: Monitor for anomalous DNS activity, in particular queries leaving for resolvers that are not the organization's own and answers for high-value domains that do not match the addresses those services are known to use; both are signatures of a hijacked router. Managed endpoints can be configured to use an encrypted, authenticated resolver regardless of what the local router advertises.
- Hardware Security: Keep all network hardware, especially routers and firewalls, on current firmware, disable WAN-side remote management and default credentials, and replace equipment that no longer receives security patches.
- Zero Trust Architecture: Adopt a Zero Trust model that continuously verifies device integrity and user identity, never implicitly trusting a session cookie alone. Context-aware access controls that analyze login location, device health, and user behavior are crucial.
- User Education: Train users to recognize phishing attempts and the dangers of downloading unauthorized software. Encourage the use of a full-tunnel corporate VPN when accessing sensitive resources from home networks; a full tunnel carries DNS resolution inside it as well, which takes a compromised home router out of the resolution path.
The 'Storm' campaign and APT28's router hijacking operations are a stark reminder that attackers adapt faster than many defensive paradigms. MFA remains essential, but it is not a silver bullet: it protects the login, not the session that follows. The cybersecurity community must pivot towards defending the entire chain of trust, from the network hardware to the application session, to protect against this new generation of silent, persistent threats.
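Putting the session-management and context-aware-access points above into code, as an added Python example that is not part of the article: the cookie stays an opaque random identifier and everything that matters is kept server-side, where each request is checked against an absolute lifetime, an idle timeout and the device context recorded at login. The context here is a hash of the User-Agent string and the client's IPv4 /24 prefix; those inputs, the timeout values, the `SessionStore` class and the injectable clock are all assumptions of the example, and a real deployment would tune the fingerprint to its own traffic (mobile users change addresses often). The same store without the context comparison would accept the replayed cookie, which is precisely the weakness the first half of the article describes.

```python
"""Server-side session store that makes a stolen cookie harder to replay.

The session cookie is an opaque random token; all state is server-side.
On each request the store enforces an absolute lifetime and an idle
timeout, then compares the requester's device context with the context
captured at login.  A cookie copied off the victim's machine and replayed
from the attacker's arrives with a different context, so the session is
revoked (forcing a fresh login, and therefore MFA) and an alert is raised.
The fingerprint inputs and timeout values are assumptions of this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ABSOLUTE_LIFETIME = 8 * 3600   # seconds a session may live at all
IDLE_TIMEOUT = 15 * 60         # seconds without a request before expiry


def device_context(user_agent: str, client_ip: str) -> str:
    """Coarse device fingerprint: User-Agent plus the IPv4 /24 the request
    came from.  Deliberately coarse so a DHCP lease change inside the same
    network does not log the user out; a real deployment would tune this."""
    prefix = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    context: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock          # injectable so tests can move time
        self.alerts: List[str] = []  # stand-in for the SIEM feed

    def create(self, user: str, user_agent: str, client_ip: str) -> str:
        """Called after password and MFA succeed; returns the cookie value."""
        sid = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        now = self._clock()
        self._sessions[sid] = Session(user, device_context(user_agent, client_ip), now, now)
        return sid

    def validate(self, sid: str, user_agent: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid session, or None if the request must
        re-authenticate.  Called on every request that carries the cookie."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None
        presented = device_context(user_agent, client_ip)
        if not hmac.compare_digest(presented, s.context):
            # Same cookie, different device: treat as a replay.  Fail closed so
            # the attacker loses access even though the owner must log in again.
            s.revoked = True
            self.alerts.append(f"possible cookie replay for {s.user} from {client_ip}")
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user: str) -> int:
        """Admin-panel action: kill every live session belonging to one user."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
    store = SessionStore()
    cookie = store.create("alice", ua, "192.168.1.20")
    print(store.validate(cookie, ua, "192.168.1.20"))         # alice
    print(store.validate(cookie, "curl/8.5.0", "192.0.2.9"))  # None: replay
    print(store.alerts)
```

The context check stops the simple case of a cookie copied to the attacker's infrastructure, but not a stealer that relays the attacker's requests through the victim's own machine, where the IP prefix and User-Agent match. The stronger answer, and the direction the Zero Trust point above argues for, is to bind the session to a key that never leaves the device, so there is nothing in the cookie store worth stealing.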