Here’s an endpoint you don’t often think about: your car. But if it’s Wi-Fi enabled, as many new models are, that means it resides at the end point of a network connection and can communicate on that network, making it an endpoint.
This new element of the overall attack surface has not appeared without threat actors taking notice, either. In March of 2024, researchers demonstrated a Man-in-the-Middle (MitM) phishing attack that allowed them to compromise Tesla accounts, enabling them to unlock and even start the vehicles by registering a new ‘Phone key’ that could be used to access the Tesla. While it was responsibly disclosed and no real-world attacks have been documented, the fact that it was possible shone a fresh light on the staying power of MitM attacks.
What Are Man-in-the-Middle Attacks?
Also known as “adversary-in-the-middle” or “manipulator-in-the-middle” attacks, this high-tech form of eavesdropping involves a threat actor getting between you and the party to which you’re attempting to send your data or information. This kind of attack typically occurs when a user is connected to public or unprotected Wi-Fi, which highlights the importance of VPNs, strong password hygiene, and identity and access management (IAM) best practices like multi-factor authentication (MFA). Once a cybercriminal has positioned themselves between the user and the network, they can deploy tools that capture credentials, deliver malware, or block data in transit.
Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers, or an illicit password change. Additionally, it can be used to gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.
Common Types of Man-in-the-Middle Attacks
Session Hijacking
With this attack, the hacker hijacks a session between the client and server. The hacker can use this attack to eavesdrop on communications or spoof the identity of the client completely, allowing them to gain access to sensitive data or manipulate transmitted content as desired. For example, in 2015 cybercriminals used man-in-the-middle attacks to steal six million Euros from companies across Europe. The hackers used the technique to monitor communications for payment requests, and then used their access to reroute payments to bank accounts under their control.
Wi-Fi Eavesdropping
With this attack, a threat actor can intercept and monitor wireless network traffic by setting up a fake Wi-Fi access point that mimics a legitimate network or by using tools to eavesdrop on existing network traffic. This type of attack is common on unsecured or poorly secured public Wi-Fi networks. By taking advantage of weak or absent encryption, the attacker can capture sensitive information, such as login credentials and financial data, transmitted between devices and the network.
DNS Spoofing
Also known as DNS cache poisoning, this type of MitM attack exploits vulnerabilities in the Domain Name System (DNS), which translates domain names into IP addresses. During a DNS spoofing attack, the threat actor injects false information into the DNS cache of a DNS resolver or server, causing it to return incorrect IP addresses for targeted domain names. This manipulation allows them to intercept traffic and redirect users from legitimate websites to malicious ones.
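The defensive side of the paragraph above is worth seeing in code: a caching resolver only trusts a reply that matches an outstanding query, and only caches records from the zone the answering server is responsible for. The following is an added example, not Arctic Wolf’s code, and it models queries and replies as plain dicts (constructed for the example, not parsed packets); the server and host addresses are RFC 5737 documentation ranges.

```python
"""Added example, not Arctic Wolf's code: the acceptance checks a caching
resolver applies before it trusts a DNS reply. A poisoning attempt has to
get past all of them: the forged reply must match an outstanding query's
transaction ID, source port, question and server, and only records inside
the zone that server is responsible for (its "bailiwick") are cached.
Queries and replies are plain dicts constructed for the example, not
parsed wire-format packets; addresses are RFC 5737 documentation ranges."""
import secrets


def _fqdn(name):
    """Normalise a name to lower-case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def new_query(qname, server, zone):
    """Record an outstanding query. The 16-bit transaction ID and the
    ephemeral source port are both random, so a blind forger has to guess
    roughly 2^32 combinations rather than 2^16."""
    return {
        "qname": _fqdn(qname),
        "server": server,
        "zone": _fqdn(zone),
        "txid": secrets.randbelow(1 << 16),
        "port": 1024 + secrets.randbelow(65536 - 1024),
    }


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it."""
    owner = _fqdn(owner)
    return owner == zone or owner.endswith("." + zone)


def accept_reply(pending, reply):
    """Decide whether `reply` may enter the cache.

    `pending` is a list of new_query() records; `reply` has the keys
    server, txid, port, qname and records, where records is a list of
    (owner, rrtype, rdata). Returns (records_to_cache, reason).
    """
    match = next(
        (q for q in pending
         if q["server"] == reply["server"]
         and q["txid"] == reply["txid"]
         and q["port"] == reply["port"]
         and q["qname"] == _fqdn(reply["qname"])),
        None)
    if match is None:
        return [], "rejected: no outstanding query matches txid/port/question/server"
    pending.remove(match)  # a query is answered once; late duplicates are dropped
    kept = [r for r in reply["records"] if in_bailiwick(r[0], match["zone"])]
    dropped = len(reply["records"]) - len(kept)
    if dropped:
        return kept, f"accepted, dropped {dropped} out-of-bailiwick record(s)"
    return kept, "accepted"


def demo():
    """Run one legitimate reply and one forged reply through the checks."""
    server = "192.0.2.53"  # example.com's nameserver (constructed)
    pending = [new_query("www.example.com", server, "example.com")]
    q = pending[0]
    genuine = {
        "server": server, "txid": q["txid"], "port": q["port"],
        "qname": "www.example.com.",
        "records": [
            ("www.example.com.", "A", "198.51.100.10"),
            # A smuggled record for a different zone must not be cached.
            ("login.bank.example.net.", "A", "203.0.113.9"),
        ],
    }
    genuine_result = accept_reply(pending, genuine)

    # Second run: same reply shape, but the transaction ID is off by one,
    # which is what a blind forgery looks like to the resolver.
    pending = [new_query("www.example.com", server, "example.com")]
    q = pending[0]
    forged = dict(genuine, txid=(q["txid"] + 1) % 65536, port=q["port"])
    forged_result = accept_reply(pending, forged)
    return genuine_result, forged_result, len(pending)


if __name__ == "__main__":
    print(demo())
```

The bailiwick check is the part most often overlooked: even a reply that matches the query perfectly may carry extra records, and caching those for unrelated domains is exactly how a poisoned entry for a bank or mail server gets planted.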
ARP Cache Poisoning
The Address Resolution Protocol (ARP) maps an internet layer address, such as an IP address, to a link layer address, such as a Media Access Control (MAC) address; every host on a local network relies on it to deliver packets to the right machine. In an ARP cache poisoning attack, a threat actor sends fraudulent ARP messages that deceive the victim’s computer into recording the attacker’s MAC address as the address of the legitimate network gateway. As a result, the victim’s device routes all its network traffic through the attacker’s system instead of the actual gateway, enabling the attacker to intercept, monitor, and capture sensitive information like credentials.
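What this looks like from the monitoring side: the gateway’s IP address is suddenly announced by a MAC address it was never bound to, and the same MAC tends to claim more than one IP. The detector below is an added example, not Arctic Wolf’s code; the ARP reply records it runs over are constructed for the example rather than taken from a real capture.

```python
"""Added example, not Arctic Wolf's code: a small detector for the ARP
cache poisoning pattern described above. It watches a stream of ARP
replies and raises an alert when an IP address, above all the gateway's,
is suddenly announced by a different MAC address, or when one MAC claims
several IPs. The reply records below are constructed for the example."""
from collections import defaultdict

# Constructed sample: (seconds since start, sender IP, sender MAC) taken
# from ARP replies seen on one LAN segment. The gateway is 192.168.1.1.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway
    (1, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # workstation
    (2, "192.168.1.30", "aa:aa:aa:aa:aa:30"),  # printer
    (5, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by a new MAC
    (6, "192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC now also claims the workstation
]


def detect_arp_poisoning(replies, gateway_ip, trusted=None):
    """Return a list of alert strings for the given reply stream.

    Two signals are checked:
      1. an IP already bound to one MAC is announced by a different MAC
         (HIGH severity for the gateway IP, MEDIUM for any other host);
      2. one MAC claims more than one IP, the classic footprint of a host
         that poisons both the victim and the gateway to sit in between.
    `trusted` optionally seeds the table with static IP->MAC bindings,
    e.g. the gateway's real MAC from DHCP or inventory records.
    """
    bindings = dict(trusted or {})      # IP -> MAC most recently seen
    ips_per_mac = defaultdict(set)      # MAC -> set of IPs it has claimed
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity} t={ts}: {ip} rebound from {previous} to {mac}")
        # Follow the latest claim so that a later flap back is flagged too.
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(
                f"MEDIUM t={ts}: {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

Seeding the table from a trusted source matters: without it, the first announcement wins, so a detector started after the poisoning began would treat the attacker’s MAC as the baseline. Switch features such as dynamic ARP inspection apply the same idea at the port level.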
Stages of a Man-in-the-Middle Attack
Like most advanced cyber attacks, a MitM attack unfolds over several distinct stages, each involving specific techniques and strategies designed to compromise data integrity and confidentiality. Understanding these stages can help you identify and mitigate MitM threats.
1. Reconnaissance and target identification
In the initial stage of a man-in-the-middle attack, threat actors gather critical information about the target network, organisation, or user. This process often involves identifying network infrastructure, communication channels used by employees, and any existing vulnerabilities that have not yet been addressed. Attackers employ tools and techniques like network scanning and social engineering to collect data on IP addresses, network devices, and communication protocols. During this phase, they may also pinpoint specific users or systems within the environment to target.
2. Positioning and network infiltration
After gathering sufficient information, the threat actor moves to the positioning stage, where they establish a foothold within the network. This can be accomplished through various methods, such as setting up rogue access points in public areas to intercept Wi-Fi traffic or exploiting weaknesses in network security protocols. For example, in a public Wi-Fi environment, a threat actor might create a malicious hotspot with a name like that of a legitimate network, tricking users into connecting to it. Alternatively, they may employ ARP spoofing or DNS spoofing techniques to redirect traffic through their own systems.
3. Interception and eavesdropping
Once the threat actor is embedded within the network, the next step is interception, where they start capturing and monitoring the data exchanged between the target network and other parties. This phase involves intercepting network traffic and analyzing the data packets in transit. Depending on the encryption and security protocols in place, the attacker may either read the intercepted data directly or employ various techniques and tools to decrypt it. In some instances, the attacker might inject malicious content into the data stream to exploit vulnerabilities in the target’s systems or applications.
4. Data manipulation and theft
After intercepting communications between the network and the user, the threat actor may attempt to manipulate the data found in those communications by altering the intercepted messages or injecting false information into the communication stream, such as modifying financial transactions to divert funds. In addition to this manipulation, threat actors may be able to steal sensitive information like login credentials or confidential business information, which they will later use in other attacks.
5. Evasion and Persistence
Finally, the threat actor works to avoid detection and maintain access to the network for future exploitation and attack. This can involve deleting logs, disguising actions and movements, or installing backdoors that allow them to re-enter the network whenever they wish, even if the vulnerability or technique used to gain initial access is remediated.
How To Prevent Man-in-the-Middle Attacks with a Security Operations Approach
One line of defense is never enough, especially since MitM attacks can have different targets, from email accounts to credentials to sensitive data. By taking a security operations approach, an organisation can close every avenue a threat actor might use to launch or escalate this attack, by ensuring every part of the attack surface is defended.
Network segmentation
By segmenting your network, you limit the spread of potential attacks. By breaking sensitive data and systems into multiple isolated segments, you reduce your attack surface and help prevent unauthorized access to your network, as well as limit lateral movement.
Network Encryption
This is table-stakes protection against MitM attacks. Encrypting data in transit ensures that, even if an attacker intercepts the communication, they cannot read or alter the data. Implementing Transport Layer Security (TLS) for web traffic and TLS certificates (still commonly called Secure Sockets Layer (SSL) certificates) for email communication helps better protect data as it moves across your network.
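The “cannot alter” half of that promise rests on a keyed integrity check, and the following added example (not Arctic Wolf’s code) isolates just that mechanism: a payment instruction is protected with HMAC-SHA256, the same family of construction TLS uses inside its record protection, and the receiver rejects any message whose tag no longer matches. The key and the payment fields are constructed placeholders, and the example deliberately leaves out the encryption that TLS adds on top.

```python
"""Added example, not Arctic Wolf's code: why integrity protection on the
wire matters. A payment instruction is protected with a keyed MAC (HMAC);
an on-path attacker who can read the bytes can edit them, but cannot
produce a valid tag for the edited version without the key, so the
receiver rejects the change. This isolates the "cannot alter" half of
what the paragraph promises; TLS additionally encrypts, which this
example does not. Key and payment details are constructed placeholders."""
import hashlib
import hmac
import json

# Constructed shared key; in practice this is derived by the TLS handshake.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed payment instruction with an obviously fake IBAN.
PAYMENT = {"from": "ACME-OPS", "to_iban": "XX00 PLACEHOLDER 0000", "amount_eur": 125000}


def _canonical(message):
    # Deterministic encoding so sender and receiver hash identical bytes.
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def protect(message, key):
    """Return 'tag_hex.body' where tag = HMAC-SHA256(key, body)."""
    body = _canonical(message)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def verify(blob, key):
    """Return the message if the tag is valid, otherwise None."""
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body)


def simulate_on_path_edit(blob, field, new_value):
    """Model the interception stage: the body is cleartext, so an on-path
    party can rewrite a field, but must leave the old tag in place because
    they lack the key needed to compute a new one."""
    tag, _, body = blob.partition(b".")
    message = json.loads(body)
    message[field] = new_value
    return tag + b"." + _canonical(message)


if __name__ == "__main__":
    wire = protect(PAYMENT, DEMO_KEY)
    print("genuine:", verify(wire, DEMO_KEY))
    tampered = simulate_on_path_edit(wire, "to_iban", "XX99 ATTACKER 9999")
    print("tampered:", verify(tampered, DEMO_KEY))   # None: rejected
```

Two details carry over directly to real deployments: the comparison is constant-time so that the tag check itself doesn’t leak, and the receiver acts on the decoded message only after verification succeeds, never before.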
Multi-Factor Authentication (MFA)
MFA is an access control that adds a layer of security to application logins and user access by requiring users to verify their identity with something beyond the usual username and password combination; as the name suggests, it involves multiple forms of authentication. MFA plays a critical role in identity and access security by holding access until that additional factor has been verified. If an attacker captures credentials through a MitM attack, the username and password alone will not let them log in later.
Zero Trust
This strategy focuses on the user, not the perimeter, and denies all access unless it can be verified. By eliminating implicit user trust, zero trust holds every user to the same level of scrutiny when they try to access a system, program, or asset. With that extra scrutiny in place, threat actors are, in practice, unable to move laterally or escalate within a network even if they have obtained valid credentials. While this doesn’t stop credential-based MitM attacks at the start, it can prevent them from turning into a more significant incident.
Security awareness training
Preparing your employees to recognise and neutralise social engineering attacks and human error is crucial to preventing MitM attacks, as attacks like phishing can often serve as a precursor to a MitM attack. Additionally, educating users on proper password hygiene and safe browsing can help them learn how to verify the legitimacy of communications, and showing them how to use VPNs when working remotely can help them avoid opening their organisation up to network intrusions.
24×7 Monitoring, detection, and response
Arctic Wolf® Managed Detection and Response (MDR) provides 24×7 monitoring of your network, endpoint, cloud, and identity sources to help you detect, respond to, and recover from modern cyber threats like MitM attacks. By utilising this kind of industry-leading monitoring and response platform, your organization is able to recognize key IOCs involved with MitM attacks and stop the threats before they escalate to a full-blown breach.
Discover how Arctic Wolf® Managed Detection and Response helps global organizations quickly detect, respond to, and recover from modern cyber attacks.
Access exclusive insights from our elite team of security researchers into attack types, root causes, top vulnerabilities, TTPs, and more in the 2024 Arctic Wolf Labs Threats Report.