Fox-IT, a Dutch provider of cybersecurity and risk mitigation services, fell victim to a "Man-in-the-Middle" (MitM) cyberattack against the company's ClientPortal document exchange web application.
The Fox-IT cyberattack occurred September 19. A hacker accessed the DNS records for Fox-IT's website domain at its third-party domain registrar. Then, the hacker modified the DNS record for one server to intercept and forward traffic to the original server that belonged to Fox-IT, the company said in a prepared statement.
With the MitM attack, the hacker was able to redirect inbound traffic to ClientPortal and emails going to the Fox-IT website domain for a short period of time, the company said. However, the cyberattacker was unable to access Fox-IT's external or internal systems or gain system-level access to ClientPortal.
Fox-IT limited the total effective MitM attack time to 10 hours and 24 minutes, the company indicated. The company has contacted law enforcement about the MitM attack, and a criminal investigation is underway.
What Is an MitM Attack?
Cybercriminals use MitM attacks to gain access to information that two parties are trying to send to one another.
During an MitM attack, a cybercriminal will insert himself or herself into a conversation between two parties and impersonate both parties. Next, the cyberattacker will attempt to intercept, send and receive data without either parties' knowledge.
MitM attacks often enable hackers to obtain unauthorized access to victims' funds or login credentials. As such, the frequency of MitM attacks may increase in the foreseeable future.
Lessons Learned from the Fox-IT MitM Attack
The Fox-IT MitM attack offers many lessons for MSSPs, and Fox-IT provided the following recommendations to ensure organizations can quickly identify and mitigate MitM attacks:
- Evaluate your DNS provider closely. Select a DNS provider that requires a manual process to implement changes. Or, if frequent DNS changes are necessary, it may be beneficial to choose a DNS provider that requires two-factor authentication.
- Update your system passwords regularly. Ensure all system access passwords are reviewed and updated regularly.
- Verify certificates. Use certificate transparency monitoring to detect, track and respond to fraudulent certificates.
- Explore full packet capture capabilities. Leverage full packet capture capabilities with retention in crucial points of an infrastructure.
- Notify law enforcement. Inform law enforcement at the first sign of an MitM attack.
- Learn about an MitM attack. Understand an MitM attack before taking steps to mitigate it.
Also, MSSPs that deploy a layered approach to cybersecurity and prioritize cyberattack prevention, detection and response may be better equipped than others to limit the impact of MitM attacks, Fox-IT stated.
"It is the combination of these that ultimately determines your overall resilience and cybersecurity stance," the company noted.