MITMA stands for Man-in-the-Middle Attack, the term used to describe one of the oldest but still exceptionally popular forms of attack. In this attack, an adversary places themselves between two computers or devices that are communicating with one another, typically by intercepting an unsecured connection such as an open wireless network, although any network path the attacker can reach will do. Once positioned on the network, the attacker impersonates each side to the other in order to steal information and sensitive data, hijack email sessions, strip or spoof SSL/TLS, and eavesdrop on conversations.
In this type of attack, a man in the middle can not only collect and snoop on private conversations and communications and steal data, including credentials and passwords, but can also modify the traffic sent between the two parties, injecting false information or altering instructions without either side noticing.
‘Man-in-the-Middle attacks are incredibly common primarily because it’s an easy attack vector. According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves Man-in-the-Middle Attacks. One of the prime reasons that MITM have become such a common attack vector is that Wi-Fi is a vulnerable technology.’ – IBM
If the attacker has done their research, often through social engineering to learn about the two devices or parties involved, such an attack can be exceedingly hard to detect. Once the attacker is in position, links that look genuine can be sent to reroute victims to malicious sites instead. Once on such sites, the victim can fall prey to phishing campaigns, which can lead to larger attacks, including ransomware.
“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to. So, they’re either passively listening in on the connection or they’re actually intercepting the connection, terminating it and setting up a new connection to the destination” – Johannes Ullrich, dean of research at SANS Technology Institute.
MITMA Attacks in the Finance Sector
MITMAs can affect businesses and personal devices alike. Say, for instance, that you want to make a bank transfer from your phone. If a man-in-the-middle attack takes place, the attacker would be able to see the transfer being made and, in response, change the destination account number and the amount transferred. Not only could numbers be altered, but the bad actor could also harvest the data, including login credentials, and use or sell them; and if anything was being downloaded or updated during the session, a compromised version filled with malware could be substituted and injected into the system.
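The transfer-tampering scenario above, as an added example that is not part of the original article: the attacker sits between the app and the bank, rewrites the destination account and amount, and the bank's verification of an integrity tag catches the change. The shared key, account numbers and field names are constructed for illustration (in a real deployment TLS provides this integrity protection, which is why a client that skips certificate checks loses it).

```python
import hashlib
import hmac
import json

# Constructed example key: in practice a session key agreed at login (hypothetical).
SHARED_KEY = b"session-key-derived-at-login"


def canonical(body: dict) -> bytes:
    """Serialise the transfer deterministically so both sides tag the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transfer(transfer: dict, key: bytes = SHARED_KEY) -> dict:
    """Client side: attach an HMAC-SHA256 tag over the transfer body."""
    tag = hmac.new(key, canonical(transfer), hashlib.sha256).hexdigest()
    return {"body": transfer, "tag": tag}


def verify_transfer(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Bank side: recompute the tag over what was received; constant-time compare."""
    expected = hmac.new(key, canonical(message["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def man_in_the_middle(message: dict) -> dict:
    """Simulate the attacker from the text: redirect the money and raise the amount.

    The attacker can read and rewrite the body in transit but does not hold the
    key, so the tag it forwards no longer matches the body.
    """
    tampered = dict(message)
    tampered["body"] = dict(message["body"],
                            to_account="GB00ATTK00000000000000",  # constructed
                            amount="9500.00")
    return tampered


def demo() -> tuple:
    """Returns (untouched transfer verifies, tampered transfer verifies)."""
    original = sign_transfer({"from_account": "GB00BANK11111111111111",  # constructed
                              "to_account": "GB00BANK22222222222222",    # constructed
                              "amount": "150.00"})
    intercepted = man_in_the_middle(original)
    return verify_transfer(original), verify_transfer(intercepted)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the `compare_digest` call is that a naive `==` on the tag would let an attacker who can time responses recover the tag byte by byte; the point of the tag itself is that confidentiality alone does not stop modification, integrity protection does.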
There have been many MITMAs reported within the financial sector, particularly involving banking apps. According to Trend Micro, ‘The security flaw lies in the verification process of certificates used by the applications’, and such flaws have been seen in apps ‘including those from Bank of America, Meezan Bank, Smile Bank, and HSBC, and VPN app TunnelBear’. An app that does not validate the server's certificate chain and hostname will happily complete a TLS handshake with an attacker's server, so the encryption offers no protection against interception.
The 2017 Equifax data breach is often cited as a man-in-the-middle case: attackers who had gained a position inside the network were able to read the personal details and login credentials that users had entered into Equifax's web forms. The initial foothold, it should be said, came from an unpatched vulnerability in a public-facing web application rather than from an intercepted wireless link; what makes the case relevant here is that the attackers' encrypted traffic crossed the network unseen for months.
But how did the attackers stay unnoticed inside the network? Equifax used tools purchased from third parties whose certificates needed to be renewed on an annual basis. They had, however, failed to renew the certificate on the appliance that inspected encrypted traffic for signs of data exfiltration. In fact, it had gone unrenewed for the greater part of ten months. This meant that for those months the encrypted traffic crossing the network was not being inspected at all, giving attackers ample time to insert themselves, steal data, commit fraud and obfuscate their activity. It was only once the company renewed the certificate and inspection resumed that the breach became evident.
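Two checks a practitioner would want from the banking-app and Equifax passages above, as an added example that is not code from the article, Trend Micro or Equifax: a TLS client configured the way the flawed apps were (accepting any certificate) beside the hardened configuration, a certificate-pin check, and an expiry check of the kind that would have flagged the lapsed inspection-appliance certificate. The sample DER bytes and certificate inventory are constructed, not real certificates; `SAMPLE_DER` and `SAMPLE_INVENTORY` are names introduced here.

```python
import hashlib
import hmac
import ssl

# Constructed placeholders: not real certificates.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-der-placeholder"
SAMPLE_INVENTORY = [
    {"name": "tls-inspection-appliance", "notAfter": "Jan 31 00:00:00 2016 GMT"},
    {"name": "vpn-gateway", "notAfter": "Jan 15 00:00:00 2017 GMT"},
    {"name": "web-frontend", "notAfter": "Dec 31 23:59:59 2030 GMT"},
]


def insecure_client_context() -> ssl.SSLContext:
    """The flaw Trend Micro describes: the client never checks who it is talking to,
    so a certificate forged by a man in the middle is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Chain validation against the system trust store (or a supplied CA bundle),
    hostname checking, and no legacy protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as shipped inside a pinning app."""
    return hashlib.sha256(cert_der).hexdigest()


def certificate_matches_pin(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Certificate pinning: compare the fingerprint of the certificate the server
    presented (ssl_socket.getpeercert(binary_form=True)) with the pinned value."""
    return hmac.compare_digest(fingerprint(cert_der), pinned_sha256_hex.lower())


def certificate_expiry_status(cert: dict, now: float, warn_days: int = 30) -> str:
    """Classify a certificate record as 'expired', 'expiring' or 'ok'. 'notAfter' is in
    OpenSSL's 'Jan 31 00:00:00 2016 GMT' form, which ssl.cert_time_to_seconds parses."""
    remaining_days = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if remaining_days < 0:
        return "expired"
    if remaining_days < warn_days:
        return "expiring"
    return "ok"


def expiry_report(inventory, now: float) -> dict:
    """Map each certificate name to its status; anything not 'ok' should page someone."""
    return {c["name"]: certificate_expiry_status(c, now) for c in inventory}


if __name__ == "__main__":
    print(context_verifies_peer(insecure_client_context()),
          context_verifies_peer(hardened_client_context()))
    print(expiry_report(SAMPLE_INVENTORY, now=1483228800.0))  # 1 Jan 2017 UTC
```

`expiry_report` is the check that should run continuously against every certificate an organisation owns, including those on monitoring and inspection appliances, because an expired certificate on such a device fails silently: traffic keeps flowing, it just stops being inspected.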
‘Considering the Equifax attack scenario, it could have been easily avoided if there was full digital footprint monitoring including their third-party and supplier using external web application scanning/patching and third-party risk monitoring. Such solutions can help in pre-empting future breaches by detecting such easily forgotten enablers of compromise. Post a successful MITMA, having a continuous dark-web monitoring capability is extremely important to limit its implications by detecting sensitive information that could have successfully been leaked and made it into any of the dark web forums. MITMA’s are here to stay simply due to their effectiveness and ease of deployment, especially with the recent cloud adoption and continuous digitisation having tens of millions of connections going to the cloud and IoT, accompanied with the lack of having adequate security controls in place for mitigating different forms of MITMA.’ – Islam Rashad, Cyber Security Solutions Presales Consultant, SecurityHQ
5 Recommendations to Reduce MITMAs
In the case of MITMAs, a focus on prevention is a better strategy than trying to clean up after an attack. MITMAs are hard to detect and even harder to remediate. Follow these 5 steps to improve your security posture.
- Ensure that encryption is used consistently for business accounts and devices: TLS for data in transit, so that intercepted traffic cannot be read or silently altered, and full-disk encryption for data at rest, so that if devices are lost or stolen the data on them cannot be read. Encryption protects confidentiality and integrity; it does not by itself prevent ransomware or identity theft, so treat it as one control among several.
- Do not use public or open Wi-Fi; use only secure networks. On an open Wi-Fi network it is very easy for bad actors to join the same network and observe your activity. Accessing work documents and email over an unsecured network adds a further level of risk, because it makes it easier for a man in the middle to hijack those communications.
- Use a VPN to secure connections. Even on a trusted Wi-Fi network, a VPN encrypts all traffic between your device and the VPN endpoint, so anyone sitting on the local network or on the path to that endpoint sees only an encrypted tunnel; it also hides your IP address, lets you use geo-blocked services and avoids bandwidth throttling. Bear in mind that a VPN moves the trust boundary to the VPN provider and does not replace certificate validation in the applications themselves.
- Use multi-factor authentication for all accounts, both work and private. Multi-factor authentication combines two or more independent factors: something the user knows, such as a username/email and password; something the user has, such as a mobile device that receives a text message or runs an authenticator app; and something the user is, verified through biometrics such as face recognition, a fingerprint or a retina scan. For especially valuable accounts, access can additionally be restricted to a specific place or time. For everyday accounts, combining two or more of the above factors will suffice, though a man in the middle who proxies the login page in real time can relay a one-time code, so phishing-resistant methods such as FIDO2 security keys offer the strongest protection against MITMAs.
- Ensure that you have the right network security controls in place via your MSSP (Managed Security Service Provider), and that you are using the right Endpoint Protection and MDR (Managed Detection and Response) to detect stealthy and often devastating attacks.
Most importantly, if you suspect any rogue activity, report it to your security team; and if you receive suspicious communication from an otherwise genuine source, reach out to them through a separate channel to confirm that they sent what you received, and vice versa.
SecurityHQ prides itself on its global reputation as an advanced Managed Security Service Provider, delivering superior engineering-led solutions to clients around the world. By combining dedicated security experts, cutting-edge technology and processes, clients receive an enterprise grade experience that ensures that all IT virtual assets, cloud, and traditional infrastructures, are protected.
Eleanor Barlow (Content Manager, SecurityHQ)
For media enquiries please contact Eleanor Barlow, +44-(0)20-332-706-99, firstname.lastname@example.org