Cyber Security News

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known as Browser-in-the-Middle (BitM), which allows hackers to hijack user sessions across various web applications in a matter of seconds.

This method exploits the inherent functionalities of web browsers to deceive victims into believing they are interacting with a secure connection, while in reality, their actions are being performed on the attacker’s machine.

BitM AttackBitM Attack
Monitoring the victim container

Exploiting Session Tokens

BitM attacks target session tokens, which are stored in a user’s browser after completing multi-factor authentication (MFA).

These tokens are crucial for maintaining an authenticated state, making them a prime target for adversaries.

Traditional methods, such as using transparent proxies like Evilginx2, require significant customization and can be time-consuming.

In contrast, BitM offers rapid targeting capabilities with minimal configuration, allowing hackers to reach any website quickly.

Defense Strategies

To counter these threats, organizations are advised to implement robust defenses.

Mandiant suggests using client certificates and hardware-based MFA solutions like FIDO2-compatible security keys.

FIDO2 authentication flow

These measures can effectively deter BitM attacks by requiring authentication elements that are difficult for attackers to manipulate.

For instance, FIDO2 keys ensure that authentication responses are tied to the request’s origin, preventing attackers from replaying them on different sites.

However, these protections are only effective if the device hosting the security keys or certificates remains uncompromised, emphasizing the need for a layered security approach.

The development of internal tools like Delusion by Mandiant demonstrates the potential scale of BitM attacks.

Delusion allows operators to target applications without prior knowledge of their authentication protocols, making session-stealing attacks more accessible.

While Mandiant has chosen not to publish Delusion due to weaponization concerns, open-source alternatives like EvilnoVNC and Cuddlephish are available for testing defenses against such threats.

As BitM attacks continue to evolve, organizations must prioritize robust authentication and access-control mechanisms to protect sensitive data and networks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical Vulnerability in Ubiquiti UniFi Protect Camera Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem-one rated the maximum severity score of…

20 minutes ago

IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux, and…

27 minutes ago

Cisco IOS Software SISF Vulnerability Could Enable Attackers to Launch DoS Attacks

Cisco has released security updates addressing a critical vulnerability in the Switch Integrated Security Features…

28 minutes ago

Seamless AI Communication: Microsoft Azure Adopts Google’s A2A Protocol

Microsoft has announced its support for the Agent2Agent (A2A) protocol, an open standard developed in…

32 minutes ago

Radware Cloud Web App Firewall Flaw Allows Attackers to Bypass Security Filters

Security researchers have uncovered two critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that…

43 minutes ago

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake calls…

1 hour ago