The Dutch security company Fox-IT has announced it was hit by a man-in-the-middle attack that allowed criminals to hijack its servers and intercept confidential client data. Fox-IT responded promptly to the targeted attack against the company.
The attack occurred back in September and took the form of a classic man-in-the-middle interception. The attackers rerouted traffic to Fox-IT’s servers to pass through their own infrastructure. This allowed them to inspect the data being passed between the company and its clients.
As Ars Technica reports, Fox-IT detailed the breach in a blog post late last week. The company said it wanted to share what it’s learnt from the incident, helping others to respond. The company judged its response to the attack as appropriate but said there were several missed opportunities to prevent it occurring.
The attack began when the DNS records for the Fox-IT.com domain were changed. The attackers gained access to the third-party domain registrar used by Fox-IT. They then modified the DNS records for the company’s secure clients server to point to their own server. This forwarded traffic from Fox-IT to a destination of the attacker’s choosing.
Over the ensuing hours, the attackers redirected Fox-IT’s email, fraudulently obtained an SSL certificate for their server and began the actual man-in-the-middle attack. With the traffic rerouted and a valid SSL certificate in place, the attackers had everything they needed to intercept communications between Fox-IT and its clients. Because the certificate was genuine, browsers raised no warnings.
Fox-IT became aware of the proceedings around seven hours after the incident began. It was alerted to the change of nameservers for its domain and began the process of regaining control. It secured its account with the third-party domain registrar and then began to neutralise the threat to its clients.
The company disabled two-factor authentication for the impacted clients server. This barred clients from logging in, preventing their data from being stolen by the attackers. The server itself was left online though, a decision designed to buy Fox-IT time while it continued the investigation.
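Fox-IT's detection hinged on being alerted to the nameserver change. As an added example, not code from Fox-IT or from the article, the Python below diffs a trusted DNS baseline against a fresh observation for the record types the attackers altered (NS delegation, the A record of the client host, and MX for mail); the domain and record values are constructed, and a real deployment would feed it resolver output gathered on a schedule from several vantage points.

```python
"""Added example (not Fox-IT's code): flag drift in the DNS records that a
registrar-level hijack changes, by diffing a trusted baseline against a
fresh observation. All names and addresses are constructed placeholders."""

from dataclasses import dataclass, field

# Record types worth watching per the incident: NS (delegation of the whole
# zone), A (the client portal host) and MX (mail, which was also redirected).
WATCHED = ("NS", "A", "MX")

# Trusted baseline captured out of band while the zone was known-good.
BASELINE = {
    ("example.com.", "NS"): {"ns1.hosting.example.", "ns2.hosting.example."},
    ("clients.example.com.", "A"): {"203.0.113.10"},
    ("example.com.", "MX"): {"mail.example.com."},
}

@dataclass
class Alert:
    name: str
    rtype: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)

def diff_records(baseline, observed):
    """Return one Alert per (name, type) whose observed values differ from
    the baseline. A name/type absent from the observation is reported as all
    values removed, since a hijacker may delete rather than replace records."""
    alerts = []
    for key, expected in baseline.items():
        if key[1] not in WATCHED:
            continue
        seen = set(observed.get(key, set()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            alerts.append(Alert(key[0], key[1], added, removed))
    return alerts

def severity(alert):
    """NS changes move the entire zone and outrank single-host changes."""
    return "critical" if alert.rtype == "NS" else "high"

# Constructed observation: delegation and the portal A record now point elsewhere.
OBSERVED_HIJACK = {
    ("example.com.", "NS"): {"ns1.attacker.example.", "ns2.attacker.example."},
    ("clients.example.com.", "A"): {"198.51.100.7"},
    ("example.com.", "MX"): {"mail.example.com."},
}

if __name__ == "__main__":
    for a in diff_records(BASELINE, OBSERVED_HIJACK):
        print(f"[{severity(a)}] {a.rtype} {a.name}: +{sorted(a.added)} -{sorted(a.removed)}")
```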
“Twin mantras” for security
The sophisticated attack demonstrates that cybersecurity is an ongoing concern for every digital company, including firms that themselves specialise in security. Reflecting on the incident, Fox-IT said its biggest failing was the lack of two-factor authentication (2FA) on its domain registration account. Had 2FA been available and enabled, the attacker would not have been able to modify the DNS records for the company’s domain.
The lessons from the attack should apply to all companies participating in the digital age. Fox-IT said firms should focus on establishing efficient security processes and layering up protections. This makes an attacker’s life more complicated and provides a structure to follow when investigating incidents.
“While we deeply regret the incident and the shortcomings on our part which contributed to it, we also acknowledge that a number of the measures we had in place enabled us to detect the attack, respond quickly and confidently and thereby limited the scale and length of the incident,” said Fox-IT. “That’s why the twin mantras in security should always be followed: layered security and prevention, detection and response.”
During the incident, nine Fox-IT client users had their credentials stolen as they logged in. Twelve files were intercepted, including three marked as client confidential. Several sets of personal details, including names, client names, email addresses and a mobile phone number, were stolen. Fox-IT said it has notified all the people involved in the breach.