A sophisticated new infostealer is bypassing traditional endpoint security by moving the decryption of stolen browser data to attacker-controlled infrastructure. Because the malware never decrypts anything on the host, it can exfiltrate the raw browser data without triggering local alerts or interacting with the local security subsystem at all.
The Storm infostealer specifically targets browser profiles to harvest cookies and saved credentials. By exfiltrating the raw data for server-side decryption, the adversary can hijack active sessions and bypass multi-factor authentication for cloud services and enterprise dashboards. This method effectively neutralizes on-device protection mechanisms that rely on intercepting the decryption process.
The shift toward server-side decryption is a strategic evolution in the malware landscape: it reduces the local footprint and, with it, the probability of detection. When decryption occurs off-box, traditional EDR and antivirus signatures keyed to on-host decryption activity have nothing to match and are rendered ineffective against the exfiltration of the raw, encrypted data blobs.
– Enforce the use of phishing-resistant MFA and strictly manage session duration policies for sensitive cloud applications.
– Implement browser isolation or secure enterprise browsers to prevent the exfiltration of raw profile data from the endpoint.
– Monitor for anomalous outbound traffic patterns originating from browser processes to non-standard IP ranges.
– Rotate all administrative and cloud provider session tokens if an endpoint is suspected of a Storm infostealer infection.
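To make the monitoring recommendation concrete, here is an added Python example (not from the original post) that reviews browser network telemetry for the pattern described above: a browser process pushing a bulk of data to a bare IP or non-standard port outside the allowlisted ranges. The JSON-lines field names, the internal address ranges, the byte threshold and all sample events are constructed assumptions; adapt them to your own telemetry source and egress allowlist.

```python
import ipaddress
import json
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Hypothetical internal ranges; replace with the real egress/proxy allowlist.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {80, 443}
BULK_BYTES = 200_000  # browser profile blobs (Cookies, Login Data) run to hundreds of KB


def connection_reasons(ev):
    """Why one connection event from a browser looks anomalous; empty list means benign."""
    dst = ipaddress.ip_address(ev["dst_ip"])
    if ev["image"].lower() not in BROWSERS or any(dst in net for net in ALLOWED_NETS):
        return []
    reasons = []
    if ev["dst_port"] not in STANDARD_PORTS:
        reasons.append(f"non-standard port {ev['dst_port']}")
    if not ev.get("dst_host"):  # browsers almost always connect by hostname, so a bare IP stands out
        reasons.append("bare IP destination, no SNI/hostname")
    return reasons


def analyze(log_lines):
    """Aggregate flagged events per (process, destination); escalate when bytes sent reach BULK_BYTES."""
    totals = defaultdict(lambda: {"bytes": 0, "reasons": set()})
    for line in log_lines:
        ev = json.loads(line)
        reasons = connection_reasons(ev)
        if reasons:
            entry = totals[(ev["image"], ev["dst_ip"])]
            entry["bytes"] += ev["bytes_out"]
            entry["reasons"].update(reasons)
    alerts = [{"image": img, "dst_ip": ip, "bytes": e["bytes"], "reasons": sorted(e["reasons"]),
               "severity": "high" if e["bytes"] >= BULK_BYTES else "medium"}
              for (img, ip), e in totals.items()]
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


SAMPLE_EVENTS = [  # constructed telemetry in a made-up JSON-lines shape, not real traffic
    '{"image": "chrome.exe", "dst_ip": "142.250.74.46", "dst_port": 443, "dst_host": "www.google.com", "bytes_out": 4096}',
    '{"image": "chrome.exe", "dst_ip": "203.0.113.45", "dst_port": 8080, "dst_host": "", "bytes_out": 180000}',
    '{"image": "chrome.exe", "dst_ip": "203.0.113.45", "dst_port": 8080, "dst_host": "", "bytes_out": 90000}',
    '{"image": "chrome.exe", "dst_ip": "10.20.30.40", "dst_port": 8443, "dst_host": "", "bytes_out": 50000}',
    '{"image": "firefox.exe", "dst_ip": "198.51.100.7", "dst_port": 443, "dst_host": "", "bytes_out": 12000}',
    '{"image": "outlook.exe", "dst_ip": "198.51.100.9", "dst_port": 9001, "dst_host": "", "bytes_out": 500000}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Non-browser processes are deliberately ignored here so the rule stays focused on the post's indicator; a separate rule should cover unknown processes reading browser profile files.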
Identity-based attacks are moving beyond the device; security must be enforced at the session and authentication layer to mitigate data exfiltration. #CodeDefence #Infostealer #SessionHijacking #CloudSecurity
