Man-in-the-Middle (MITM or MitM) attacks are about to become famous, in the way that ransomware, Petya, Distributed Denial of Service (DDoS), and credit-card skimmers have become famous.
MITM attacks go back thousands of years: A merchant writes a parchment offering to buy spices, and hands it to a courier to deliver to his supplier in a far-away land. The local courier hands the parchment to another courier, who in turns hands it to another courier, and so-on, until the final courier gives the parchment to the supplier. Unbeknownst to anyone, however, one of the couriers was a swindler who might change the parchment to set up a fraud, or who might sell details of the merchant’s purchase offer to a competitor, who could then negotiate a better deal.
In modern times, MITM takes advantage of a weakness in the use of cryptography: Are you completely sure who you’re set up that encrypted end-to-end message session with? Perhaps it’s your bank… or perhaps it’s a scammer, who to you looks like your bank – but to your bank, looks like you. Everyone thinks that it’s a secure communications link, but the man-in-the-middle sees everything, and might be able to change things too.
According to Wikipedia, “In cryptography and computer security, a man-in-the-middle attack (MITM; also Janus attack) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.”
We haven’t heard much about MITM attacks, because, quite frankly, they’ve not been in the news associated with breaches. That changed recently, when Fox-IT, a cybersecurity firm in Holland, was nailed with one. Writing on their blog on Dec. 14, 2017, the company said:
In the early morning of September 19 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT. This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.
The company pointed to several weaknesses in their security setup that allowed the attack to succeed: The DNS provider’s password hadn’t been changed since 2013; two-factor authentication (2FA) wasn’t used or even supported by the DNS provider; and heavier-than-usual scans from the Internet, while detected by Fox-IT, weren’t flagged for investigation or even extra vigilance.
How To Prevent MITM Attacks
After a timeline discussion and more technical analysis, Fox-IT offered suggestions on how to handle such incidents, and I quote:
- Choose a DNS provider that doesn’t allow changes through a control panel but requires a more manual process, considering that name servers are very stable and hardly ever change. If you do require more frequent changes, use 2FA.
- Ensure that all system access passwords are reviewed regularly and changed, even those which are used rarely.
- Deploy certificate transparency monitoring in order to detect, track and respond to fraudulent certificates.
- Deploy full packet capture capabilities with good retention in crucial points of your infrastructure, such as the DMZ and border gateways.
- Always inform Law Enforcement at an early stage, so that they can help you with your investigations, as we did in our case.
- Make it a management decision to first understand an attack before taking specific actions to mitigate it. This may include letting an attack continue for a short period of time. We consciously made that decision.
It’s a shame about Fox-IT’s breach, but the company responded correctly and promptly once the breach was detected. This is the first serious instance of a successful MITM attack I’ve heard about in some time – but probably won’t be the last.