Conscia ThreatInsights
Adversary-In-The-Middle Attack (AiTM): A novel way to evade MFA

Motive Behind AiTM

While various motivations can drive AiTM campaigns, financial fraud is one of the most prevalent. By interjecting themselves in business communications, attackers can manipulate transactions, redirect funds, or steal sensitive financial information. This not only results in direct financial loss but can tarnish the reputation of businesses and erode trust among clients and partners.

Who’s at Risk?

Though any industry can be a potential target, certain verticals prove to be more lucrative for attackers. Businesses that regularly conduct large-scale financial transactions, such as real estate, legal firms, and financial institutions, are often at the crosshairs of AiTM attacks. Additionally, sectors with complex supply chains or multiple third-party collaborations might also face heightened risks.

Threat Actors: Techniques and Tools Used in AiTM Attacks

Evading Multi-Factor Authentication

This approach positions the attacker between the client and server during the authentication process, allowing the interception and theft of Multi-Factor Authentication (MFA) details. Effectively, the attacker acts as both the client and the server, deceiving the genuine parties involved.

We have seen a big increase in using AiTM attacks to intercept MFA details.
Corporate clients, particularly those in enterprise settings using Microsoft email services, are the main targets. The campaign’s complexity is high, with the end goal being to infiltrate corporate accounts, perform Business Email Compromise (BEC) attacks, and illicitly transfer funds.

Methodology
Victims are sent malicious email links. Depending on user interaction, these links either lead directly to a phishing domain or contain HTML attachments linking to the phishing site. The attackers have also created typosquatted domain versions of legitimate websites and often send phishing emails from compromised executive accounts from these firms.

Redirection Strategies
Attackers employ various redirection techniques, using platforms like Google Ads-hosted Open Redirect sites and online code editing tools such as CodeSandbox and Glitch.

While MFA provides an added layer of security, it isn’t foolproof. Sophisticated phishing kits and obfuscation tactics can bypass traditional and advanced security measures. The success of phishing attacks largely hinges on user interaction, highlighting the importance of user awareness and training.

However, there are two mitigations that we would like to mention that can help in preventing successful AiTM attacks that aim to evade MFA – please refer to the end of the article for mitigation strategies. 

LLMNR/NBT-NS Poisoning and SMB Relay

Adversaries exploit LLMNR/NBT-NS network traffic to mimic a trustworthy source for name resolution, directing communication towards a malicious system. These components—LLMNR and NBT-NS—are integral to Microsoft Windows, serving as fallback mechanisms for host identification. When adversaries respond to this traffic, they can manipulate the service, causing victims to interact with the attacker-controlled system. If authentication is required for the requested resource, the victim’s username and NTLMv2 hash are sent to the malicious system. Attackers can then capture this hash information, potentially cracking it to access plaintext passwords. In certain situations, these hashes can also be intercepted and relayed, allowing attackers to run code against a target system. Moreover, adversaries can embed these hashes into various protocols, extending their malicious capabilities. Tools like NBNSpoof, Metasploit, and Responder can be employed to exploit these vulnerabilities within local networks.

Tools used to abuse LLMNR/NBT-NS Poisoning and SMB Relay technique:

1. Responder: Poisons name services to gather hashes and credentials from local network systems.
2. Impacket: Utilizes modules like ntlmrelayx and smbrelayx for Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks.
3. Empire: Uses Inveigh for name service poisoning for credential theft and relay attacks.
4. PoshC2: Uses Inveigh for name service poisoning for credential theft and relay attacks.
5. Pupy: Sniffs plaintext network credentials and uses NBNS Spoofing to poison name services.

Threat Actors that are known to abuse LLMNR/NBT-NS Poisoning and SMB Relay techniques:

1. Wizard Spider: Likely uses Invoke-Inveigh PowerShell cmdlets for name service poisoning.
2. Lazarus Group: Executes Responder on compromised hosts to harvest credentials and move laterally.

ARP Cache Poisoning

Adversaries exploit the Address Resolution Protocol (ARP) to place themselves in the communication path of networked devices, potentially enabling them to monitor or alter transmitted data. ARP is crucial for mapping IPv4 addresses to MAC addresses in local networks. If a device needs the MAC address associated with an IP, it sends an ARP request. The corresponding device replies with its MAC address, stored in the requester’s ARP cache. However, attackers can deceive devices by rapidly replying to these requests with their MAC address, making the victim believe they’re communicating with the intended device. This deception can be achieved either by swiftly responding to ARP requests or by sending unsolicited ARP replies. Given ARP’s lack of authentication, devices can erroneously update their ARP cache. By poisoning the ARP cache, adversaries can intercept network traffic, potentially capturing sensitive data like credentials, especially if transmitted without encryption.

Threat Actors that are known to abuse ARP Cache Poisoning technique:

1. Cleaver: Utilizes custom tools for ARP cache poisoning.
2. LuminousMoth: Employs ARP spoofing to redirect compromised machines to actor-controlled websites.

DHCP Spoofing

Adversaries can redirect network traffic to their systems by masquerading as a DHCP server, a technique known as DHCP spoofing. By positioning themselves in the middle of the communication (AiTM), they can intercept and potentially manipulate network communications, capturing sensitive data like unencrypted credentials. DHCP operates on a client-server model, where the client requests network configuration, and the server provides it. The process involves the client broadcasting a DISCOVER message, the server offering an available network address, the client requesting the offered address, and the server acknowledging the request. Attackers might set up rogue DHCP servers on the victim network, leading to malicious network configurations. For instance, malware might act as a DHCP server, assigning victim computers to malicious DNS servers. By doing so, adversaries can route traffic through their systems, collecting valuable data. Additionally, adversaries can exploit DHCP to launch exhaustion attacks, flooding the network with DISCOVER messages to deplete the DHCP allocation pool.

Mitigating AiTM Attacks

Protecting against AiTM attacks requires a combination of technology, processes, and awareness. Moreover, it requires a defence in depth approach (combination of preventions and detection techniques) to cybersecurity, in order to truly minimise the risk of successful attacks. Below we list few mitigation options that you can leverage in your environments to combat AiTM attacks: 

1. Phish-resistant MFA methods: Hardware-backed MFA methods will provide protection against AiTM (e.g. using FIDO2 compliant hardware authenticators). Also Biometric authentication proves to be a good countermeasure for AiTM attacks.
2. Conditional Access Controls: Conditional Access controls which require device state information, or require specific network location, will provide protection for AiTM. 
3. Filter Network Traffic: Filter DHCP traffic on ports 67 and 68 from unknown or untrusted DHCP servers, enable port security on layer switches, enable DHCP snooping on layer 2 switches to prevent DHCP spoofing and starvation attacks, and block DHCPv6 traffic and incoming router advertisements if IPv6 is not used.
4. Disable or Remove Feature or Program: Disable updating ARP cache on gratuitous ARP replies.
5. Encrypt Sensitive Information: Encrypt traffic and use best practices for authentication protocols.
6. Limit Access to Resource Over Network: Create static ARP entries for network devices.
7. Network Segmentation: Isolate infrastructure components to reduce AiTM activity scope.
8. Network Intrusion Prevention: Utilize systems to identify and mitigate AiTM activity.
9. User Training: Train users to be cautious about certificate errors to prevent HTTPS traffic interception.

Detecting AiTM Attacks

There are several ways to detect potential AiTM attacks, but heavily rely on the capabilities in a given environment (depends on what security controls and security tools are in place), but if we would advise something that is generally aplicable it would be following:

1. Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.
2. Monitor network traffic for irregularities that align with recognized AiTM patterns. Track network traffic stemming from unanticipated or unfamiliar hardware devices. Metadata from local network traffic, including source MAC addresses, along with the utilization of network management protocols like DHCP, can aid in pinpointing hardware origins.
3. Monitor the creation of new services/daemons by checking Windows event logs for event IDs 4697 and 7045. It’s important to consider data and events in the context of a sequence of actions, as they might be linked to further activities like remote access or the initiation of processes.

In conclusion, while AiTM attacks pose a significant threat, organizations can effectively mitigate risks and safeguard their assets with proactive measures and continual vigilance.