Man-on-the-side attack

A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows them to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response they send to the victim's request arrives before the legitimate response.

In real-world attacks, the response packet sent by the attacker can be used to place malware on the victim's computer. [1] The need for a timing advantage makes the attack difficult to execute, as it requires a privileged position in the network, for example on the internet backbone. [2] This class of attack may potentially also be performed within a local network (assuming a privileged position); research has shown that it has been successful within critical infrastructure. [3]

The 2013 global surveillance revelations revealed that the US National Security Agency (NSA) widely uses a man-on-the-side attack to infect targets with malware through its QUANTUM program. [1]

GitHub suffered such an attack in 2015. [4] The Russian Threat Group might have suffered a similar attack in 2019.

Definition

Man-on-the-side has become a more familiar term since Edward Snowden leaked information about the NSA's Quantum Insert project. A man-on-the-side attack involves a cyber-attacker in a conversation between two people or two parties who are communicating online. The cyber-attacker is able to intercept and inject messages into the communication between the two parties. [5] However, the cyber-attacker is not able to remove any signals from the communication channels. A man-on-the-side attack can be applied to websites while the victim is retrieving online file downloads. The cyber-attacker is able to receive signals and perform the attack through a satellite: as long as they have a satellite dish where they reside, they will be able to read transmissions and receive signals. Satellites tend to have high latency, which gives the cyber-attacker enough time to send their injected response to the victim before the actual response from one party reaches the other through the satellite link. [5] This is why the attacker relies on a timing advantage.

The main difference between a man-in-the-middle attack and a man-on-the-side attack is that man-in-the-middle attackers are able to intercept and block messages and signals from being transmitted, whilst man-on-the-side attackers are only able to intercept and inject messages and signals before the other party receives the legitimate response.

Since a man-on-the-side attack requires a strong timing advantage, a reason why people use it may be explained through their psychological behaviour. Maria Kjaerland, a faculty member at the University of Stavanger, conducted an exploratory study examining the relationship between different cyber offences and psychological behaviours. [6] She concluded that web compromise is a common activity for hackers who attack targets for the challenge, because it relies on attackers having accurate timing when leaving messages for victims. They can easily be caught if the timing is incorrect and will not be able to make up for it. This challenge therefore carries higher consequences than other types of attack. [6] Similarly, a man-on-the-side attack also requires attackers to rely on a timing advantage in order to retrieve and modify information from victims without the victims realising or determining what the hacker has done.

Examples

Russia

In 2019, it was reported that a man-on-the-side attack might have been devised by the Russian Threat Group to install malware. When a victim used the internet and requested to download a file from a particular website, the man-on-the-side attackers present on the path were aware that the victim was attempting to download the file. Since the attackers were not able to prevent the victim from downloading the file, what they could do was intercept the request and send a signal to the victim before the victim received the legitimate response, which was the requested download file. [7] The attackers sent the victims a message that directed them to a 302 redirect page, which led the victim to think that the file had been removed or simply could not be downloaded. Even though the victim would still receive the legitimate response from the website's file download, the victim's machine had already accepted the earlier, so-called proper response from the attacking team, so the victim would not see the legitimate website and file. [8] At the 302 redirect page, the attacking team directed the victims to an alternative website, which the attacking team controlled and ran, to download the files they wanted. When the victim connected to the attacking team's server, unknowingly, they would start downloading the file, because the victim's screen showed that this site was working and that they could finally download the file. [9] However, the attacking team had already obtained the original file from the legitimate website, modified it to include pieces of malware, and served that file back to the victim. When the victim clicked on the link and started downloading, they were already downloading a file that contained malware.
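The race described in the Definition section and the redirect-style injection in the example above, as an added illustration that is not from the article or any of its sources: a small Python model of the victim's first-segment-wins behaviour, together with the check a passive sensor can apply, since the attacker cannot suppress the legitimate reply and so two segments with the same sequence number but different bytes end up on the wire. Hosts, ports, HTTP bytes and timings are constructed.

```python
"""Constructed model of the man-on-the-side response race, plus a passive
check for its signature. The attacker cannot drop the legitimate reply, so a
sensor on the path sees two segments for the same flow and TCP sequence number
with different payloads. All hosts, ports and HTTP bytes are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
SlotKey = Tuple[FlowKey, int]        # one position in the receive window


@dataclass(frozen=True)
class Segment:
    flow: FlowKey
    seq: int           # sequence number of the first payload byte
    payload: bytes
    arrival_ms: float  # when the victim (or the sensor) saw it


def deliver(segments: List[Segment]) -> Dict[SlotKey, Segment]:
    """Model the victim's TCP stack: the first segment to arrive for a given
    (flow, seq) fills that slot and later duplicates are discarded. This is
    the property the attacker's timing advantage exploits."""
    accepted: Dict[SlotKey, Segment] = {}
    for seg in sorted(segments, key=lambda s: s.arrival_ms):
        accepted.setdefault((seg.flow, seg.seq), seg)
    return accepted


def find_injections(segments: List[Segment]) -> List[SlotKey]:
    """Flag slots seen with more than one distinct payload. Plain
    retransmissions repeat identical bytes, so they are not flagged."""
    seen: Dict[SlotKey, Set[bytes]] = {}
    for seg in segments:
        seen.setdefault((seg.flow, seg.seq), set()).add(seg.payload)
    return sorted(k for k, payloads in seen.items() if len(payloads) > 1)


REAL = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
FAKE = b"HTTP/1.1 302 Found\r\nLocation: http://mirror.invalid/file\r\n\r\n"
FLOW: FlowKey = ("203.0.113.10", "198.51.100.20", 80, 51234)  # server->client


def build_trace(request_ms: float, legit_rtt_ms: float,
                attacker_rtt_ms: float) -> List[Segment]:
    """Constructed capture of one download request: the injected redirect and
    the real reply both claim seq 1; a benign retransmission follows."""
    legit_at = request_ms + legit_rtt_ms
    return [
        Segment(FLOW, 1, FAKE, request_ms + attacker_rtt_ms),
        Segment(FLOW, 1, REAL, legit_at),
        Segment(FLOW, len(REAL) + 1, b"<file bytes>", legit_at + 5.0),
        Segment(FLOW, 1, REAL, legit_at + 200.0),  # retransmit, same bytes
    ]


def winner(request_ms: float, legit_rtt_ms: float, attacker_rtt_ms: float) -> str:
    """Status line the victim actually processes for the given timings."""
    slot = deliver(build_trace(request_ms, legit_rtt_ms, attacker_rtt_ms))[(FLOW, 1)]
    return slot.payload.split(b"\r\n", 1)[0].decode()
```

With a satellite-like 600 ms legitimate round trip the injected 302 is accepted; with a 20 ms round trip the attacker's 40 ms reply loses, yet `find_injections` flags the slot in both cases because the sensor still saw two different payloads for it.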

China

In 2015, two GitHub repositories suffered a flooding attack as a result of a man-on-the-side attack. When a user outside of China attempted to browse a Chinese website, their traffic had to pass through the Chinese Internet infrastructure before being directed to the website. The infrastructure allowed the request to reach the legitimate Chinese website the user wanted to browse without any modification. The response came back from the website, but as it passed through the Chinese Internet infrastructure, before it could get back to the user, the response was modified. The modification injected a malicious script in place of the Baidu analytics script, so that instead of only contacting Baidu, the user's browser also made requests to the two GitHub repositories as the user continued browsing the website. [10] The users, who were able to continue browsing the Chinese search engine Baidu, were innocent, since they were entirely unaware that their response contained an embedded malicious script that made requests to GitHub on the side. [10] This happened to all users outside of China who were trying to access a Chinese website, which resulted in extremely high volumes of requests being made to the two GitHub repositories. The enormous load GitHub had to bear flooded its servers, which was thus the attack.

References

  1. Gallagher, Ryan; Greenwald, Glenn (12 March 2014). "How the NSA Plans to Infect 'Millions' of Computers with Malware". The Intercept. Retrieved 15 March 2014.
  2. Schneier, Bruce (4 October 2013). "Attacking Tor: how the NSA targets users' online anonymity". The Guardian. Retrieved 15 March 2014.
  3. Maynard, Peter; McLaughlin, Kieran (1 May 2020). "Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks". 17th International Conference on Security and Cryptography (SECRYPT 2020). arXiv:2004.14334. Bibcode:2020arXiv200414334M.
  4. Hjelmvik, Erik (31 March 2015). "China's Man-on-the-Side Attack on GitHub". netresec.com. Netresec. Retrieved 16 April 2020.
  5. Mushtaq, Maria; et al. (2020). "WHISPER: A Tool For Run-Time Detection Of Side-Channel Attacks". IEEE Access 8: 83871-83900.
  6. Kjaerland, Maria (2005). "A Classification Of Computer Security Incidents Based On Reported Attack Data". Journal of Investigative Psychology and Offender Profiling 2(2): 105-120.
  7. "Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack". Dark Reading. Retrieved 14 November 2020.
  8. "GitHub DDoS Attack Traces to China". www.bankinfosecurity.com. Retrieved 6 December 2020.
  9. Mozur, Paul (30 March 2015). "China Appears to Attack GitHub by Diverting Web Traffic". The New York Times. ISSN 0362-4331. Retrieved 6 December 2020.
  10. Albahar, Marwan (2017). "Cyber Attacks And Terrorism: A Twenty-First Century Conundrum". Science and Engineering Ethics 25(4): 993-1008.