
Hackers Use AiTM Session Hijacking to Redirect Employee Salaries in New Storm-2755 Campaign
The digital landscape is a relentless battleground, and threat actors constantly refine their tactics to exploit new vulnerabilities and bypass established security measures. A recent, particularly insidious campaign orchestrated by a financially motivated threat group dubbed Storm-2755 highlights this concerning evolution. Their target? Employee salaries. Utilizing sophisticated Adversary-in-the-Middle (AiTM) session hijacking techniques, Storm-2755 has been quietly rerouting paychecks, bypassing multi-factor authentication (MFA), and executing what researchers are calling “payroll pirate” attacks, primarily targeting Canadian workers. Understanding this methodology is crucial for fortifying organizational defenses against an increasingly adaptive adversary.
Understanding the Storm-2755 AiTM Campaign
The Storm-2755 campaign represents a significant shift in threat actor methodology, moving beyond simple credential theft to actively manipulating authenticated user sessions. This financially motivated group is executing highly targeted attacks designed to siphon off employee salary payments directly into attacker-controlled bank accounts.
The core of their technique revolves around Adversary-in-the-Middle (AiTM) session hijacking. Unlike traditional phishing, where attackers merely steal credentials for later use, AiTM attacks intercept and proxy an entire user session in real-time. This allows the attackers to capture legitimate session cookies that prove a user has successfully authenticated, even if that authentication included an MFA challenge. With these session cookies, Storm-2755 can impersonate the legitimate user, access their payroll information, and modify direct deposit details without needing the user’s password or MFA code again.
The Attack Chain: From SEO Poisoning to Payroll Piracy
The sophistication of the Storm-2755 campaign begins long before the session hijacking takes place. Their multi-stage attack typically unfolds as follows:
- SEO Poisoning and Malvertising: The initial compromise often stems from compromised search engine results or malicious advertisements. Attackers manipulate search engine optimization (SEO) to push their malicious sites higher in search rankings or purchase ad space to display deceptive links. Users searching for legitimate services or information may inadvertently click on these malicious links.
- Phishing Lures: Once a user lands on a malicious site, they are typically presented with a highly convincing phishing page designed to mimic legitimate login portals – often for corporate HR systems, financial institutions, or other services where payroll information might be accessed. These pages are crafted to appear indistinguishable from the real thing.
- Real-time AiTM Proxying: When a victim attempts to log in on the phishing page, the AiTM infrastructure acts as a proxy. It forwards the victim’s credentials (username, password, and critically, the MFA token) to the legitimate service. Once the legitimate service authenticates the user and issues a session cookie, the AiTM server captures this cookie.
- Session Hijacking: With the legitimate session cookie in hand, Storm-2755 attackers can then bypass all authentication mechanisms. They use this cookie to log into the victim’s account on the genuine target platform (e.g., a payroll portal) as if they were the legitimate user.
- Salary Redirection: The final, devastating step involves navigating to the victim’s direct deposit or bank account settings within the payroll system and changing the legitimate bank account details to one controlled by the threat group. This ensures that subsequent salary payments are rerouted directly to the attackers.
Why AiTM Bypasses MFA
Multi-Factor Authentication (MFA) is a critical security control designed to prevent unauthorized access even if primary credentials are compromised. However, AiTM attacks fundamentally circumvent MFA by targeting the session after successful authentication. When an AiTM proxy sits in the middle of the login flow, it captures the session token or cookie that the real service issues once the user has completed authentication, MFA challenge included. The attack doesn't try to guess the MFA code; it waits for the legitimate user to provide it to the real service (through the proxy) and then steals the resulting valid session. A code or push approval is only proof that the user has the second factor; it carries no information about which site the user was actually typing into, so the proxy can relay it unchanged. This is why controls beyond traditional MFA are necessary to combat such attacks.
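The difference between a relayable second factor and an origin-bound one can be shown with the checks a WebAuthn relying party performs before accepting an assertion. This is an added illustration, not code from the page or from any vendor; the relying-party ID, origins, challenge and the simplified authenticatorData layout are all constructed for the example, and signature verification (which would normally come last) is omitted.

```python
import base64
import hashlib
import json

# Constructed values for illustration only.
RP_ID = "payroll.example.com"
ALLOWED_ORIGINS = {"https://payroll.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Simplified authenticatorData: SHA-256 of the RP ID the browser resolved
    for the page the user is really on, then flags and a counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> bool:
    """Relying-party checks on a WebAuthn assertion (signature check omitted)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(expected_challenge):
        return False
    # The browser, not the page, writes the origin into clientDataJSON, and the
    # authenticator signs over it; a proxy cannot rewrite it without breaking the signature.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False
    # rpIdHash must be the hash of the RP ID this server owns.
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def browser_sign_in(page_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """What the victim's browser produces for the page it is actually on."""
    rp_id = page_origin.removeprefix("https://")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return client_data, make_authenticator_data(rp_id)


def demo() -> dict:
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    genuine = verify_assertion(*browser_sign_in("https://payroll.example.com", challenge), challenge)
    # An AiTM proxy can relay the real challenge, but the browser stamps the proxy's origin
    # (constructed lookalike domain) and hashes the proxy's RP ID, so the server refuses it.
    relayed = verify_assertion(*browser_sign_in("https://payroll-login.example.net", challenge), challenge)
    return {"genuine_origin_accepted": genuine, "proxied_origin_accepted": relayed}
```

Because no assertion is accepted through the proxy, the real service never issues the session cookie that the attack chain above depends on capturing.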
Remediation Actions and Proactive Defense
Defending against sophisticated AiTM campaigns like Storm-2755 requires a multi-layered approach that goes beyond traditional security measures. Organizations and individuals must be proactive in their defenses.
- Educate Employees on AiTM Phishing: Regular, targeted security awareness training is paramount. Emphasize the subtle differences in URLs, the dangers of unsolicited links, and the importance of verifying website legitimacy before entering credentials. Teach employees to scrutinize URLs for suspicious characters or misspellings and to always navigate directly to sensitive sites rather than clicking links from external sources.
- Implement FIDO2/WebAuthn for Phishing-Resistant MFA: Traditional MFA methods like SMS codes, TOTP or push approvals can still be relayed by an AiTM proxy. FIDO2 (Fast Identity Online) and WebAuthn offer phishing-resistant MFA by cryptographically binding each authentication to the origin the browser is actually on. Authentication cannot complete on an imposter site, so the real service never issues a session cookie for the proxy to capture. For instance, hardware security keys like YubiKey or Titan Security Key, registered to the specific domain, provide robust protection.
- Leverage Conditional Access Policies: Implement robust conditional access policies that evaluate various signals before granting access. These signals can include device compliance, network location, IP reputation, and user behavioral analytics. If a session originates from an unusual location or device after an otherwise legitimate login, it should trigger additional verification or block access.
- Continuous Monitoring and Threat Detection: Deploy security solutions that offer advanced threat detection capabilities, including behavioral analytics and anomaly detection. Systems should be capable of identifying unusual access patterns, rapid changes to sensitive user data (like bank account information), and connections from suspicious IP addresses. Monitoring for unusual login locations or impossible travel scenarios can help detect hijacked sessions.
- Regular Security Audits and Penetration Testing: Conduct regular assessments to identify potential weaknesses in your authentication flows and employee training. Penetration testing can specifically simulate AiTM scenarios to test the effectiveness of existing controls.
- Implement Strong Email Authentication (DMARC, DKIM, SPF): While this doesn’t directly stop AiTM, it significantly reduces the likelihood of initial phishing emails reaching inboxes by preventing email spoofing, making it harder for attackers to launch their malvertising or direct phishing campaigns.
- Zero Trust Architecture: Adopt a Zero Trust security model, where no user or device is inherently trusted, regardless of whether they are inside or outside the network perimeter. Every access request is verified, authorized, and continuously monitored, which can help detect and mitigate the impact of compromised sessions.
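The monitoring item above can be made concrete with a small detection pass over payroll-portal access logs. This is an added example, not part of the original article or any specific product: the log format, user names, session IDs, IP addresses and countries are all constructed, and the rule flags a session whose later requests arrive from a different source than the login that minted it, escalating when the request is a direct-deposit change.

```python
from datetime import datetime

# Constructed sample log, not real data.
# Fields: timestamp user session_id event src_ip country
SAMPLE_LOG = """\
2024-05-02T09:01:10Z alice sess-7f3a login 198.51.100.24 CA
2024-05-02T09:02:05Z alice sess-7f3a view_payslip 198.51.100.24 CA
2024-05-02T09:14:41Z alice sess-7f3a direct_deposit_update 203.0.113.9 NL
2024-05-02T10:30:00Z bob sess-1c22 login 192.0.2.77 CA
2024-05-02T10:31:12Z bob sess-1c22 direct_deposit_update 192.0.2.77 CA
2024-05-02T11:05:00Z carol sess-9e10 direct_deposit_update 203.0.113.9 NL
"""

# Changes that reroute money deserve the highest severity when the source shifts.
SENSITIVE_EVENTS = {"direct_deposit_update"}


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        ts, user, session, event, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "session": session, "event": event,
                       "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def find_hijacked_sessions(events: list) -> list:
    """Return (session, reason, event) tuples for requests whose source does not
    match the login that created the session, or that carry a cookie this log
    never saw minted (a replayed cookie from a login captured elsewhere)."""
    login_source = {}
    alerts = []
    for e in events:
        if e["event"] == "login":
            login_source[e["session"]] = (e["ip"], e["country"])
            continue
        if e["session"] not in login_source:
            alerts.append((e["session"], "no_login_seen", e["event"]))
            continue
        if (e["ip"], e["country"]) != login_source[e["session"]]:
            severity = "critical" if e["event"] in SENSITIVE_EVENTS else "warning"
            alerts.append((e["session"], f"session_source_changed:{severity}", e["event"]))
    return alerts
```

In a real deployment the comparison would use ASN or geolocation rather than exact IP equality to avoid noise from mobile carriers, and the critical alerts would be routed to the payroll team for out-of-band confirmation of the bank-detail change.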
Conclusion
The Storm-2755 “payroll pirate” campaign serves as a stark reminder that cybercriminals are constantly innovating, pushing the boundaries of traditional attack vectors. Their use of AiTM session hijacking to bypass even MFA demonstrates a sophisticated understanding of security protocols and a relentless pursuit of financial gain. For organizations and individuals alike, understanding these advanced threats is the first step toward effective defense. By implementing phishing-resistant MFA, enhancing employee awareness, and adopting a proactive, multi-layered security posture, we can collectively harden our defenses against these evolving and insidious payroll attacks.