Security company Fox-IT reveals, details MitM attack they suffered in September

Data from over 200 Pen Tests Shows Most Common Vulnerabilities. Learn more now.

Dutch IT security consultancy/service provider Fox-IT has revealed on Thursday that it has suffered a security breach, which resulted in some files and emails sent by the company’s customers to be intercepted by an unknown attacker.

Fox-IT security breach

The attack

On September 19, the attacker accessed the DNS records for the domain at their third party domain registrar, modified them to point to a server in their possession, and intercepted and then forwarded the traffic to the original server that belongs to Fox-IT.

“This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack,” the company shared.

“Because we detected and addressed the breach quickly we limited the total effective MitM time to 10 hours and 24 minutes. In the scheme of the industry average time of detection of weeks this was a short exposure, but we couldn’t prevent the attacker from intercepting a small number of files and information that they should not have had access to.”

The company’s reaction

Fox-IT’s SOC had noticed that a number of scans for weaknesses on their infrastructure were made in the days leading up to the attack, but they did not follow up on that because they considered them as regular “background noise on the internet.”

But once they detected the intrusion – some five hours after the attack started – they disabled the text message-based 2FA for the ClientPortal, which prevented legitimate users from logging in and sending files and information, and those being intercepted.

“Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate,” the company explained.

“This allowed us to better understand the modus operandi and scope of the attack before taking specific actions to mitigate it, an approach which is standard operating procedure for our CERT team. From that moment on, nobody could log in, effectively preventing traffic to our ClientPortal from being intercepted. Note that this did not directly stop the attack, but it stopped its effectiveness.”

In the next day or so, they reported the breach to the Dutch Police and the Dutch Data Protection Authority, and notified affected clients. By the afternoon of September 20, the incident was resolved, and the ClientPortal was fully functional again.

Who was affected in the Fox-IT security breach?

Fox-IT made sure to note that the attacker never gained access to any external or internal company system, nor had system level access to the ClientPortal.

The attacker intercepted:

  • Login credentials of nine users (but they were useless without the second authentication factor),
  • A dozen of files (some confidential but none classified as state secret)
  • Several email addresses, phone numbers, and names of accounts in ClientPortal (none of this info is sensitive, in itself, but users were notified of it nevertheless)
  • An unknown number of emails send during the 10 minutes when emails destined for Fox-IT were redirected to an external email provider.

How did the attacker manage to pull-off the attack?

The company’s internal investigation revealed that the attacker has likely gained access to credentials to the DNS control panel of their domain registrar through the compromise of a third party provider.

The company admits that they could have prevented this by regularly changing that password (it has not been changed since 2013 because it was rarely used) and by urging the domain registrar to implement 2FA (or by switching to one that has introduced this additional security measure).

Nevertheless, the company deserves praise for how it handled the breach and its disclosure to affected users, the relevant authorities, and the wider public.