Fox-IT, the Netherlands-based cybersecurity firm owned by NCC Group, revealed on Thursday that it had been the victim of a man-in-the-middle (MitM) attack made possible by DNS records getting changed at its third-party domain registrar.
The incident took place back in September and Fox-IT decided to disclose it now after conducting a detailed analysis. A law enforcement investigation is ongoing so the company has not shared any information on who might be behind the attack.
The security firm traced the attackers’ initial activities to September 16, when it detected port and vulnerability scanning attempts. Then, on September 19, using compromised credentials, the hackers changed the DNS records for fox-it.com at the company’s service provider.
The main target was apparently Fox-IT’s ClientPortal, an application used to securely exchange files with customers and suppliers.
For a total of roughly 10 minutes, the attackers also managed to reroute Fox-IT emails in an effort to demonstrate that they owned the company’s domain so that they could fraudulently register an SSL certificate for the ClientPortal application.
Shortly after that, the rogue SSL certificate was used for an MitM attack on ClientPortal, with traffic to the portal routed through a virtual private server (VPS) provider abroad.
Fox-IT noticed the malicious activity after roughly five hours and quickly worked to restore DNS settings and secure its account with the domain registrar. However, due to caching and how DNS works, it took some time for the changes to take effect and the MitM attack was carried out for 10 hours and 24 minutes.
During this time, the attacker managed to intercept the credentials of nine users, one mobile phone number, a “subset” of names and email addresses, ClientPortal account names, and 12 files, including three that contained confidential client information, Fox-IT said. All affected customers have been notified.
The security firm has not been able to determine what other messages the hackers may have intercepted during the 10 minutes while they had control over Fox-IT email.
After discovering the incident, the company said it blocked the attacker from intercepting additional customer information by disabling the two-factor authentication (2FA) mechanism on the ClientPortal application. By disabling 2FA, Fox-IT prevented customers from logging in to their account – 2FA is mandatory on the portal – but avoided letting the attackers know that the intrusion had been detected in an effort to continue observing their actions.
Fox-IT believes the attackers likely gained access to its DNS registrar account using credentials that were leaked following a breach at a third-party service provider. The password had not been changed by the security firm since 2013, and the DNS provider does not offer 2FA, allowing the hackers to easily change DNS records.
“The use of full packet capture and CTMp network sensors was crucial in determining the scope of the attack,” Fox-IT said in a blog post. “We could, within a few hours of finding out about the attack, determine exactly who was affected and what the scope of the attacker was. This helped us to understand the incident with confidence and to quickly notify those directly affected and the Dutch Data Protection Authority.”
It’s not uncommon for cybersecurity firms and their employees to be targeted by hackers. For example, Kaspersky and Avast’s CCleaner were breached by sophisticated actors, while Bitdefender and FireEye were targeted by individuals who made exaggerated claims.