Adversary in the Middle Attack Explained

Hey guys, this is TheToySec back again with another post. In this post we will talk about Adversary in the Middle Attacks and some of the detection techniques to mitigate this type of attack.


What is Adversary in the Middle Attack?

Adversary in the Middle Attack, also known as AITM Attack, is actually a phishing technique that permits attackers to hijack a user’s sign-in session, intercept the user’s credentials and session cookie, and so get authenticated to a session on the user’s behalf. Once the attackers have successfully captured the user’s credentials and session cookies, they move to the next part of the attack by accessing the compromised users’ mailboxes to launch Business Email Compromise campaigns against other targets.


MITRE ATT&CK Technique T1557: Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic, adversaries may force a device to communicate through an adversary-controlled system so that they can collect information or perform further actions.


How does it happen?

Adversary in the Middle Attacks leverage Man in the Middle frameworks like Evilginx2, Muraena or Modlishka to deploy a proxy server between the user and the targeted website, so the recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA info. As explained by Microsoft Security, the phishing page has two different Transport Layer Security (TLS) sessions: one with the target and another with the actual website the target wants to access. The phishing page then functions as an AITM agent, intercepting the entire authentication process and extracting valuable data from the HTTP requests like passwords and, more significantly, session cookies. Once in possession of this info, the attackers inject the cookies into their own browsers to skip the authentication process, regardless of whether the victim had enabled MFA protection.
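That last step, the stolen cookie being replayed from the attacker’s own browser, is also where a defender can spot it. Here is an added example (my own code, not from Microsoft or any of the frameworks named above) that scans constructed sign-in log lines for a session cookie that was issued to one client and then presented from a different IP and a different browser shortly after:

```python
from datetime import datetime

# Constructed sample records (not real traffic), one per line:
# timestamp|event|user|session_id|source_ip|user_agent
SAMPLE_LOG = """\
2024-05-01T09:00:00|signin|alice|sess-A1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2024-05-01T09:02:10|request|alice|sess-A1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2024-05-01T09:15:45|request|alice|sess-A1|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0
2024-05-01T10:00:00|signin|bob|sess-B7|192.0.2.5|Mozilla/5.0 (iPhone) Safari/17.0
2024-05-01T10:30:00|request|bob|sess-B7|192.0.2.88|Mozilla/5.0 (iPhone) Safari/17.0
"""

def parse_line(line):
    """Split one pipe-delimited record into a dict (user agent may contain spaces)."""
    ts, event, user, sid, ip, ua = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "sid": sid, "ip": ip, "ua": ua}

def find_replayed_sessions(log_text, window_seconds=7200):
    """Return (session_id, user, origin_ip, replay_ip) for every session whose
    cookie is later presented from a different IP *and* a different browser
    within window_seconds of the sign-in. Requiring both to change keeps
    ordinary mobile roaming (new IP, same browser) from being flagged.
    Note that in an AITM attack the sign-in itself arrives via the proxy host,
    so the origin IP may already be foreign to the user; the replay is the
    step this heuristic catches."""
    origin = {}            # session_id -> the sign-in record that issued it
    flagged, findings = set(), []
    for rec in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if rec["event"] == "signin":
            origin[rec["sid"]] = rec
            continue
        first = origin.get(rec["sid"])
        if first is None or rec["sid"] in flagged:
            continue
        age = (rec["ts"] - first["ts"]).total_seconds()
        if rec["ip"] != first["ip"] and rec["ua"] != first["ua"] and age <= window_seconds:
            flagged.add(rec["sid"])
            findings.append((rec["sid"], rec["user"], first["ip"], rec["ip"]))
    return findings

if __name__ == "__main__":
    for sid, user, src, dst in find_replayed_sessions(SAMPLE_LOG):
        print(f"suspected AITM cookie replay: {user} session {sid} issued to {src}, reused from {dst}")
```

Only alice’s session is reported; bob’s IP change with the same browser is treated as normal roaming.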


Prevention Tips for AITM Attacks

Once a user lands on the attacker’s phishing page, it’s too late for any security layer to protect against the credential harvester. And just as attackers are coming up with ways to subvert MFA protection, eventually they’ll probably find some way around FIDO v2.0 too. Instead of focusing on an authentication technique, Phishblocklist delivers comprehensive protection against AITM by blocking users from accessing the phishing page, for maximum protection against the credential harvester TTPs that lead to ransomware, breaches and other cyber attacks. Phishblocklist, one of the zveloCTI™ Cyber Threat Intelligence feeds, has proven market-leading detection coverage and speed for active phishing threats from the global ActiveWeb traffic stream across web surfing, email, SMS and other applications, and is additionally enhanced with zvelo’s predictive phishing detection. Phishblocklist delivers validated active phishing threats that are enriched with extra metadata attributes like date detected, targeted brand, phishing campaign identification and much more.


If you really like this post then give your reaction and don’t forget to share it with others. Till then, we will meet again on another interesting topic.


Thank you for reading this and have a nice stay there!