The cybersecurity firm Fox-IT, one of the top security companies and now owned by the UK-based NCC Group, disclosed a security breach affecting its infrastructure. According to the firm, on September 19 an unknown attacker carried out a Man-in-the-Middle (MitM) attack and spied on a limited number of customers.
“It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a ‘Man-in-the-Middle’ attack,” reads the security breach disclosure published by the company.
According to Fox-IT, the attackers hijacked the company’s domain name for 10 hours and 24 minutes and obtained an SSL certificate in Fox-IT’s name.
The hackers redirected the domain to a private VPS server under their control to mount the MitM attack. From that position they received traffic intended for the Fox-IT domain, used the fraudulently obtained SSL certificate to decrypt the HTTPS connections, and then forwarded the traffic to the real Fox-IT server.
According to Fox-IT, the attackers targeted only the ClientPortal website, intercepting traffic destined for it. In that position they could read anything sent to the portal, including login attempts, credentials and uploaded files.
“the attacker was able to redirect inbound traffic to ClientPortal and emails going to the fox-it.com domain for a short period of time. At no stage did they have access to any external or internal Fox-IT system, or indeed system level access to our ClientPortal.” continues the breach notification.
Fox-IT detected the domain hijacking and the MitM attack after about 5 hours and disabled the 2FA login process as a mitigation measure, so that users could no longer complete a login through the intercepted portal. The hackers intercepted credentials for only 9 users and a total of 12 files; none of the files were marked as “secret” or contained sensitive information.
In response to the incident, Fox-IT notified the affected customers and reset the intercepted passwords; it also reported the incident to Dutch law enforcement.
Below is a detailed timeline of the cyber attack:
| Date / time | Event |
|---|---|
| Sept 16 2017 | First reconnaissance activities against our infrastructure that we believe are attributable to the attacker. These included regular port scans, vulnerability scans and other scanning activities. |
| Sept 19 2017, 00:38 | The attacker changed DNS records for the fox-it.com domain at a third party provider. |
| Sept 19 2017, 02:02 | Latest moment in time that we have been able to determine that clientportal.fox-it.com still pointed to our legitimate ClientPortal server. This means that traffic destined for the ClientPortal was not being intercepted yet. |
| Sept 19 2017, 02:05-02:15 | Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal. |
| Sept 19 2017, 02:21 | The actual MitM against our ClientPortal starts. At this point, the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad. |
| Sept 19 2017, 07:25 | We determined that our name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar. This change will have taken time to have full effect, due to caching and the distributed nature of the domain name system. |
| Sept 19 2017, 12:45 | We disabled the second factor authentication for our ClientPortal login authentication system (text messages), effectively preventing users of ClientPortal from successfully logging in and having their traffic intercepted. Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate. At this point, the MitM against ClientPortal was still active technically, but would no longer receive traffic to intercept as users would not be able to perform two factor authentication and |
| Sept 19 – Sept 20 2017 | A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority. A police investigation was launched and is still ongoing. Based on the outcome of our investigation, we understood the scope of the incident, we knew that the attack was fully countered and we were prepared to re-enable two factor authentication on ClientPortal in order to make it fully functional again. |
| Sept 20, 15:38 | ClientPortal fully functional again. Our internal investigation into the incident continued. |
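The timeline shows a gap of almost seven hours between the unauthorized DNS change (00:38) and its detection (07:25), and the rogue certificate was in place for most of that window. The following Python script is an added example written for this article, not Fox-IT's own tooling: it compares observed NS delegations, A records and TLS certificate fingerprints against a defender-maintained baseline and raises an alert on any drift, which is the kind of continuous check that would have flagged both the registrar-level DNS change and the unexpected certificate issuance. All hostnames, addresses, issuers and certificate bytes below are constructed placeholders (example-corp.test, 192.0.2.10, etc.), not Fox-IT's real records; in production the observed values would come from resolver queries against several public resolvers and from a Certificate Transparency log monitor.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Baseline:
    """What the defender expects to see for its own domain (all values constructed)."""
    ns_records: Dict[str, Set[str]]          # zone -> authoritative name servers
    a_records: Dict[str, Set[str]]           # hostname -> legitimate IPv4 addresses
    cert_fingerprints: Dict[str, Set[str]]   # hostname -> SHA-256 of known leaf certs
    allowed_issuers: Set[str]                # CAs the organisation actually uses


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_dns(baseline: Baseline,
              observed_ns: Dict[str, Iterable[str]],
              observed_a: Dict[str, Iterable[str]]) -> List[str]:
    """Flag NS delegation changes and A records pointing outside the baseline."""
    alerts = []
    for zone, expected in baseline.ns_records.items():
        # normalise trailing dots / case so a legitimate answer never false-alarms
        seen = {ns.lower().rstrip(".") for ns in observed_ns.get(zone, [])}
        if seen != expected:
            alerts.append(f"NS change for {zone}: expected {sorted(expected)}, saw {sorted(seen)}")
    for host, expected in baseline.a_records.items():
        seen = set(observed_a.get(host, []))
        rogue = seen - expected
        if rogue:
            alerts.append(f"A record for {host} points to unexpected address(es) {sorted(rogue)}")
    return alerts


def check_certs(baseline: Baseline,
                observed: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Flag certificates for monitored hostnames that the defender did not request.

    `observed` holds (hostname, sha256 fingerprint, issuer) tuples, as a CT log
    monitor or a TLS probe would report them.
    """
    alerts = []
    for host, fp, issuer in observed:
        known = baseline.cert_fingerprints.get(host)
        if known is None:
            continue  # not one of our monitored names
        if fp not in known:
            detail = "" if issuer in baseline.allowed_issuers else f" from unexpected CA {issuer!r}"
            alerts.append(f"Unknown certificate for {host}{detail}: {fp[:16]}...")
    return alerts


def run_checks(baseline, observed_ns, observed_a, observed_certs) -> Dict[str, List[str]]:
    """Run both checks and return alerts grouped by category (empty lists = healthy)."""
    return {"dns": check_dns(baseline, observed_ns, observed_a),
            "certs": check_certs(baseline, observed_certs)}


# --- constructed sample data: placeholder names, not Fox-IT's real records ---
LEGIT_CERT_DER = b"constructed-der-bytes-of-the-legitimate-portal-cert"
ROGUE_CERT_DER = b"constructed-der-bytes-of-a-cert-issued-to-the-attacker"

BASELINE = Baseline(
    ns_records={"example-corp.test": {"ns1.example-corp.test", "ns2.example-corp.test"}},
    a_records={"portal.example-corp.test": {"192.0.2.10"}},
    cert_fingerprints={"portal.example-corp.test": {fingerprint(LEGIT_CERT_DER)}},
    allowed_issuers={"Example Corporate CA"},
)

# Snapshot resembling the hijack described in the timeline: delegation moved to
# foreign name servers, the portal resolves to a VPS address, a new cert shows up.
HIJACKED_NS = {"example-corp.test": ["ns1.attacker-dns.test.", "ns2.attacker-dns.test."]}
HIJACKED_A = {"portal.example-corp.test": ["198.51.100.77"]}
HIJACKED_CERTS = [("portal.example-corp.test", fingerprint(ROGUE_CERT_DER), "Public DV CA")]

# Snapshot of a healthy day: everything matches the baseline.
NORMAL_NS = {"example-corp.test": ["ns1.example-corp.test.", "ns2.example-corp.test."]}
NORMAL_A = {"portal.example-corp.test": ["192.0.2.10"]}
NORMAL_CERTS = [("portal.example-corp.test", fingerprint(LEGIT_CERT_DER), "Example Corporate CA")]


if __name__ == "__main__":
    for label, args in (("normal", (NORMAL_NS, NORMAL_A, NORMAL_CERTS)),
                        ("hijacked", (HIJACKED_NS, HIJACKED_A, HIJACKED_CERTS))):
        print(label, run_checks(BASELINE, *args))
```

Run on a schedule of a few minutes, the DNS check catches a registrar-level change long before the TTL-driven propagation that the timeline mentions has finished, and the certificate check turns the attacker's own domain-validation step (the 02:05-02:15 email interception) into an alarm, because the resulting certificate appears in public CT logs regardless of which CA issued it.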
(Security Affairs – Fox-IT, DNS hijacking)