Adversary-In-The-Middle Attack (AitM): A novel way to evade MFA

In the vast realm of cyber threats, a relatively newer but impactful method has emerged: Adversary In the Middle (AiTM) attacks. AiTM attacks have recently become more popular as organizations started to adopt MFA (Multi-Factor Authentication) in their environments since this technique offers an interesting way to evade the MFA security control.

In this article, we will demystify AiTM attacks by delving into real-world examples, understanding the motives behind such campaigns, identifying the most targeted industries, discussing various techniques used by attackers, and finally, providing guidance on potential mitigation strategies.

What is an AiTM Attack?

An AiTM attack, as the name suggests, involves an adversary strategically placing themselves between two communicating parties, typically unbeknownst to the legitimate entities.

Attackers often employ an Adversary-In-The-Middle (AiTM) strategy to situate themselves between multiple connected devices. This positioning aids subsequent malicious activities like monitoring network traffic or altering transmitted data. By exploiting the vulnerabilities of certain networking protocols that dictate traffic flow, such as ARP, DNS, and LLMNR, attackers can reroute device communication through a system they control. This allows them to gather data or carry out further malicious acts.

Figure 1 – The rising popularity of AiTM technique in Cyber Attacks

For instance, by tampering with a victim’s DNS configurations, attackers can hinder or redirect users from accessing genuine websites or even introduce additional malware. Furthermore, by exploiting their vantage point, they might intercept user credentials and session information. Attackers can also use Downgrade Attacks to establish an AiTM foothold by forcing the use of outdated or weaker communication protocols or encryption methods.

A real-world example from Microsoft’s security blog highlights a multi-stage AiTM phishing and BEC (Business Email Compromise) campaign. Attackers impersonated business executives, sent phishing emails to employees, and, upon successful phishing, positioned themselves in legitimate email threads. They then manipulated financial transactions, redirecting funds to their accounts.

Figure 2 – Example of AiTM Multi-Stage attack followed by BEC (Source: Microsoft Threat Intelligence)

Motive Behind AiTM

While various motivations can drive AiTM campaigns, financial fraud is one of the most prevalent. By interjecting themselves in business communications, attackers can manipulate transactions, redirect funds, or steal sensitive financial information. This not only results in direct financial loss but can tarnish the reputation of businesses and erode trust among clients and partners.

Who’s at Risk?

Though any industry can be a potential target, certain verticals prove to be more lucrative for attackers. Businesses that regularly conduct large-scale financial transactions, such as real estate, legal firms, and financial institutions, are often at the crosshairs of AiTM attacks. Additionally, sectors with complex supply chains or multiple third-party collaborations might also face heightened risks.

Threat Actors: Techniques and Tools Used in AiTM Attacks

Evading Multi-Factor Authentication

This approach positions the attacker between the client and server during the authentication process, allowing the interception and theft of Multi-Factor Authentication (MFA) details. Effectively, the attacker acts as both the client and the server, deceiving the genuine parties involved.

We have seen a big increase in using AiTM attacks to intercept MFA details.
Corporate clients, particularly those in enterprise settings using Microsoft email services, are the main targets. The campaign’s complexity is high, with the end goal being to infiltrate corporate accounts, perform Business Email Compromise (BEC) attacks, and illicitly transfer funds.

Victims are sent malicious email links. Depending on user interaction, these links either lead directly to a phishing domain or contain HTML attachments linking to the phishing site. The attackers have also created typosquatted domain versions of legitimate websites and often send phishing emails from compromised executive accounts from these firms.

Redirection Strategies
Attackers employ various redirection techniques, using platforms like Google Ads-hosted Open Redirect sites and online code editing tools such as CodeSandbox and Glitch.

While MFA provides an added layer of security, it isn’t foolproof. Sophisticated phishing kits and obfuscation tactics can bypass traditional and advanced security measures. The success of phishing attacks largely hinges on user interaction, highlighting the importance of user awareness and training.

However, there are two mitigations that we would like to mention that can help in preventing successful AiTM attacks that aim to evade MFA – please refer to the end of the article for mitigation strategies. 

LLMNR/NBT-NS Poisoning and SMB Relay

Adversaries exploit LLMNR/NBT-NS network traffic to mimic a trustworthy source for name resolution, directing communication towards a malicious system. These components—LLMNR and NBT-NS—are integral to Microsoft Windows, serving as fallback mechanisms for host identification. When adversaries respond to this traffic, they can manipulate the service, causing victims to interact with the attacker-controlled system. If authentication is required for the requested resource, the victim’s username and NTLMv2 hash are sent to the malicious system. Attackers can then capture this hash information, potentially cracking it to access plaintext passwords. In certain situations, these hashes can also be intercepted and relayed, allowing attackers to run code against a target system. Moreover, adversaries can embed these hashes into various protocols, extending their malicious capabilities. Tools like NBNSpoof, Metasploit, and Responder can be employed to exploit these vulnerabilities within local networks.

Tools used to abuse LLMNR/NBT-NS Poisoning and SMB Relay technique:

  1. Responder: Poisons name services to gather hashes and credentials from local network systems.
  2. Impacket: Utilizes modules like ntlmrelayx and smbrelayx for Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks.
  3. Empire: Uses Inveigh for name service poisoning for credential theft and relay attacks.
  4. PoshC2: Uses Inveigh for name service poisoning for credential theft and relay attacks.
  5. Pupy: Sniffs plaintext network credentials and uses NBNS Spoofing to poison name services.

Threat Actors that are known to abuse LLMNR/NBT-NS Poisoning and SMB Relay techniques:

  1. Wizard Spider: Likely uses Invoke-Inveigh PowerShell cmdlets for name service poisoning.
  2. Lazarus Group: Executes Responder on compromised hosts to harvest credentials and move laterally.

ARP Cache Poisoning

Adversaries exploit the Address Resolution Protocol (ARP) to place themselves in the communication path of networked devices, potentially enabling them to monitor or alter transmitted data. ARP is crucial for mapping IPv4 addresses to MAC addresses in local networks. If a device needs the MAC address associated with an IP, it sends an ARP request. The corresponding device replies with its MAC address, stored in the requester’s ARP cache. However, attackers can deceive devices by rapidly replying to these requests with their MAC address, making the victim believe they’re communicating with the intended device. This deception can be achieved either by swiftly responding to ARP requests or by sending unsolicited ARP replies. Given ARP’s lack of authentication, devices can erroneously update their ARP cache. By poisoning the ARP cache, adversaries can intercept network traffic, potentially capturing sensitive data like credentials, especially if transmitted without encryption.

Threat Actors that are known to abuse ARP Cache Poisoning technique:

  1. Cleaver: Utilizes custom tools for ARP cache poisoning.
  2. LuminousMoth: Employs ARP spoofing to redirect compromised machines to actor-controlled websites.

DHCP Spoofing

Adversaries can redirect network traffic to their systems by masquerading as a DHCP server, a technique known as DHCP spoofing. By positioning themselves in the middle of the communication (AiTM), they can intercept and potentially manipulate network communications, capturing sensitive data like unencrypted credentials. DHCP operates on a client-server model, where the client requests network configuration, and the server provides it. The process involves the client broadcasting a DISCOVER message, the server offering an available network address, the client requesting the offered address, and the server acknowledging the request. Attackers might set up rogue DHCP servers on the victim network, leading to malicious network configurations. For instance, malware might act as a DHCP server, assigning victim computers to malicious DNS servers. By doing so, adversaries can route traffic through their systems, collecting valuable data. Additionally, adversaries can exploit DHCP to launch exhaustion attacks, flooding the network with DISCOVER messages to deplete the DHCP allocation pool.

Mitigating AiTM Attacks

Protecting against AiTM attacks requires a combination of technology, processes, and awareness. Moreover, it requires a defence in depth approach (combination of preventions and detection techniques) to cybersecurity, in order to truly minimise the risk of successful attacks. Below we list few mitigation options that you can leverage in your environments to combat AiTM attacks: 

  1. Phish-resistant MFA methods: Hardware-backed MFA methods will provide protection against AiTM (e.g. using FIDO2 compliant hardware authenticators). Also Biometric authentication proves to be a good countermeasure for AiTM attacks.
  2. Conditional Access Controls: Conditional Access controls which require device state information, or require specific network location, will provide protection for AiTM. 
  3. Filter Network Traffic: Filter DHCP traffic on ports 67 and 68 from unknown or untrusted DHCP servers, enable port security on layer switches, enable DHCP snooping on layer 2 switches to prevent DHCP spoofing and starvation attacks, and block DHCPv6 traffic and incoming router advertisements if IPv6 is not used.
  4. Disable or Remove Feature or Program: Disable updating ARP cache on gratuitous ARP replies.
  5. Encrypt Sensitive Information: Encrypt traffic and use best practices for authentication protocols.
  6. Limit Access to Resource Over Network: Create static ARP entries for network devices.
  7. Network Segmentation: Isolate infrastructure components to reduce AiTM activity scope.
  8. Network Intrusion Prevention: Utilize systems to identify and mitigate AiTM activity.
  9. User Training: Train users to be cautious about certificate errors to prevent HTTPS traffic interception.

Detecting AiTM Attacks

There are several ways to detect potential AiTM attacks, but heavily rely on the capabilities in a given environment (depends on what security controls and security tools are in place), but if we would advise something that is generally aplicable it would be following:

  1. Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.
  2. Monitor network traffic for irregularities that align with recognized AiTM patterns. Track network traffic stemming from unanticipated or unfamiliar hardware devices. Metadata from local network traffic, including source MAC addresses, along with the utilization of network management protocols like DHCP, can aid in pinpointing hardware origins.
  3. Monitor the creation of new services/daemons by checking Windows event logs for event IDs 4697 and 7045. It’s important to consider data and events in the context of a sequence of actions, as they might be linked to further activities like remote access or the initiation of processes.

In conclusion, while AiTM attacks pose a significant threat, organizations can effectively mitigate risks and safeguard their assets with proactive measures and continual vigilance.