Hackers take control of security firm’s domain, steal secret data
A Dutch security firm recently fell victim to a well-executed attack that allowed hackers to take control of its servers and intercept clients’ login credentials and confidential data.
The security firm, Fox-IT, said in a blog post published last week that the so-called “man-in-the-middle attack” lasted for 10 hours and 24 minutes, although the attack was largely contained for much of that time. The attackers carried it out by gaining unauthorized access to Fox-IT’s account with a third-party domain register. Next, they changed a domain name system record that designated the IP address that corresponded to the the security company’s client portal. With that, the attackers effectively hijacked control of fox-it.com and all traffic sent to it.
The attackers were able bypass protections provided by HTTPS-based encryption by first using their control of the Fox-IT domain to obtain a new transport layer security certificate. The process happened in the first 10 minutes of the attack, during which time all Fox-IT email was rerouted to the attackers. With that in place, the attackers were able to able to decrypt all incoming traffic and to cryptographically impersonate the hijacked domain. After intercepting and reading incoming traffic, the attackers forwarded it to Fox-IT in an attempt to prevent company engineers from detecting the attack.
The detailed account underscores just how easily hacks can succeed, even against security-savvy parties with relatively robust practices in place. It wouldn’t be surprising to see the same techniques succeed against scores or even hundreds of other companies that use the same industry-standard countermeasures.
“While we deeply regret the incident and the shortcomings on our part which contributed to it, we also acknowledge that a number of the measures we had in place enabled us to detect the attack, respond quickly and confidently and thereby limited the scale and length of the incident,” Fox-IT officials wrote.
Fox-IT ultimately detected the DNS hijack a little more than five hours after it started. Company engineers restored the DNS settings to the correct server and changed the password for the account. The man-in-the-middle attack, however, continued because it takes time for old DNS settings to be replaced across the Internet. The engineers eventually disabled the second-factor of authentication on the compromised client portal. The change had the effect of locking out all clients so that the attackers couldn’t intercept sensitive information. At the same time, Fox-IT disabled 2FA but left its login process in place so attackers wouldn’t know Fox-IT had detected the hack. That allowed Fox-IT analysts to monitor how the in-progress attack was working while, at the same time, preventing the hackers from intercepting any more sensitive traffic.
In all, attackers intercepted the login credentials of nine individual users, 10 unique files, one mobile phone number, and several names and email addresses of client portal users. The stolen passwords didn’t allow the attackers to log in to customers’ accounts because they were protected with two-factor authentication. Fox-IT notified users of the September 19 breach within 24 hours, but only disclosed it publicly in last week’s blog post.
The biggest lapse on Fox-IT’s part was the failure to secure its domain register account with two-factor authentication. The security company said it opened the account 18 years ago, when 2FA wasn’t a viable protection in such settings. The unnamed provider failed to make 2FA available in recent years, even as it became common elsewhere, and no one at Fox-IT noticed the lapse.
Fox-IT analysts still don’t know how the attackers obtained the account password, which the blog post said was strong enough to resist brute-force guessing attacks. However the attackers obtained the credential, Fox-IT said the presence of 2FA likely would have prevented the breach. Fox-IT could also have detected the attack much more quickly if it had actively monitored publicly available transparency records for recently issued TLS certificates for its fox-it.com domain.