

Mechanism and Prevention of MitM Attack


What is a MitM attack?

A Man-in-the-Middle (MitM) attack is one in which an attacker secretly intercepts the communication between two parties in order to eavesdrop on or modify traffic in transit. Attackers use MitM attacks to steal login credentials or personal information, spy on victims, disrupt communication, or corrupt data.

"MitM attacks are, after all, a strategic vehicle," said Jeky Tredy, technology strategist at CrowdStrike. 

MitM attacks can be prevented with encryption, but they are very difficult to detect because the attacker either diverts traffic to a phishing site designed to look legitimate, or captures or logs the traffic and then passes it on to its intended destination.

Mechanism of MitM attack

MitM attacks are one of the oldest forms of cyberattack. Computer scientists have been working on ways to prevent threat actors from interfering with or eavesdropping on communications since the early 1980s.

A MitM attack consists of observing or manipulating traffic between two parties. This can be done by interfering with a legitimate network or by setting up a fake network under the attacker's control. The attacker then strips encryption from the intercepted traffic in order to steal or alter it, or forwards it to a destination of the attacker's choosing (such as a phishing login site). Attacks can be difficult to spot because the attacker can log or modify the intercepted traffic and then silently forward or re-encrypt it.

Johannes Ulrich, head of research at the SANS Technology Institute, said: "In a MitM attack, the attacker sits between the victim and the legitimate host to which the victim is trying to connect. They can either passively eavesdrop on the connection or actually intercept it, terminating the connection and establishing a new one to the destination."

MitM covers a wide variety of techniques and potential outcomes, depending on the target and purpose. In SSL stripping, for example, the attacker establishes an HTTPS connection between themselves and the server but talks to the user over insecure HTTP, so the user's information travels in plaintext without encryption. In an Evil Twin attack, an access point (AP) fully controlled by the attacker pretends to be a legitimate Wi-Fi AP, letting the attacker monitor, collect and manipulate anything the user transmits.
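The SSL stripping described above only works if the victim's browser is still willing to send a plaintext HTTP request. The following added example (not from the article) models the HSTS cache a modern browser keeps, as defined in RFC 6797: once a site has been seen over HTTPS with a Strict-Transport-Security header, any http:// link a stripping proxy hands the user is upgraded before the request leaves the machine. The host names are constructed for the demonstration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=None):
        self.policies = {}
        self.now = now or time.time  # injectable clock so expiry can be tested

    def record(self, host, header):
        """Remember the Strict-Transport-Security policy seen on an HTTPS response."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # RFC 6797: a header with no max-age is ignored
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 withdraws the policy
        else:
            self.policies[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            expiry_and_flag = self.policies.get(".".join(labels[i:]))
            if expiry_and_flag and expiry_and_flag[0] > self.now():
                if i == 0 or expiry_and_flag[1]:
                    return True
        return False

    def upgrade(self, url):
        """What the browser does before sending: rewrite http:// to https:// for a
        known host, so a link downgraded by a stripping proxy never leaves in plaintext."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc.replace(":80", "", 1)
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

A host the browser has never seen over HTTPS (and that is not on the preload list) gets no protection from this cache, which is why the first visit remains the weak point of SSL stripping defences.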

"This type of attack can be used for espionage or economic gain or simply for disruption," Tredy said. 

In the case of online banking, an attacker can see a user's transfer and change the destination account number or the amount. Threat actors also use MitM attacks to collect personal information or login credentials. If an attacker sees that an application is being downloaded or updated, they can deliver a tampered update that installs malware in place of the legitimate one.

The EvilGrade exploit kit was built specifically to exploit insecure update mechanisms. Mobile devices are particularly vulnerable because they often fail to encrypt their traffic.

"Such an attack can easily be automated," explains Ulrich. "There are tools that automate it: they find the password and write it to a file as soon as it is found, or wait for a specific request, such as a download, and then redirect the malicious traffic."

These Wi-Fi or physical-network attacks require proximity to the victim or the target network, but it is also possible to hijack routing protocols remotely. "This is a more difficult and sophisticated attack method," says Ulrich. "The attacker can present himself as the party that manages these IP addresses on the Internet, so that these IP addresses are routed to the attacker, and then launch a MitM attack from there."

"You can also change the DNS settings for a specific domain (DNS spoofing). So if you visit a specific website, you are actually connecting to the wrong IP address, supplied by the attacker, and the attacker can again launch a MitM attack," he added.

Although most attacks take place over wired networks or Wi-Fi, MitM attacks can also be carried out with fake cellular base stations. Law enforcement agencies in the United States, Canada and the United Kingdom have been found to use fake base stations called Stingrays to collect large amounts of information. Stingray devices are also available for purchase on the Dark Web.

Researchers at the Technical University of Berlin, ETH Zurich, and SINTEF Digital in Norway recently discovered a flaw in the Authentication and Key Agreement (AKA) protocol, which is used in 3G and 4G and will be used in the rollout of 5G wireless technology, that allows an attacker to carry out a MitM attack.

MitM attacks are widespread

Although not as common as ransomware or phishing attacks, MitM attacks have always been present. According to IBM X-Force's 2018 Threat Intelligence Index, attackers attempted MitM attacks in 35% of exploit activity, although precise figures are difficult to calculate.

"These reports suggest that MitM attacks are not surprisingly common," said Alex Hincliffe, threat intelligence analyst at Unit 42 at Palo Alto Networks. The same result can also be achieved with malware installed on the system. "If there is a simpler way to carry out an attack, the enemy will take the easy route."

A recent striking example is a group of Russian GRU agents who used a Wi-Fi spoofing device in an attempt to break into the offices of the Organization for the Prohibition of Chemical Weapons.

At the same time, the potential threat of some MitM attacks has decreased with the spread of HTTPS and in-browser warnings. In 2017 the Electronic Frontier Foundation (EFF) reported that half of all internet traffic was encrypted; Google has since said that more than 90% of traffic is encrypted in some countries, and major browsers such as Chrome and Firefox warn users when they may be at risk of a MitM attack.

"The increase in SSL adoption and the introduction of modern browsers such as Google Chrome have reduced the number of MitM attacks on public Wi-Fi hotspots," said Tredy of CrowdStrike. "Currently, very sophisticated attacks often use the MitM principle. An example observed in a recent open-source report is malware in the SWIFT network of a large financial organization that used the MitM technique to secretly transfer funds into the accounts of cybercriminals while presenting fake account balances."

But the threat still exists. The Retefe banking Trojan, for example, redirects traffic for banking domains through an attacker-controlled server, which decrypts and manipulates the request, then re-encrypts the data and sends it on to the bank. A flaw recently discovered in the TLS protocol, including the latest version 1.3, allows attackers to break the RSA key exchange and intercept data.

How to prevent MitM attacks

Flaws are found from time to time, but encryption protocols such as TLS remain the best defence against MitM attacks. The latest version of TLS, 1.3, became an official standard in August 2018. There are also newer protocols such as SSH and Google's QUIC.

In end-user training, employees should be told to avoid open public Wi-Fi where possible, since it is easier to spoof than a cellular base station connection, to heed browser warnings that a site or connection may not be secure, and to use a VPN for secure connections.

"The best practice is to include multi-factor authentication to maximize network control and visibility and isolate the network," said Hincliffe of Palo Alto.

Preventing an attack before it occurs is better than trying to remediate it afterwards, especially for attacks as elusive as these. "These attacks are inherently cunning and difficult for most traditional security devices to detect in the first place," said CrowdStrike's Tredy.

If quantum cryptography becomes commercially available, it could fundamentally block MitM attacks, since quantum states cannot be copied without disturbing them.

The Next Area of MitM Attacks: the Internet of Things

Analysts predict that the number of Internet-connected devices will grow to tens of billions over the next five years. Unfortunately, the growth of IoT could lead to an increase in MitM attacks, as many devices lack basic security features. We have already reported that MitM-style attacks can be carried out against IoT devices, feeding bogus data back to organizations or issuing false commands to the devices themselves.

"IoT devices tend to be more vulnerable to attacks because they don't implement many standard mitigations against MitM attacks," Ulrich said. "Many IoT devices have not yet implemented TLS, or have implemented older versions that aren't as robust as newer versions."

A new study by Ponemon Labs and OpenSky found that 61% of security practitioners in the United States said they were unable to control the proliferation of IoT and IIoT devices within their enterprises, and 60% said they were unable to prevent IoT- and IIoT-related security exploits and data breaches.

"There are a lot of mobile applications and IoT devices, but the problem is that there is no security," warns Ulrich. "Some of these applications will ignore these errors and still connect, which defeats the purpose of TLS."
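The failure Ulrich describes, an application that ignores TLS errors and connects anyway, comes down to the client's TLS settings. This added example (not from the article or any of the quoted vendors) uses Python's standard ssl module to show the weak client configuration beside a hardened one, plus an audit function that lists what an interceptor could exploit; the cafile parameter and the finding strings are assumptions of this example.

```python
import ssl


def insecure_context():
    """The client pattern a MitM relies on: no certificate verification, no
    hostname check, and legacy protocol versions still allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a forged one, is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # some OpenSSL builds refuse TLS 1.0
    except ValueError:
        pass
    return ctx


def hardened_context(cafile=None):
    """Verify the chain against trusted roots, check the hostname, and refuse
    anything below TLS 1.2. cafile is optional: the platform store is used otherwise."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the weaknesses in a client SSLContext that an interceptor could exploit.
    An empty list means the context rejects forged certificates and downgrades."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: a forged certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another site passes")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed: open to protocol downgrade")
    return findings
```

Running audit_context over the contexts an application actually builds is a cheap way to catch the "connect anyway" pattern in code review or CI before a device ships.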