One lesser-known but dangerous malady is known as the man-in-the-browser attack (MITB). This attack can result in the loss of personal, sensitive information at the very least and could escalate to include major financial theft and more.  This article will detail the MITB attack which appears in the MITRE ATT&CK matrix, and will explore what MITB is, a little about how it works, the different approaches to MITB, how to mitigate MITB and problems associated with detecting MITB. 

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity. To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use. 

A little about man-in-the-browser

If you are thinking MITB sounds like the infamous man-in-the-middle attack (MITM), you are on the right track. As a matter of fact, MITB takes the same approach to attacks that MITM takes.  In a MITB attack, attackers take advantage of both existing security vulnerabilities and the browser’s inbuilt functionality to modify behavior, intercept information and change content. The end result of this can range from eavesdropping to full on data theft that causes financial losses. MITB attacks are typically involved with financial fraud. A classic example is attackers gaining sensitive online banking login credentials, account numbers and so on.

How does the man-in-the-browser attack work?

While there are different ways to carry out a MITB attack, the origin of the attack is the same throughout. MITB attacks begin with a system that is pre-infected with malware, typically a Trojan, which may infect an individual application or OS. This Trojan installs software (such as an extension) onto the target browser. Attacker traffic is masked by user traffic, thereby fooling even the sharpest user into thinking that nothing out of the ordinary is going on. As mentioned above, there are two different approaches to MITB. Below is a brief summary of each.

Browser pivoting

This approach to MITB requires both a high-integrity process and the SeDebugPrivilege to execute. In browser pivoting, malware injects an HTTP proxy server into the user’s compromised browser. This proxy server is available to the attacker and the user’s browser fulfills all requests coming through it, during which time how the user gets to the site is unaffected. Browser pivoting is literally the attacker browser pivoting through the user’s browser. According to MITRE ATT&CK, this approach is epitomized by Cobalt Strike, a penetration testing and threat emulation tool. Despite being benign in origin, Cobalt Strike is used by threat actors, which backs up the old cybersecurity adage that defense is offenses child. Cobalt Strike has put forward three benefits to using this approach to MITB:

Site-agnostic Hard to detect Browser pivot is very visual; it’s easy to demonstrate risk and show what threat actors could do

Web injects

The second approach to MITB is known as web injects, or to inject HTML or JavaScript into the user’s compromised browser. Web injects change what the users see, from basic communication interception to removal of security alerts warning the user.  These packages, or modules, are injected by Trojans that have infected the compromised user’s system. Examples of Trojans that use this approach include Dridex, TrickBot and Zeus.

How to mitigate man-in-the-browser

MITRE has forwarded some recommendations for mitigating MITB attacks.

User account management: Browser pivoting cannot be successfully launched without taking advantage of a high-integrity process. To account for this limitation, privilege escalation, restricting user permissions and bypass user account control opportunities need to be addressed to minimize opportunities for MITB attacks User training: Organization users should be trained in how to handle MITB attacks. Since there is normally no indication from the user’s perspective that their browser is compromised, training users to simply close their browser after using it will sever the connection and stop an MITB attack

How to detect man-in-the-browser attacks

One of the most difficult things about dealing with MITB attacks is that they are difficult to detect. Normal user traffic masks attacker traffic, MITB creates no new processes and malicious logins are difficult to discern from normal user logins. MITRE suggests monitoring browser applications for process injections.

Conclusion

Man-in-the-browser is a relatively new attack technique that is often involved in financial fraud. They take advantage of security vulnerabilities, nothing new for attack techniques, but the worst part is they also use an inherent web browser functionality which cannot be modified by the user.  With proper user account management and user training, organizations can greatly decrease the chances that their users will become another statistic of an MITB attack.   

Sources

Man in the Browser, MITRE Cobalt Strike, Cobalt Strike Man-in-the-Browser Attack (MITB), The Secret Security Wiki