DoubleDirect is the name of a new Man-in-the-Middle (MitM) attack discovered by security researchers that is targeting mobile devices running either iOS or Android and potentially Mac OS X systems.
The DoubleDirect MitM attack allows attackers to hijack the victim’s traffic of major websites such as Facebook, Google and Twitter to a device controlled by the attacker.
As explained by security experts at mobile security firm Zimperium, once the attackers has redirected the victim’s traffic, it could be able to steal victims’ sensitive data, including personal data and login credentials, or serve malicious code on the targeted device.
In the blog post recently published by Zimperium the experts revealed that threat actors worldwide are already exploiting the DoubleDirect technique across 31 countries. Bad actors redirected users of several IT companies, including Facebook, Google, Hotmail, Live.com and Twitter.
The DoubleDirect technique exploits the ICMP (Internet Control Message Protocol) redirect packets in order to change the routing tables of a host used by routers to provide information on the best path to the destination.
“With the detection of DoubleDirect in the wild we understood that the attackers are using previously unknown implementation to achieve full-duplex MITMs using ICMP Redirect” states the post.
“An attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP,” Zimperium warned. “As a result, the attacker can launch a MitM attack, redirecting the victim’s traffic to his device.“
“Once redirected, the attacker can compromise the mobile device by chaining the attack with an additional Client Side vulnerability (e.g.: browser vulnerability), and in turn, provide an attack with access to the corporate network.“
“We have investigated the attacks and also created a POC tool to prove that it is possible to perform full-duplex ICMP Redirect attacks. ICMP Redirect attacks are not easy to emulate because the attacker must know beforehand which IP address the victim has accessed”
“Zimperium is releasing this information at this time to increase awareness as some operating system vendors have yet to implement protection at this point from ICMP Redirect attacks as there are attacks in-the-wild,” the post reads.