Written by: Truman Brown, Emily Astranova, Steven Karschnia, Jacob Paullus, Nick McClendon, Chris Higgins
Executive Summary
The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications.
MFA Remains Crucial, But Not Invulnerable: Multi-factor authentication (MFA) is a vital security measure, yet sophisticated social engineering tactics now effectively bypass it by targeting session tokens.
Strong Defenses Are Imperative: To counter these threats, organizations must implement robust defenses, including hardware-based MFA, client certificates, and FIDO2.
Social Engineering and Multi-Factor Authentication
Social engineering campaigns pose a significant threat to organizations and businesses as they capitalize on human vulnerabilities by exploiting cognitive biases and weaknesses in security awareness. During a social engineering campaign, a red team operator typically targets a victim's username and password. A common mitigation for these threats is a security measure such as multi-factor authentication (MFA).
MFA is a security measure that requires users to provide two or more methods of authentication when logging in to an account or accessing a protected resource. This makes it more difficult for unauthorized users to gain access to sensitive information even if they have obtained one of the factors, such as a password.
Red team operators have long targeted various methods of obtaining user session tokens with a high degree of success. Once a user has completed MFA and is successfully authenticated, the application typically stores a session token in the user's browser to maintain their authenticated state. Stealing this session token is the equivalent of stealing the authenticated session, meaning an adversary would no longer need to perform the MFA challenge. This makes session tokens a valuable target for adversaries and red team operators alike.
Techniques for Targeting Tokens
Red team operators can target these session tokens using a variety of tools and techniques. The most common tool is Evilginx2, a transparent proxy where a red team operator's server acts as an intermediary between the victim and the targeted service. Any HTTP requests made by the victim are captured by the phishing server and then forwarded directly to the intended website. However, before returning the responses to the victim, the server subtly modifies them by replacing any references to the legitimate domain with the phishing domain. This manipulation allows operators to not only capture the victim's login credentials from POST requests but also to extract session cookies (tokens) from the server's response headers after the victim has completed authentication and MFA prompts.
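Why FIDO2, one of the defenses recommended in the summary above, holds up against a transparent proxy of this kind, as an added illustration that is not part of the original article: the browser records the origin it actually loaded in clientDataJSON and the authenticator signs over its hash, so a relying party that checks the origin rejects an assertion produced on a look-alike domain, and a proxy that patches the origin back to the real one invalidates the signature. The domains, the credential key and the HMAC-based signature stand-in are constructed assumptions; a real authenticator signs with an asymmetric key (e.g. ES256).

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "login.example.com"                     # constructed relying party
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.phish"    # constructed proxy domain
KEY = b"per-credential-secret"                  # stands in for the credential key pair (assumption)

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _rp_id_hash() -> bytes:
    return hashlib.sha256(RP_ID.encode()).digest()

def authenticator_get_assertion(origin: str, challenge: bytes) -> dict:
    # The browser, not the page, fills in the origin it actually loaded;
    # the signature then covers authenticatorData || SHA-256(clientDataJSON).
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": origin}).encode()
    auth_data = _rp_id_hash() + b"\x01" + (0).to_bytes(4, "big")  # flags: UP set, counter 0
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(KEY, to_sign, hashlib.sha256).digest()        # HMAC stands in for ES256
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, challenge: bytes) -> tuple:
    # Relying-party side: the subset of WebAuthn assertion checks that defeat a proxy.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != _rp_id_hash() or not auth_data[32] & 0x01:
        return False, "rpIdHash mismatch or user not present"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(KEY, to_sign, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def simulate_login(origin: str, proxy_rewrites_origin: bool = False) -> tuple:
    challenge = secrets.token_bytes(32)          # issued by the relying party per ceremony
    assertion = authenticator_get_assertion(origin, challenge)
    if proxy_rewrites_origin:
        # A proxy that rewrites the origin string (as it rewrites domains in HTML) breaks the signed hash.
        assertion["clientDataJSON"] = assertion["clientDataJSON"].replace(origin.encode(), EXPECTED_ORIGIN.encode())
    return verify_assertion(assertion, challenge)

if __name__ == "__main__":
    print(simulate_login(EXPECTED_ORIGIN))       # (True, 'ok')
    print(simulate_login(PHISH_ORIGIN))          # (False, 'origin mismatch: https://login-example.phish')
    print(simulate_login(PHISH_ORIGIN, True))    # (False, 'bad signature')
```

In practice the browser would not even invoke the credential from the phishing origin, because RP_ID is not a registrable suffix of that origin; the server-side origin check is the second, independent line of defense shown here.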
During a red team engagement, a consultant working within a constrained time