Netherlands-based Fox-IT, one of the world's leading IT security providers, disclosed today a security breach during which an unknown attacker carried out a Man-in-the-Middle (MitM) attack and spied on a small number of Fox-IT customers.
The incident took place on September 19 and lasted for 10 hours and 24 minutes. According to Fox-IT, an attacker hijacked the company's domain name, which he then used to obtain an SSL certificate in Fox-IT's name.
The attacker then pointed the domain to a private VPS server under his control and executed a MitM attack, receiving traffic intended for the Fox-IT domain, reading the content of HTTPS connections with the help of the SSL certificate, and then redirecting users back to the actual Fox-IT server.
Fox-IT says the attacker was only interested in intercepting traffic for its ClientPortal website. The company, which is now part of UK software giant NCC Group, provides a wide range of managed IT security & threat intelligence services for large enterprises all over the world.
According to Fox-IT, attackers intercepted login attempts and credentials, and files sent to the ClientPortal. In total, attackers intercepted credentials for a meager 9 users and a grand total of 12 files.
The low number of affected users is because Fox-IT detected the domain hijacking and MitM attack after the first 5 hours and disabled its two-factor authentication service. This effectively prevented other users from logging in and exposing other critical files and data.
Fox-IT also moved quickly to notify affected customers and reset intercepted passwords, which wouldn't be useful anyway because Fox-IT used two-factor authentication for the login process. In addition, the company said that none of the intercepted files were marked as "secret," and most did not contain sensitive information.
Other files and data of less importance obtained during the MitM attack include one mobile phone number, a subset of names and email addresses of ClientPortal users, and ClientPortal account names.
"In the scheme of the industry average time of detection of weeks this was a short exposure," said Fox-IT, who also said it notified Dutch law enforcement of the incident.
Below is a detailed timeline of the hack, as it was made available in Fox-IT's security breach disclosure.
| Date / time | Event |
|---|---|
| Sept 16 2017 | First reconnaissance activities against our infrastructure that we believe are attributable to the attacker. These included regular port scans, vulnerability scans and other scanning activities. |
| Sept 19 2017, 00:38 | The attacker changed DNS records for fox-it.com domain at a third party provider. |
| Sept 19 2017, 02:02 | Latest moment in time that we have been able to determine that clientportal.fox-it.com still pointed to our legitimate ClientPortal server. This means that traffic destined for the ClientPortal was not being intercepted yet. |
| Sept 19 2017, 02:05-02:15 | Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal. |
| Sept 19 2017, 02:21 | The actual MitM against our ClientPortal starts. At this point, the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad. |
| Sept 19 2017, 07:25 | We determined that our name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar. This change will have taken time to have full effect, due to caching and the distributed nature of the domain name system. |
| Sept 19 2017, 12:45 | We disabled the second factor authentication for our ClientPortal login authentication system (text messages), effectively preventing users of ClientPortal from successfully logging in and having their traffic intercepted. Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate. At this point, the MitM against ClientPortal was still active technically, but would no longer receive traffic to intercept as users would not be able to perform two factor authentication and log in. |
| Sept 19 – Sept 20 2017 | A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority. A police investigation was launched and is still ongoing. Based on the outcome of our investigation, we understood the scope of the incident, we knew that the attack was fully countered and we were prepared to re-enable two factor authentication on ClientPortal in order to make it fully functional again. |
| Sept 20, 15:38 | ClientPortal fully functional again. Our internal investigation into the incident continued. |
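The timeline shows two signals a defender could have caught earlier than the roughly five hours it took here: the name servers and the clientportal A record changed at the registrar side, and a certificate for the portal hostname was issued that the operator never deployed. The script below is an added illustration written for this article, not Fox-IT's own tooling or data. It compares dig-style answer lines against an expected baseline and scans Certificate-Transparency-style records for fingerprints outside the known set. Every name server, IP address, issuer, fingerprint and timestamp in it is constructed for the example.

```python
"""Baseline-drift checks for a zone's delegation, a host's A record, and
certificate issuance for a monitored hostname.

All inputs below are constructed: the name servers, addresses, issuer and
fingerprints are hypothetical and are not Fox-IT's real records."""
import json
from typing import Dict, List, Set

RecordMap = Dict[str, Dict[str, Set[str]]]

# Hypothetical baseline of what the records should be.
EXPECTED_RECORDS: RecordMap = {
    "fox-it.com.": {"NS": {"ns1.corp.example.", "ns2.corp.example."}},
    "clientportal.fox-it.com.": {"A": {"192.0.2.10"}},
}

# Hypothetical fingerprints of certificates the operator knowingly deployed.
KNOWN_CERT_FINGERPRINTS: Dict[str, Set[str]] = {
    "clientportal.fox-it.com": {"sha256:0000aaaa"},
}

# Constructed dig answer lines: the healthy state and the hijacked state.
BASELINE_DIG = """; constructed answer section (hypothetical values)
fox-it.com.               3600 IN NS ns1.corp.example.
fox-it.com.               3600 IN NS ns2.corp.example.
clientportal.fox-it.com.   300 IN A  192.0.2.10
"""
HIJACKED_DIG = """; constructed answer section (hypothetical values)
fox-it.com.               3600 IN NS ns1.rogue-host.invalid.
fox-it.com.               3600 IN NS ns2.rogue-host.invalid.
clientportal.fox-it.com.   300 IN A  198.51.100.7
"""

# Constructed CT-style records: one known cert, one the operator never issued.
CT_JSON = json.dumps([
    {"dns_names": ["clientportal.fox-it.com"], "fingerprint": "sha256:0000aaaa",
     "issuer": "Example CA", "not_before": "2017-06-01T00:00:00Z"},
    {"dns_names": ["clientportal.fox-it.com"], "fingerprint": "sha256:deadbeef",
     "issuer": "Example CA", "not_before": "2017-09-19T02:15:00Z"},
])


def parse_dig_answers(text: str) -> RecordMap:
    """Parse '<name> <ttl> IN <type> <rdata>' lines into {name: {type: {rdata}}}.
    Comment lines (';'), blank lines and malformed lines are skipped."""
    observed: RecordMap = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        observed.setdefault(name, {}).setdefault(rtype, set()).add(rdata.lower())
    return observed


def check_dns(observed: RecordMap, expected: RecordMap) -> List[str]:
    """Report every (name, type) whose observed RRset differs from the baseline."""
    findings = []
    for name, types in expected.items():
        for rtype, want in types.items():
            got = observed.get(name, {}).get(rtype, set())
            if got != want:
                findings.append(
                    f"{name} {rtype}: expected {sorted(want)}, observed {sorted(got)}")
    return findings


def check_certs(ct_json: str, known: Dict[str, Set[str]]) -> List[str]:
    """Flag any logged certificate covering a monitored host whose
    fingerprint is not in the operator's known set."""
    findings = []
    for entry in json.loads(ct_json):
        for host in entry["dns_names"]:
            if host in known and entry["fingerprint"] not in known[host]:
                findings.append(
                    f"{host}: unexpected certificate {entry['fingerprint']} "
                    f"from {entry['issuer']} valid from {entry['not_before']}")
    return findings


def run_checks(dig_text: str, ct_json: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings grouped by signal."""
    return {
        "dns": check_dns(parse_dig_answers(dig_text), EXPECTED_RECORDS),
        "certs": check_certs(ct_json, KNOWN_CERT_FINGERPRINTS),
    }


if __name__ == "__main__":
    for signal, items in run_checks(HIJACKED_DIG, CT_JSON).items():
        for item in items:
            print(f"[{signal}] {item}")
```

In production the dig text would come from querying the zone's delegation from several vantage points (the registrar-side change propagates unevenly, as the 07:25 entry notes), and the CT records from a log monitor; the point of the baseline is that a certificate the operator did not request is a finding regardless of who issued it.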