New BitM Attack Lets Hackers Steal User Sessions Within Seconds


A sophisticated cyberattack technique known as Browser-in-the-Middle (BitM) has emerged, enabling hackers to bypass multi-factor authentication (MFA) and steal user sessions in mere seconds.

This method exploits web browser functionalities to hijack authenticated sessions, posing a significant threat to organizations relying on traditional security measures.

BitM attacks mimic legitimate browsing experiences by routing victims through an attacker-controlled browser. When a user visits a malicious website or follows a phishing link, their interactions are funneled through a proxied browser hosted on the attacker’s server.

This browser mirrors the appearance of the legitimate site, tricking victims into entering credentials and completing MFA challenges. Once authenticated, the attacker captures the session token stored in the browser, effectively stealing the user’s authenticated state.

Attack Flow

Key Components of BitM:

  • Transparent Proxies: Tools like Evilginx2 or Delusion (Mandiant’s internal tool) act as intermediaries between the victim and the target service. These proxies modify HTTP responses to replace legitimate domains with phishing domains, enabling session token extraction.
  • Rapid Deployment: Unlike traditional transparent proxies requiring extensive customization, BitM frameworks like Delusion allow operators to target any website quickly. Features such as Firefox profile storage and automatic load balancing simplify large-scale phishing campaigns.
  • Real-Time Monitoring: Attackers can observe victim interactions in real-time, enabling immediate session theft upon successful authentication.

BitM attacks are particularly dangerous because they bypass MFA, which many organizations consider their last line of defense. According to Google, capturing session tokens gives attackers persistent access to accounts without needing the victim’s credentials again.

This method is effective against applications using virtual desktop infrastructure (VDI) or cloud services, where session hijacking can grant access to privileged networks.

  • Corporate Security Risks: BitM can lead to data breaches, intellectual property theft, or complete Active Directory takeovers. Red teams often use these techniques to test organizational defenses, highlighting vulnerabilities in MFA reliance.
  • Speed and Scalability: The ease of deploying BitM tools, such as Delusion’s ability to scale containers and manage campaigns via tags, makes widespread attacks feasible. Victims may not notice the compromise until it’s too late.

While no system is entirely impenetrable, organizations can mitigate BitM risks through layered security:

  1. Hardware-Based MFA (FIDO2): Security keys like YubiKey or Google Titan enforce cryptographic challenges tied to specific domains. Attackers cannot replay FIDO2 responses across different websites, halting BitM attacks.
  2. Client Certificates: Binding authentication to device-specific certificates prevents session reuse on unauthorized devices. This method complements FIDO2 to block token hijacking.
  3. Behavioral Monitoring: Tools that detect unusual login patterns or browser fingerprint discrepancies can flag potential BitM compromises.
  4. Security Awareness Training: Educating users to recognize phishing attempts (e.g., suspicious URLs or unsolicited authentication requests) remains critical.
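As an added illustration of why item 1 holds (example code written for this page, not code from the article or from Mandiant's tooling): the relying party's WebAuthn verification checks that the assertion's origin and rpIdHash match the legitimate site, so an assertion collected on a phishing origin is rejected before any signature is examined. The RP ID, origin and challenge values below are constructed for the example, and the signature check is left out.

```python
import base64
import hashlib
import json

# Constructed relying-party (RP) identity for the example; not from the article.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The browser, not the page, fills in 'origin', so a page served from a
    phishing domain cannot claim the legitimate origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01) -> bytes:
    """Bytes 0-31: SHA-256 of the RP ID; byte 32: flags (bit 0 = user present);
    bytes 33-36: signature counter. The browser only lets a page request an
    RP ID that is a registrable suffix of its own origin."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def check_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple:
    """RP-side checks that bind an assertion to this site and this challenge.
    The signature over authenticatorData || SHA-256(clientDataJSON) is not
    verified here; these context checks precede it in WebAuthn verification."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one this RP issued (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: assertion was collected on {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to another RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "context ok"


def demo() -> dict:
    """Legitimate ceremony beside one relayed from an attacker-controlled origin."""
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # constructed, not random
    good = check_assertion_context(make_client_data(EXPECTED_ORIGIN, challenge),
                                   make_authenticator_data(RP_ID), challenge)
    phish = "login.example-com.attacker.test"  # constructed phishing domain
    relayed = check_assertion_context(make_client_data("https://" + phish, challenge),
                                      make_authenticator_data(phish), challenge)
    return {"legitimate": good, "relayed_from_phishing_origin": relayed}
```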

BitM signifies a major shift in cyber threats, using browser functionalities to evade traditional security measures. The speed and effectiveness of this attack require urgent attention from security teams globally.
