This attack leads to spying some small amount of their customer’s activities and this incident has been active the total effective MitM time to 10 hours and 24 minutes.
A man-in-the-middle attack is a form of eavesdropping in which an attacker intercepts and relays messages between two parties who are communicating directly with each other.
In this case, Attacker has modified the Fox-IT DNS record and point out to their own server and to intercept and forward the traffic to the original server that belongs to Fox-IT.
Fox-IT client portal was the specific aim for the attacker where Fox-IT used it for an exchange of files with customers, suppliers and other organizations.
What Happened During this Cyber Attack
First unusual activities triggered on Sept 16, 2017, which contains a reconnaissance with Fox-IT infrastructure including port scans, vulnerability scans, and other scanning activities.
later attacker gain the access to the Fox-IT network and modified the DNS record of the fox-it.com domain.
In this case, Fox-IT believes that client portal still pointed out to Fox-IT legitimate Client portal server but attacker temporarily reroutes the attack and intercepted Fox-IT email for the specific purpose of proving that they owned Fox-IT domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
Sept 19 2017, Fox-IT Experts realized that real MITM attack starts against their server. during this time the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad.
According to Fox-IT investigation, name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar
Later Fox-IT disables the two-factor authentication for their client portal to preventing users of ClientPortal from successfully logging in.
Also, Fox-IT kept the portal open to access for the attacker and they concern about not to disclose this activity to the attacker for taking time to investigate more.
“During the meantime of Sept 19 – Sept 20 2017, A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority Fox-IT said.