Man-on-the-side attack

Last updated

A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.

Contents

In real-world attacks, the response packet sent by the attacker can be used to place malware on the victim's computer. [1] The need for a timing advantage makes the attack difficult to execute, as it requires a privileged position in the network, for example on the internet backbone. [2] Potentially, this class of attack may be performed within a local network (assuming a privileged position), research has shown that it has been successful within critical infrastructure. [3]

The 2013 global surveillance revelations revealed that the US National Security Agency (NSA) widely uses a man-on-the-side attack to infect targets with malware through its QUANTUM program. [1]

GitHub suffered such an attack in 2015. [4] The Russian Threat Group might have suffered a similar attack in 2019.

Definition

Man-on-the-side has become a more familiarized term after Edward Snowden leaked information about the NSA's quantum insert project. Man-on-the-side attack involves a cyber-attacker in a conversation between two people or two parties who are communicating online. The cyber-attacker is able to intercept and inject messages into the communication between the two parties. [5] However, the cyber-attacker is not able to remove any signals on communication channels. Man-on-the-side attack can be applied to websites while retrieving online file downloads. The cyber-attacker is able to receive signals and perform the attack through a satellite. As long as they have a satellite dish in the place they're residing in, they will be able to read transmissions and receive signals. Satellites tend to have high latency, which gives the cyber attacker enough time to send their injected response to the victim before the actual response from one party reaches the other through the satellite link. [5] Therefore, this is the reason why an attacker relies on timing advantage.

The main difference between man-in-the-middle attack and man-on-the-side-attack is that man-in-the-middle attackers are able to intercept and block messages and signals from transmitting, whilst man-on-the-side attackers are able to intercept and inject messages and signals before the other party receives a legitimate response.

Examples

Russia

In 2019, it was reported that man-on-the-side attack might have been conceived by the Russian Threat Group through installing Malwares. When victim used the internet and requested to download a file at a particular website, man-on-the-side attackers who were present were aware that the victims were attempting to download the file. Since the man-on-the-side attackers were not able to prohibit the victim from downloading the file, what they could do was to intercept the server and send a signal to the victim before the victim received a legitimate response, which was the requested download file. [6] The attacker then intercepted and sent the victims a message that directed them to a 302 error site, which led the victim to think that the file has been removed or it simply cannot be downloaded. However, even though the victim would receive a legitimate response from the website file download, since their servers were already contaminated, they would not have been able to view the legitimate website and file since they received a so-called proper response from the attacking team. [7] At the 302 error site, the attacking team directed the victims to an alternative website to download the files they wanted to, which the attacking team controlled and ran. When the victim connected to the attacking team's server, not known to their knowledge, they would start downloading the file because on the victim's screen, it shows that this site is working and they can finally download the file. [8] However, the attacking team had already found the original file from the legitimate website and modified the file to include pieces of malwares and sent the file back to the victim. When the victim clicked on the link and started downloading the file, they were already downloading a file that consisted of malwares.

China

In 2015, the two GitHub repositories suffered a flooded attack due to man-on-the-side attack. When a user outside of China attempts to browse a Chinese website, they are required to pass the Chinese Internet Infrastructure before automatically being directed to the website. The infrastructure allowed the request to the legitimate Chinese website the user wanted to browse to without any modifications involved. The response came back from the website, but as it passed through the Chinese Internet Infrastructure, before it could get back to the user, the response had been modified. The modification involved a malware that changed the Baidu analytics script from only accessing Baidu to the user-making request to access the two GitHub Repositories as they continued browse the website. [9] The user, who was able to continue browsing the Chinese search engine, Baidu, were innocent since they were absolutely unaware of the fact that their response involved an embedded malicious script, which would make a request to access GitHub on the side. [9] This happened to all users outside of china who was trying to seek access to a Chinese website, which resulted in extremely high volumes of requests being made to the two GitHub Repositories. The enormous load GitHub had to bear had caused the server to flood and was thus attacked.


Related Research Articles

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

In computer security, a drive-by download is the unintended download of software, typically malicious software. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.

Free Download Manager is a download manager for Windows, macOS, Linux and Android.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many websites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. After successfully stealing appropriate session cookies an adversary might use the Pass the Cookie technique to perform session hijacking. Cookie hijacking is commonly used against client authentication on the internet. Modern web browsers use cookie protection mechanisms to protect the web from being attacked.

<span class="mw-page-title-main">VirusTotal</span> Cybersecurity website owned by Chronicle

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

<span class="mw-page-title-main">Tor (network)</span> Free and open-source anonymity network based on onion routing

Tor is a free overlay network for enabling anonymous communication. Built on free and open-source software and more than seven thousand volunteer-operated relays worldwide, users can have their Internet traffic routed via a random path through the network.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products:

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

Kasidet POS Malware is a variant of Point of Sale (POS) Malware that performs DDoS attacks using Namecoin's Dot-Bit service to scrape payment card details. It is also known as Trojan.MWZLesson or Neutrino and was found in September 2015 by cyber security experts. It is a combination of BackDoor.Neutrino.50 and the POS malware.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the CIA.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

The Zealot Campaign is a cryptocurrency mining malware collected from a series of stolen National Security Agency (NSA) exploits, released by the Shadow Brokers group on both Windows and Linux machines to mine cryptocurrency, specifically Monero. Discovered in December 2017, these exploits appeared in the Zealot suite include EternalBlue, EternalSynergy, and Apache Struts Jakarta Multipart Parser attack exploit, or CVE-2017-5638. The other notable exploit within the Zealot vulnerabilities includes vulnerability CVE-2017-9822, known as DotNetNuke (DNN) which exploits a content management system so that the user can install a Monero miner software. An estimated USD $8,500 of Monero having been mined on a single targeted computer. The campaign was discovered and studied extensively by F5 Networks in December 2017.

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

Agent Tesla is a remote access trojan (RAT) written in .NET that has been actively targeting users with Microsoft Windows OS-based systems since 2014. It is a versatile malware with a wide range of capabilities, including sensitive information stealing, keylogging and screenshot capture. Since its release, this malicious software has received regular updates. It is sold as a malware-as-a-service, with several subscription options available for purchase. Campaigns involving Agent Tesla often start with phishing emails, masquerading as legitimate messages from trusted sources.

References

  1. 1 2 Gallagher, Ryan; Greenwald, Glenn (12 March 2014). "How the NSA Plans to Infect 'Millions' of Computers with Malware". The Intercept . Retrieved 15 March 2014.
  2. Schneier, Bruce (4 October 2013). "Attacking Tor: how the NSA targets users' online anonymity". The Guardian . Retrieved 15 March 2014.
  3. Maynard, Peter; McLaughlin, Kieran (1 May 2020). "Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks". 17th International Conference on Security and Cryptography (SECRYPT 2020). arXiv: 2004.14334 . Bibcode:2020arXiv200414334M.
  4. Hjelmvik, Erik (31 March 2015). "China's Man-on-the-Side Attack on GitHub". netresec.com. NetreseC. Retrieved 16 April 2020.
  5. 1 2 Mushtaq, Maria et al. 2020. "WHISPER: A Tool For Run-Time Detection Of Side-Channel Attacks." IEEE Access 8:83871-83900.
  6. "Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack". Dark Reading. Retrieved 2020-11-14.
  7. "GitHub DDoS Attack Traces to China". www.bankinfosecurity.com. Retrieved 2020-12-06.
  8. Mozur, Paul (2015-03-30). "China Appears to Attack GitHub by Diverting Web Traffic (Published 2015)". The New York Times. ISSN   0362-4331 . Retrieved 2020-12-06.
  9. 1 2 Albahar, Marwan. 2017. "Cyber Attacks And Terrorism: A Twenty-First Century Conundrum." Science and Engineering Ethics 25(4):993-1008.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.