Storm-2755 Targets Canadian Paychecks While Google Finally Ships Session Protection

I’ve been following some interesting developments this week that really highlight how attackers are getting creative with their targeting while defenders are slowly catching up with better protections. Let me walk you through what caught my attention.

Payroll Pirates Hit Canadian Workers

Microsoft’s threat intelligence team has been tracking something they’re calling “payroll pirate attacks” - and honestly, the name fits perfectly. A group they’ve designated Storm-2755 has been specifically targeting Canadian employees by hijacking their accounts to redirect salary payments.

Source: Microsoft: Canadian employees targeted in payroll pirate attacks

What makes this particularly nasty is the timing and precision. These aren’t random credential stuffing attacks - Storm-2755 is clearly doing their homework on Canadian payroll systems and employee databases. The financial motivation is obvious, but the geographic specificity suggests they’ve found something unique about how Canadian organizations handle payroll processing that makes this attack vector viable.

From a defensive standpoint, this reinforces why we need to treat payroll systems with the same security rigor as financial systems. Too many organizations still think of HR and payroll as “back office” functions that don’t need enterprise-grade security controls. Storm-2755 is proving that assumption wrong, one stolen paycheck at a time.

Medical Imaging Under Attack

Speaking of targeted attacks, researchers have uncovered some serious vulnerabilities in Orthanc DICOM servers that could lead to crashes and remote code execution.

Source: Orthanc DICOM Vulnerabilities Lead to Crashes, RCE

For those not familiar with DICOM, it’s the standard for medical imaging data - think X-rays, MRIs, CT scans. Orthanc is an open-source server that healthcare organizations use to store and manage these images. The fact that attackers could potentially crash these systems or execute arbitrary code is genuinely concerning when you consider the critical nature of medical imaging in patient care.

What worries me most about medical infrastructure vulnerabilities is the potential for both immediate harm and long-term data theft. A denial-of-service attack against imaging systems could delay critical diagnoses, while data exfiltration could expose sensitive patient information. Healthcare organizations running Orthanc need to prioritize these patches immediately.

Chrome Finally Gets Device-Bound Sessions

On the positive side, Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows users.

Source: Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows

This is actually a big deal that I think will fly under most people’s radar. DBSC essentially ties your session tokens to specific hardware, making it much harder for attackers to steal and reuse your authenticated sessions. We’ve all seen cases where someone gets their session cookie stolen through malware or network interception, and suddenly the attacker has full access to their accounts.

The Windows-first rollout makes sense given the platform’s larger attack surface, and I’m glad to see Google taking a measured approach rather than rushing this out everywhere at once. macOS support is coming in future releases, which should give them time to work out any compatibility issues.

JavaScript Obfuscation Gets Sneaky

The SANS Internet Storm Center flagged an interesting JavaScript sample that’s worth discussing. They found a file called “cbmjlzan.JS” being distributed via phishing emails in RAR archives, and what’s notable is how poorly it’s being detected - only 15 of the major antivirus engines on VirusTotal are flagging it as malicious.

Source: Obfuscated JavaScript or Nothing

This low detection rate tells us that the obfuscation techniques being used are still effective against signature-based detection. It’s a good reminder that we can’t rely solely on traditional antivirus for JavaScript-based threats. Organizations need to be implementing behavior-based detection and user education about suspicious email attachments, especially when they’re asking users to extract and run files from archives.

The Bigger Picture

Looking at these incidents together, I see a few common themes that we should be thinking about. First, attackers are getting more specialized in their targeting - whether it’s Canadian payroll systems or medical imaging infrastructure. This suggests we need to move beyond generic security frameworks and start thinking about industry-specific threat models.

Second, the timeline between security improvements and actual deployment continues to be frustratingly long. Google’s DBSC has been in development for years, and while it’s great to see it finally shipping, the slow rollout means most users are still vulnerable to session theft attacks.

Finally, the persistence of basic attack vectors like obfuscated JavaScript reminds us that fundamentals still matter. All the advanced threat detection in the world won’t help if users are still extracting and running suspicious files from email attachments.
