BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique cloud.google.com/blog/topi…

Social engineering campaigns pose a significant threat to organizations and businesses as they capitalize on human vulnerabilities by exploiting cognitive biases and weaknesses in security awareness. During a social engineering campaign, a red team operator typically targets a victim’s username and password. A common mitigation used to address these threats are security measures like multi-factor authentication (MFA).

Red team operators have long targeted various methods of obtaining user session tokens with a high degree of success. Once a user has completed MFA and is successfully authenticated, the application typically stores a session token in the user’s browser to maintain their authenticated state. Stealing this session token is the equivalent of stealing the authenticated session, meaning an adversary would no longer need to perform the MFA challenge. This makes session tokens a valuable target for adversaries and red team operators alike.

BitM offers a number of advantages for red team operators when compared to traditional methods of stealing authenticated session tokens. A pivotal benefit of employing a BitM framework lies in its rapid targeting capability, allowing it to reach any website on the web in a matter of seconds and with minimal configuration. Once an application is targeted through a BitM tool or framework, the legitimate site is served through an attacker-controlled browser. This makes the distinction between a legitimate and a fake site exceptionally challenging for a victim. From the perspective of an adversary, BitM allows for a simple yet effective means of stealing sessions protected by MFA.