
All news with #session hijacking tag

25 articles

Siemens SIPROTEC 5 Session ID Randomness Vulnerability

⚠️ The Siemens SIPROTEC 5 series employs insufficiently random values for session identifiers on a subset of web endpoints, enabling an unauthenticated remote actor to brute-force and hijack valid sessions. Exploitation can permit limited read access to web server information without authorization. Siemens is preparing fixes and recommends updating to V11.0 or later where available, validating updates, and applying network protections such as segmentation, firewalls, and controlled remote access procedures.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.

Vishing and SSO Abuse Drive Rapid SaaS Extortion Campaigns

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.

Stopping AiTM Phishing: Defenses After Authentication

🛡️ AiTM phishing sidesteps credential-focused defenses by intercepting session tokens after a legitimate login, so stronger passwords and many MFA approaches are insufficient on their own. While FIDO2 and passkeys reduce exposure at the authentication step, session cookies remain bearer tokens that can be replayed. The article recommends three practical controls: bind sessions to managed devices, monitor post-authentication anomalies, and shorten high-value session lifetimes, combined with targeted user guidance to stop attackers from exploiting captured sessions.

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

Zero Trust: Bridging Authentication and Device Trust

🔒 The perimeter model has broken down as workforces go hybrid, and many Zero Trust deployments miss a key link between identity and session authorization. Specops Device Trust argues that authentication must be contextualized with real-time device posture checks to prevent token theft and session hijacking. Binding identity to a verified device and continuous monitoring lets organizations enforce dynamic, low-friction policies that reduce risk.

Five Ways Chrome Enterprise Strengthens Browser Security

🔒 Chrome Enterprise outlines five enhancements aimed at reinforcing browser security for organizations, addressing modern risks from session theft to malware-driven credential theft. Highlights include Device Bound Session Credentials to prevent session hijacking, cache encryption to protect data at rest, and App-bound encryption to block unauthorized apps from reading browser-stored secrets. Administrators also get tighter download controls and deeper integrations with partners such as Citrix and Okta to improve access decisions and incident response.

Critical CTEK Chargeportal Vulnerabilities and Risks

⚠️ Multiple authentication and session-management vulnerabilities in CTEK Chargeportal could allow remote attackers to impersonate charging stations, send unauthorized OCPP commands, or disrupt charging services. The highest-severity issue (CVE-2026-25192) affects WebSocket authentication and is rated CVSS 9.4 (Critical). Other flaws enable brute-force attempts, session hijacking, and exposure of station identifiers. CTEK plans to sunset Chargeportal in April 2026; operators should restrict network exposure, isolate control networks, and contact CTEK support for guidance.

Inside Tycoon2FA: Scale and AiTM Phishing Operations

🔎 Tycoon2FA emerged in August 2023 as a phishing-as-a-service platform that provided adversary-in-the-middle (AiTM) capabilities to relay authentication flows and capture session cookies. Its web-based admin panel centralized templates, redirects, hosting, CAPTCHA, and exfiltration controls while exposing real-time metrics. Fast-moving short-lived domains, Cloudflare hosting, and heavy obfuscation let low-skill operators run scalable campaigns against MFA-protected accounts worldwide.

Critical OCPP Backend Vulnerabilities in Everon Platform

🔒 CISA reports multiple critical vulnerabilities in Everon OCPP Backends (api.everon.io) that permit unauthenticated access, session hijacking, credential exposure, and denial-of-service. The advisory details four CVEs, including a CVSS 3.1 score of 9.4 for missing authentication on WebSocket endpoints. Everon reportedly shut down the platform on December 1, 2025; CISA recommends isolating control networks, restricting Internet access, and using secure remote access methods.

Chargemap Charging Infrastructure Vulnerabilities Reported

🔒 CISA reports multiple vulnerabilities in Chargemap's public charging infrastructure that could allow attackers to impersonate charging stations, hijack sessions, and disrupt services. The most severe issue (CVE-2026-25851) involves unauthenticated OCPP WebSocket endpoints and carries a CVSS 3.1 base score of 9.4. Chargemap did not respond to coordination; users should contact vendor support and reduce network exposure until fixes are available.

CloudCharge OCPP WebSocket Flaws Enable Station Impersonation

⚠️ CISA warns of multiple critical vulnerabilities in CloudCharge cloudcharge.se affecting OCPP WebSocket endpoints (four CVEs, highest CVSS 9.4). Exploits can enable station impersonation, session hijacking, credential exposure, and large-scale denial of service by suppressing or misrouting telemetry. CloudCharge did not respond to coordination requests; operators should apply network mitigations and restrict Internet exposure. CISA identifies Energy and Transportation sectors as at risk worldwide.

Critical OCPP WebSocket Flaws in SWITCH EV Charging

🔒 Successful exploitation of vulnerabilities in SWITCH EV charging infrastructure could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate telemetry, and manipulate backend data. The advisory identifies four CVEs affecting all product versions, including CVE-2026-27767 with a CVSS 3.1 base score of 9.4 (Critical). Vendor coordination was not received; CISA recommends minimizing network exposure, isolating control-system networks, using secure remote access, and contacting the vendor for remediation status. No known public exploitation has been reported.

EV2GO ev2go.io WebSocket Auth & Session Risks

🔒 CISA reports multiple critical vulnerabilities in EV2GO ev2go.io WebSocket interfaces that allow unauthenticated actors to impersonate charging stations, hijack sessions, and manipulate backend data. Exploitation can lead to large-scale denial of service, suppression or misrouting of legitimate telemetry, and unauthorized control of charging infrastructure; all versions are affected, and the highest CVSS score is 9.4. Vendor coordination was not received; operators should minimize Internet exposure, isolate ICS networks, and implement stronger authentication, session management, and rate limiting.

Critical OCPP WebSocket Flaws in Mobility46 Stations

Mobility46 charging stations running mobility46.se are affected by multiple OCPP WebSocket vulnerabilities that can allow unauthorized administrative access, session hijacking, credential exposure, and denial-of-service. Four CVEs are documented, including one critical issue with a CVSS 3.1 base score of 9.4. Mobility46 did not respond to CISA coordination; operators should isolate devices, apply network controls, and contact the vendor for guidance.

CISA: EV Energy ev.energy Vulnerabilities — Urgent Advisory

🔒 CISA warns of multiple critical and high-severity vulnerabilities in EV Energy ev.energy software that could permit unauthorized administrative control, session hijacking, credential exposure, and denial-of-service against charging stations. The advisory identifies four CVEs (including CVE-2026-27772) affecting all versions and assigns a top CVSS score of 9.4 for the most severe issue. EV Energy did not respond to coordination requests; CISA recommends vendor fixes and immediate network hardening, including minimizing Internet exposure and restricting access to charge point endpoints.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and BEC campaign targeting the energy sector. The attackers abused SharePoint file-sharing and legitimate trusted addresses (a living-off-trusted-sites, or LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide activity. Microsoft says simple password resets are insufficient; organizations must revoke sessions, remove malicious rules, and enforce phishing-resistant controls.

Malicious Google Chrome Extensions Hijack Workday and Netsuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.

Malicious Chrome extensions hijack enterprise sessions

🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.

Credential-stealing Chrome extensions target HR platforms

🔒 Socket discovered malicious Chrome extensions on the Web Store that mimicked productivity and security tools for enterprise HR and ERP systems and had been installed over 2,300 times. The five extensions targeted Workday, NetSuite, and SAP SuccessFactors, employing cookie exfiltration, DOM manipulation to block admin pages, and cookie injection to enable session hijacking. Google removed the extensions after notification; affected users should report use to administrators, perform incident response, and change credentials on impacted platforms.