Source: davinciforensics.co.za – Author: cyberpro.
MITM (man-in-the-middle) attack is a generic term for a cyber threat in which a criminal positions themselves in the conversation between an application and a user. The goal is either to impersonate one of the participating parties or simply to eavesdrop in order to obtain information. MITM thieves can then access pertinent information such as credit card numbers, login credentials, and account details.
MITM threat actors typically target any website that requires a login, such as e-commerce websites, financial institutions or SaaS companies. Once the data is accessed, the criminals can use it for password changes, identity theft, and unapproved funds transfers. MITM can also serve as a preliminary point of access for an APT (advanced persistent threat).
Two Stages of MITM
The first stage of MITM is “interception”, which is accomplished by routing the user’s traffic through the attacker’s network before it reaches its final destination. The simplest method is what is called a “passive attack” using malicious WiFi hotspots offered for public use. The hotspots are typically not password protected, and once a user connects, the cyber criminal stays on the path and gains full visibility of the user’s data exchange. Other methods involve IP spoofing, where the criminal disguises themselves as an application by altering the IP packet headers, sending the user to a bogus website. ARP spoofing links the attacker’s MAC address with the IP address of a real user on a LAN (local area network) by sending fake ARP messages, so that data from the user is delivered to the criminal’s host IP address. DNS spoofing (aka DNS cache poisoning) is also commonly used; it involves getting into the DNS server and changing the address record of the website, so that when a user tries to access it they are sent to the attacker’s site.
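The ARP spoofing described above leaves a visible footprint on the LAN: an IP address whose MAC suddenly changes, or one MAC claiming several IPs (typically the gateway plus the attacker’s real host). The following is an added example, not code from the article or from DaVinci Cybersecurity, showing the detection logic a network monitor would apply. It runs over a constructed list of ARP reply records (the `ts`, `ip` and `mac` field names are assumptions for the sample format) rather than live packets, so it works offline.

```python
"""Detect ARP cache poisoning symptoms from a stream of ARP replies.

Added example for the article (not the author's code). Input is a constructed
list of ARP reply records; in practice these would come from a packet capture
or a switch's ARP table export.
"""
from typing import Dict, List

# Constructed sample. The gateway 192.168.1.1 is legitimately at ...:01.
# From ts=9 on, replies claim the gateway is at the MAC already used by host
# 192.168.1.50, which is the signature of ARP spoofing on the LAN.
SAMPLE_ARP_REPLIES = [
    {"ts": 1,  "ip": "192.168.1.1",  "mac": "aa:bb:cc:00:00:01"},
    {"ts": 2,  "ip": "192.168.1.50", "mac": "aa:bb:cc:00:00:50"},
    {"ts": 3,  "ip": "192.168.1.20", "mac": "aa:bb:cc:00:00:20"},
    {"ts": 9,  "ip": "192.168.1.1",  "mac": "AA:BB:CC:00:00:50"},  # poisoned reply
    {"ts": 10, "ip": "192.168.1.1",  "mac": "aa:bb:cc:00:00:50"},  # repeat, same MAC
]

# Assumption: the defender knows which IPs are critical (gateway, DNS server).
PROTECTED_IPS = {"192.168.1.1"}


def detect_arp_spoofing(replies, protected_ips=PROTECTED_IPS):
    """Return (alerts, ip_to_mac_table).

    Two kinds of alert are raised:
      mac_changed      - an IP we have already seen now answers with a new MAC
      mac_claims_multi - one MAC is now bound to more than one IP
    Repeated replies with an unchanged binding do not re-alert.
    """
    table: Dict[str, str] = {}        # ip -> most recently seen MAC
    alerts: List[dict] = []
    for r in replies:
        ip, mac = r["ip"], r["mac"].lower()   # normalise MAC case
        prev = table.get(ip)
        if prev == mac:
            continue                          # nothing new to learn
        if prev is not None:
            alerts.append({
                "ts": r["ts"], "kind": "mac_changed", "ip": ip,
                "old_mac": prev, "new_mac": mac,
                "severity": "high" if ip in protected_ips else "medium",
            })
        table[ip] = mac
        owners = sorted(i for i, m in table.items() if m == mac)
        if len(owners) > 1:
            alerts.append({
                "ts": r["ts"], "kind": "mac_claims_multi", "mac": mac,
                "ips": owners,
                "severity": "high" if protected_ips & set(owners) else "medium",
            })
    return alerts, table


if __name__ == "__main__":
    found, final_table = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for a in found:
        print(a)
    print("final table:", final_table)
```

The two checks are complementary: a MAC change alone can be a legitimate hardware swap, but a MAC change on the gateway address combined with that MAC already owning another IP is the pattern worth paging on. Static ARP entries for the gateway, or dynamic ARP inspection on managed switches, are the usual mitigations.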
Decryption is the next stage of these attacks and occurs after the communication has been intercepted. Something to note is that two-way SSL traffic can be decrypted without notifying the application or the user. There are a few ways to accomplish decryption. HTTPS spoofing sends a false certificate to the target browser when the first request to access the secure site is made.
The certificate carries a digital thumbprint of the compromised app, which the browser verifies against its list of trusted sites. The threat actor can then access all data that is entered before it is passed to the app. Another method, called SSL BEAST, targets a vulnerability in TLS version 1.0. In this case the target’s computer is sent malicious JavaScript that captures cookies sent by many web applications; the attacker can then decrypt authentication tokens and cookies. SSL hijacking happens when a cyber criminal passes fake authentication keys to both the application and the user during the initial TCP handshake.
This creates a false secure connection. It differs from SSL stripping, which downgrades the HTTPS (secure) connection to a standard non-secure HTTP connection. The threat actor can then serve the user an unencrypted version of the app’s site while keeping his own session secure.
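SSL stripping, as described above, shows up on the client side as a downgrade: a site that was HTTPS answers with a redirect to HTTP, or a form is posted in plaintext to a host that previously advertised HSTS. The following is an added example, not code from the article or from DaVinci Cybersecurity, that runs these checks over a constructed browser or proxy session log (the entry fields `url`, `method`, `status` and `headers` are assumptions for the sample format). The HSTS parsing also illustrates why a cached `Strict-Transport-Security` policy is the standard mitigation: a browser that has it refuses the plaintext request instead of merely logging it.

```python
"""Flag SSL-stripping symptoms in a recorded HTTP(S) session.

Added example for the article (not the author's code). The session log is
constructed; in practice it would come from a proxy log or browser HAR file.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed session: the first response sets HSTS, then a "redirect" sends
# the client to plaintext HTTP and a login form is posted unencrypted.
SAMPLE_SESSION = [
    {"url": "https://bank.example/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    {"url": "https://bank.example/login", "status": 302,
     "headers": {"Location": "http://bank.example/login"}},   # downgrade redirect
    {"url": "http://bank.example/login", "status": 200, "headers": {}},
    {"url": "http://bank.example/login", "method": "POST", "status": 200, "headers": {}},
]


def parse_hsts_max_age(value):
    """Return the max-age in seconds from an HSTS header value, 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def detect_ssl_stripping(session):
    """Return a list of alerts, each {"index", "kind", "host"}.

    Kinds:
      https_to_http_redirect - an HTTPS response redirects the client to an http:// URL
      plaintext_to_hsts_host - a plain HTTP request to a host that already sent HSTS
      plaintext_form_post    - a POST (likely credentials) sent over plain HTTP
    """
    hsts_hosts = set()     # hosts whose earlier HTTPS response carried a valid HSTS policy
    alerts = []
    for i, entry in enumerate(session):
        parts = urlsplit(entry["url"])
        host, scheme = parts.hostname, parts.scheme
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}

        if scheme == "https":
            if parse_hsts_max_age(headers.get("strict-transport-security", "")) > 0:
                hsts_hosts.add(host)
            if entry["status"] in REDIRECT_CODES:
                if urlsplit(headers.get("location", "")).scheme == "http":
                    alerts.append({"index": i, "kind": "https_to_http_redirect", "host": host})
        elif scheme == "http":
            if host in hsts_hosts:
                alerts.append({"index": i, "kind": "plaintext_to_hsts_host", "host": host})
            if entry.get("method", "GET").upper() == "POST":
                alerts.append({"index": i, "kind": "plaintext_form_post", "host": host})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssl_stripping(SAMPLE_SESSION):
        print(alert)
```

A real stripping proxy would normally remove the HSTS header before it reaches the victim, which is exactly why the policy only protects users whose browser cached it on an earlier clean visit, and why preloading the domain in browser HSTS lists closes that first-visit gap.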
“DaVinci Cybersecurity continues our efforts to inform, educate and protect our clients from the dangers of cyber attacks. The world of cybersecurity is ever changing and we must remain vigilant to keep up with and overtake the methods used by these criminals.”
– Sharon Knowles, CEO DaVinci Cybersecurity
Original Post url: https://davinciforensics.co.za/cybersecurity/man-in-the-middle-cyber-attacks/
Category & Tags: Cyber Security, cyber security, cybersecurity, hacking, man in the middle