
Storm-2755 Targets Canadian Employees with AiTM Payroll Hijacking

Severity: High (Score: 66.5)

Sources: Cybersecuritynews, Bleepingcomputer, Blogs.Microsoft

Summary

A financially motivated group tracked as Storm-2755 is running a campaign that reroutes employee salary payments to accounts the attackers control, primarily affecting Canadian workers. Using adversary-in-the-middle (AiTM) techniques, the attackers hijack authenticated sessions and thereby bypass multi-factor authentication (MFA). The campaign begins with SEO poisoning and malvertising to compromise employee accounts. Microsoft DART researchers identified this emerging threat, which has been labelled 'payroll pirate' attacks. The exact number of affected individuals remains unspecified, but the implications for financial security are significant. The attack exploits weaknesses in session management and poses a serious risk to organizations that lack robust security measures. Investigations are ongoing and awareness among cybersecurity professionals is heightened. Organizations are urged to monitor payroll systems for unusual activity.

Key Points:

  • Storm-2755 employs AiTM techniques to hijack employee salary payments.
  • The campaign targets Canadian workers through SEO poisoning and malvertising.
  • Organizations must enhance security measures to protect against session hijacking.

Key Entities

  • Data Breach (attack_type)
  • Man-in-the-Middle (attack_type)
  • Phishing (attack_type)
  • Payroll Pirate (campaign)
  • Payroll Pirate Campaign (campaign)
  • United States (country)
  • T1078 - Valid Accounts (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Exchange Online (platform)
  • Microsoft 365 (platform)
  • Workday (company)
  • AiTM Frameworks (tool)