Types of Cyberattacks That Threaten Businesses, Part III: Man-in-the-Middle, APT & SSRF Breaches
16 Min Read
In this final article of our cybersecurity threats series, we will examine the remaining three of the most common types of cyberattacks businesses face — with examples that include two of the worst breaches in history — and go over how they can be thwarted or minimized.
With the knowledge base acquired in these articles, you’ll have a solid foundation to build on with further education and training, so that you can become an invaluable security asset to any company. Because criminals and their cyberattacks continue to evolve and grow more cunning, those on the front lines against them must work tirelessly to keep enhancing their knowledge and defenses — it’s the only way to keep themselves, their livelihoods and their clients safe.
In Man-in-the-Middle attacks, hackers impersonate end users to obtain sensitive information. For example, a hacker may send an email to customers, pretending to be a representative from their bank and trying to get them to click on a link that appears to go to their bank’s website. However, in reality, the link leads to a spoofed web page set up by the hacker; as soon as customers log in with their usernames and passwords, they’ve unwittingly handed that information over to the attacker, who then uses it to hijack their account and steal their money. Instead of links, attackers sometimes use malicious attachments, enticing recipients to open the files; once they do, malware is planted on their computers.
Alternatively, the criminal may contact the bank while posing as a customer to steal information or commit a fraudulent transaction, such as transferring funds from the customer’s account into their own.
Another way in which crooks execute a Man-in-the-Middle attack is via physical proximity to the target. Often, this type of attack is launched by infiltrating the user’s network through an unsecured or poorly secured Wi-Fi router, either in a public place, such as a coffee shop with a free wireless hotspot, or in the user’s own home. Once they have compromised the router, the hacker can deploy tools that intercept the victim’s data; sometimes, they insert these malicious mechanisms between the victim’s computer and the websites accessed on that computer, in order to steal passwords, bank account info and other personal information.
European Bank Attacks
In 2015, a gang of fraudsters that came primarily from Nigeria, Cameroon and Spain targeted medium and large companies in Europe with a Man-in-the-Middle attack, which involved finding and intercepting payment requests in emails. The lawbreakers used social engineering and inserted malware into the companies’ networks to gain access to corporate email accounts. They then monitored communications to detect payment requests, set up fraudulent transactions and directed customers to send money to bank accounts that they controlled. Finally, they cashed out those payments and transferred the funds outside the European Union by way of a complex money-laundering network.
Police arrested 49 suspects spread throughout Europe in coordinated raids in Italy, Spain, Poland, the U.K., Belgium and Georgia. They confiscated numerous devices, including laptops, phones, tablets, SIM cards, memory sticks, hard disks, credit cards, bank account records and forged documents, discovering international fraud totaling $6.8 million.
Lessons and Solutions:
Encryption, Monitoring and Threat Identification Technology
Because the easiest way for Man-in-the-Middle attackers to gain access to both parties is through a non-encrypted wireless access point, businesses should be sure to use the Wireless Access Protocol (WAP) and Wi-Fi Protected Access (WPA) or WPA2 encryption for their wireless systems.
Companies may also benefit from installing a network monitoring tool with an intrusion detection system (IDS). Resources such as IBM QRadar perform real-time analysis of network data to discover cyber criminals’ digital footprints and catch concealed threats before they can harm businesses and clients.
QRadar and comparable tools provide users with deeper insights into their network traffic, allowing them to detect threats that often lie hidden within the volume of normal system activity. They also offer greater visibility into who is accessing companies’ data and where it is moving, so sensitive information can be tracked and protected more effectively.
A Unified Endpoint Management (UEM) tool is another recommended solution for combating Man-in-the-Middle threats as well as other types of cyberattacks. UEM simplifies security by allowing a business’s IT department to manage all of the devices on its network via a single platform. IBM’s MaaS360 with Watson is one such option that combines AI and analytics, protection against threats, identity and access management, native patching and updates, safeguards against data loss and remote support capabilities.
Banks, such as the European institutions controlled by the criminals in the Man-in-the-Middle attack described above, are frequently targeted by hackers. Consequently, throughout any online banking session, users must check repeatedly to ensure they are still on their bank’s legitimate website and not a fraudulent one made to look like the real thing.
They should pay close attention to the URL, verifying that it maintains the “https” text and padlock icon at the beginning to denote a secure connection. Because the address bar can’t be directly modified by a web page, this is users’ lifeline to confirm whether or not they’re on a safe site.
Another red flag for people to watch out for is a link that redirects to a geographical location that is different from their bank’s.
Additionally, when a customer receives a message with a link supposedly from their bank, they should not click on the link, but rather, type the URL of their bank’s website into their browser themselves and access it that way.
Advanced Persistent Threat (APT)
Advanced persistent threats (APTs) are stealthy infiltrations that seek to obtain information from a network over a long period of time, typically months or years. The criminals adapt to cyber defenses to try to make their attacks more effective, and they frequently go after the same targets again and again.
They also generally work under the direction and with the backing of an adversarial nation-state — often Iran, China, Russia or North Korea — with the goal of spying on, stealing sensitive information from, disrupting the operations of or destroying infrastructure within other countries.
APTs occur in five distinct phases:
1. Reconnaissance: Hackers assess their target network to understand its nature and find weaknesses.
2. Incursion: Attackers break into the network and insert targeted malware to susceptible individuals and systems.
3. Discovery: The organization’s security systems are analyzed so that hackers can create a plan for information capture.
4. Capture: Hackers access systems and capture information over a lengthy period of time. Malware may also be installed to disrupt the system.
5. Exfiltration: Sensitive information is sent back to the attack team’s system for analysis and use.
When hackers directed by the SVR, Russia’s intelligence service, breached Texas-based company SolarWinds in 2020, they targeted Orion, a network management system, which touches every part of a network — servers, firewalls and devices.
Sudhakar Ramakrishna, President and CEO of SolarWinds, figures “the Russians successfully compromised about 100 companies and about a dozen government agencies.” The companies include Microsoft, Intel and Cisco, while the list of federal agencies comprises the Treasury, Justice and Energy Departments; the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security; and even the Pentagon.
Theft of information may have been the criminals’ sole objective, but they snooped around US networks for nine months, giving them plenty of time to plant harmful software or viruses that could potentially go undetected and be activated in the future.
It began in the fall of 2019, when the hackers inserted malicious code during a routine update to Orion’s software. They returned in February 2020, employing an implant that created a backdoor into the software before it was published. This enabled them to carry out the attack without alerting anyone that the code had been compromised.
They clandestinely replaced the original code with their version at the last possible moment; once the software update was packaged and delivered to SolarWinds’ customers, the hackers had unrestricted, undetected access to the computers of all users who downloaded and installed it. Another way the Russians avoided detection was by reverse-engineering the process through which Orion communicated with servers; they even created their own coding instructions that emulated the system’s syntax and formats. Afterward, the culprits “washed the code,” removing any clues therein that could tie them to the crime.
In late January to February 2015, Anthem, one of the largest health insurance companies in the United States, fell victim to what was called at the time the biggest data breach in the history of healthcare. The attack was carried out by a cyber warfare group connected to the Chinese government, which went by aliases such as “Deep Panda” and “Black Vine.” The information stolen comprised names, Social Security numbers, birthdays, addresses, emails, employment information and salary data of both customers and company employees.
Anthem’s data was hacked through a sophisticated attack that was essentially a hybrid of spear-phishing and APT. The perpetrators began by targeting administrative accounts with phishing emails connected to malicious websites that were disguised as internal services. When the users visited the sites, their computers were infected with downloaded malware that gave the perpetrators a backdoor into the users’ systems, through which they could gain control of the computers. Then, the hackers compromised multiple user accounts throughout the Anthem network, until they succeeded in accessing, querying and exfiltrating the corporate data warehouse that held customers’ personally identifiable information (PII).
The query was suspiciously large, so Anthem’s IT department spotted it on January 26. Three days later, Anthem shut down the sysadmin account and reported the breach to federal authorities and other regulatory bodies.
The attack compromised up to 78.8 million records. Anthem’s total expenditure to clean it up was about $230 million, including the costs of purchasing cyber security insurance, settling class-action lawsuits and paying for extra security services and cyber defense resources.
Lessons and Solutions
The Need for Defenses to Evolve Along With Attacks
At the time of the SolarWinds hack, the US Department of Homeland Security’s detection system could only recognize and stop known threats, which accounted for 90-95 percent of all cyberattacks. The SolarWinds breach was a previously unknown threat, clarifying the importance of building more advanced systems capable of finding and stopping novel attacks.
Reporting, Reviewing and Standardizing
There were also two warning signs of the attack that failed to yield a response that might have prevented it, including suspicious activity on a client’s computer discovered by cybersecurity firm Volexity and a malicious backdoor found by Palo Alto Networks. In the first case, the company didn’t feel there was enough evidence to notify the government or SolarWinds; in the second, the company was unable to locate the source of the backdoor and detect the attack.
These failures have prompted some cybersecurity experts to propose the creation of a national review board to investigate cyberattacks in a more formal way, as well as to ensure that software and hardware vendors report breaches or any signs of such attacks to the government immediately upon discovery.
Additionally, Anne Neuberger, deputy national security adviser for cyber and emerging technology, is working on an order that would mandate companies that work with the U.S. government to meet certain software standards, and would also require federal agencies to follow basic security protocols, including data encryption in all systems. As part of this legislation, companies like SolarWinds could be required to “air gap” the systems in which they create their software, meaning they would not be connected to the internet and would thus be much less vulnerable.
The Importance of Companies Being Prudent
There was a troubling find that may have caused the hackers to put SolarWinds in their crosshairs: The company’s marketing website included a very specific list of businesses and government agencies that used the Orion software, thus telling the cyber criminals which organizations they would be able to compromise by attacking SolarWinds. This emphasizes how vital it is for software providers and other companies to be more discreet about their clients.
As far as internal availability of information, the Anthem hack demonstrated how crucial it is for companies to limit access. Even for top administrators, the data that can be viewed and retrieved should be determined and regulated on a need-to-know basis, in order to reduce the amount of information that hackers will be able to steal, corrupt or destroy if and when they break into employees’ accounts.
Asking the Experts for Assistance
In the case of the Anthem attack, the insurance company wisely enlisted the help of ThreatConnect, a cyber-security firm, which performed a deeper analysis to track down the perpetrators. Their investigation found IP addresses that pointed to a suspicious domain name and registrant email address, which the firm was able to connect to a Chinese professor. This instructor was working on a project sponsored by an organization that was created by Beijing Topsec, a Chinese telecommunications and IT company with ties to the Chinese government and military.
Few companies outside of the cybersecurity industry have the resources and expertise to trace digital crimes back to the specific parties responsible, underscoring the great value of utilizing firms like ThreatConnect to find the sources of attacks, shut them down and prevent them from breaching one’s corporate network again.
Server-Side Request Forgery (SSRF)
In this type of cyberattack, a hacker exploits a vulnerable web application and then deceives it into redirecting malicious requests to the internal network or local host behind the system firewall — thus bypassing the network’s defenses. SSRF operations are especially threatening to cloud-based services because they make metadata API accessible via the Internet instead of just locally, enabling intruders to use the compromised web application to obtain cloud infrastructure data, including configurations, logs and credentials.
As long as the application supports the uniform resource identifier (URI) scheme used by the hacker’s request, e.g., HTTPS, host file system (file:////), dictionary service (dict://) or redis service (redis://), the hacker will be able to compromise any target that has a trust relationship with the server.
An SSRF attack also circumvents a network’s container sandbox protection and leaves systems vulnerable to internal surveillance, lateral movement and remote execution of code such as malware and ransomware.
Capital One Hack
In the summer of 2019, Capital One Financial Corp. was hacked by a former software engineer at Amazon Web Services, who used a Server-Side Request Forgery attack. The culprit stole personal information, including names and addresses, of roughly 100 million people in the US and 6 million in Canada. She also acquired around 140,000 Social Security numbers, 1 million Canadian social insurance numbers, 80,000 bank account numbers and many phone numbers and credit scores.
According to the US Attorney’s office, the criminal was able to access this private data through a misconfigured web application firewall that left the financial company’s system vulnerable. She confessed to utilizing a command that enabled her to extract files from a Capital One directory located on Amazon’s servers. Fortunately, she was caught after boasting about the hack on social media and sharing information from it on the coding platform GitHub, where someone else saw it and reported it to Capital One, who in turn contacted the FBI. Law enforcement officials were able to locate the perpetrator because the GitHub page she had posted on included her full name in its digital address.
In total, the attack was estimated to cost Capital One $100 – 150 million, including expenses incurred for customer notifications; credit monitoring and identity protection, which the company offered as complimentary services to affected customers; tech costs; and legal support.
Lessons and Solutions:
To resolve the main problem that leaves systems open to SSRF attacks, cybersecurity specialists advise developers to rigorously validate the format and pattern of user input prior to transferring it to the application logic.
These experts offer additional recommendations for preventive measures to be taken by system administrators who install and manage web applications. Patching and updating applications on a regular basis are the simplest and most effective methods to prevent vulnerabilities. Another strong suggestion is enforcing an allowlist of domains with which an application is permitted to communicate, which will substantially minimize the services that hackers are able to target.
A similar tactic can be used for metadata application programming interfaces (APIs), which facilitate the easy, secure exchange of data and functionality between applications. Some APIs are already protected by a cloud service provider, but for those that aren’t, administrators can safeguard the interfaces themselves. The best way to accomplish this is by limiting the Identity and Access Management (IAM) privileges to only those cloud services that applications actually need, in order to reduce the negative impact if a credential is compromised.
Admins can also block SSRF attacks through the configuration of a zero-trust network, in which authentication and authorization are required for all services on every application. Implementing a Web Application Firewall (WAF) is another great way, as this will identify abnormal patterns or harmful content in HTTP requests and shut them down.
A firewall gives administrators an extra option for bolstering security as well: creating rules within virtual machines (VMs) that block the metadata IP or enable only specific applications or users to access the API. For yet another layer of protection, one can build a proxy above the metadata API; this is essentially a thin server that sits between the applications and backend services and acts as an intermediary, making requests on behalf of developers. It features some basic security and monitoring capabilities.
Interactive Application Security Testing (IAST) tools are additional defenses that perform real-time tracking of input data and show users how the application is actually using that information. IASTs will reliably identify any untrusted inputs engaged in sensitive operations. Runtime Application Self Protection (RASP) technology is another effective resource that works in a similar way, providing a blend of static and real-time visibility.
Your Future in Cybersecurity
Because computers affect nearly all aspects of modern business and government, protection against all types of cyberattacks is paramount. For individuals who wish to be part of an exciting field full of opportunities, the Bachelor of Arts, Bachelor of Science or Bachelor of Applied Science in Cybersecurity degree from Eastern Oregon University provides the education and training necessary to face the challenges of today and tomorrow, featuring a curriculum taught by experienced instructors who are real-world industry professionals. Designed for ultimate flexibility, the program allows students to study on their own schedules while still giving them the ability to interact with their professors and classmates.
To learn more, fill out the form located here or call Eastern Oregon University at 855-805-5399.