BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique

The article discusses the increasing threat of Browser-in-the-Middle (BitM) attacks, which allow adversaries to compromise user sessions across a wide range of web applications within seconds. While multi-factor authentication (MFA) remains critical for security, sophisticated social engineering tactics can bypass it by targeting session tokens rather than credentials. To combat these threats, organizations are urged to implement robust defenses such as hardware-based MFA, client certificates, and FIDO2.
Affected: web applications, organizations, users

Key points:

  • BitM attacks provide a streamlined approach to compromising sessions quickly across web applications.
  • MFA remains essential but can be bypassed by social engineering tactics targeting session tokens.
  • Organizations must implement robust defenses, including hardware-based MFA and client certificates, to counter these attack vectors.
  • MFA requires two or more authentication methods to enhance security but remains vulnerable when session tokens are targeted.
  • Tools like Evilginx2 are commonly used to capture user credentials and session tokens effectively.
  • Delusion, an internal tool developed by Mandiant, facilitates BitM attacks by allowing operators to target applications without prior knowledge of authentication methods.
  • FIDO2 security keys and certificate-based authentication can significantly mitigate BitM threats.
  • A layered security approach is crucial for protecting sensitive data and maintaining secure access to restricted networks.

MITRE Techniques:

  • Technique: Browser in the Middle (BitM) [TXXXX] – Procedure: Utilizes browser functionalities to convince victims they are browsing securely while actions are performed on the attacker’s machine.
  • Technique: Credential Dumping [TXXXX] – Procedure: Captures session tokens and user credentials through phishing methods like Evilginx2.
  • Technique: Phishing [TXXXX] – Procedure: Red team operators manipulate HTTP requests to extract sensitive information after successful authentication.

Indicators of Compromise:

  • [URL] https://mrd0x.com/bypass-2fa-using-novnc/
  • [URL] https://link.springer.com/article/10.1007/s10207-021-00548-5
  • [URL] https://fhlipzero.io/blogs/6_noVNC/noVNC.html
  • [URL] https://github.com/JoelGMSec/EvilnoVNC
  • [URL] https://github.com/fkasler/cuddlephish


Full Story: https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle/