The first man-in-the-middle attacks (MitM) attacks occurred decades ago. While the concept remains the same, attackers continue evolving the specifics as defenses close off easier methods.
Although general IT security strategies, such as defense-in-depth and cybersecurity monitoring, can deny attacks inside of your organization, MitM attacks occur between the hardened assets and remote users.
Fortunately, once you understand how these attacks work, you can deploy defenses against them.
Let’s take a look at what man-in-the-middle attacks are, and what steps you can take to stay protected.
Defining Man-in-the-Middle Attacks
The term ‘man-in-the-middle’ defines the attack pretty well.
MitM attacks can be inserted in between any two resources. However, most attacks occur in the space between users and servers – often on public wi-fi routers. However, other attack examples include between an application and a database, or between a gateway and a router.
While the user and the server think they are communicating directly, the attacker inserts a device or application between the two. At that point, the attacker has placed a ‘man-in-the-middle’.
Once in the middle, the attacker will impersonate the server when communicating with the user, and impersonate the user when communicating to the server.
If executed well, neither the user nor the resource notices the attacker in the middle intercepting the traffic.
MitM Attack Tactics
Some common forms of MitM include spoofing Address Resolution Protocol (ARP), spoofing Domain Name Service (DNS), packet injections, IP spoofing, or session hijacking.
Fortunately, even basic multi-factor authentication (MFA) can defeat most simple MitM attacks. Additionally, some major website-based services, such as Google and Microsoft, also deploy security to detect and stop common MitM attacks.
Normally, reverse proxies intercept traffic and distribute it to multiple potential servers to balance loads. However, attackers can use the technology to intercept traffic.
Recent attacks not only illustrate the MitM attack, but also ways to bypass specific types of MFA.
Let’s break down a few of the most recent, next.
Classic MitM + MFA Theft
Recently, attackers attempted to penetrate several prominent tech companies by using an MitM text phishing attack which linked to attacker-controlled websites.
When prompted for MFA, the malicious site used Telegram instant message bots to instantly forward credentials and MFA. In this manner, employees could log into their company website, while attackers also authorized their MitM server for future attacks.
In a slight variation, another attacker forwarded the SMS directly to the company resource. But, they then stole the user’s browser cookie that granted resource access. The attackers then added new MFA devices so they could perform authentication without notifying the user.
Remote Access Technology Interception
In another instance, phishing attackers re-routed traffic to their own servers, then combined the noVNC screen sharing system and Firefox in Kiosk mode. This combination fooled users into believing they were logged directly into the correct site.
Users entered what they thought were legitimate app or SMS codes to gain access to ‘their’ resource without any suspicions. However, the attackers captured the credentials, while the resource authenticated the noVNC server instead of the user’s device.
URL Redirect Hijack
OAuth MFA redirects users from their destination website to an authenticator to validate credentials (for example, Azure Active Directory). After authentication, the authenticator provides a ‘token’, and the user’s browser should then return to the destination website with the token.
However, weak OAuth 2.0 implementations can allow attackers to hijack this flow and redirect users from legitimate websites to malicious websites.
Users believe they’re submitting credentials through a trusted website, like Microsoft, for example. Instead, however, they’re leaking their credentials or downloading malware, without realizing it.
Although this attack doesn’t remain an MitM attack, it does use man-in-the-middle to add credibility to phishing attacks.
Man-in-the-Middle Attack Prevention
So, how do you guard against these man-in-the-middle attacks?
Well, basic defenses against MitM attacks include:
- MFA – although one-time passwords can be intercepted, as noted above.
- Require encrypted point-to-point connections between users and resources: virtual public network (VPN) connections, secure gateways, HTTPS connections, etc.
- Strong access point security: robust router login credentials and strong WEP/WAP encryption on Wi-Fi routers.
- Don’t click on links. Instead, attempt to access URLs directly, with bookmarks or by typing in URLs. This avoids look-alike or hidden characters used in URL spoofing.
- Verify devices through Public Key Pair Based Authentication, TSL Handshakes, MAC address whitelisting, or RADIUS certificates.
Other, more specific security approaches, depends heavily on deployed IT infrastructure and typical user behavior. It’s not always easy navigating the endless options to find simple, affordable solutions to block attacks such as MitM.
The good news is that you never need to go it alone.
Blue Bastion, along with our partner division Ideal Integrations, can provide no-obligation consultations to outline reasonable solutions appropriate for your organization’s resources. Just contact us at 412-349-6680, or fill out the form below, and we’ll apply offer expert guidance to secure your systems today.
And, as always, stay vigilant.