Infosecurity Europe
3-5 June 2025
ExCeL London

Adversary-in-the-Middle Attacks Explained and How to Prevent Them

Imagine you’re in the middle of a crucial conversation, and suddenly, an unseen intruder starts manipulating your words and stealing your secrets. This isn’t a scene from a spy movie; it’s the reality of an adversary-in-the-middle attack.

Adversary-in-the-middle (AiTM) attacks, also known as man-in-the-middle (MiTM) attacks or on-path attacks, are a growing threat that can take multiple forms and enable various types of cyber-attacks.

Definition of an Adversary-in-the-Middle Attack

In simple terms, an AiTM incident occurs when an attacker covertly intercepts and potentially modifies the communications between two parties.

Both parties believe they are communicating directly with each other, but the attacker has inserted themselves into the conversation.

According to the nonprofit MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge framework (MITRE ATT&CK), AiTM is often conducted to support follow-on behaviours such as network sniffing, data manipulation, payload injection or replay attacks.

Today, AiTM can be used in a wide range of cases, including financial fraud and transaction manipulation, cyber espionage, data theft and privacy invasion.

Types of Adversary-in-the-Middle Attacks

A common AiTM attack scenario involves eavesdropping, where the attacker listens in on communication to gather sensitive information like passwords or financial details.

Another scenario, session hijacking, refers to the attacker taking control of an ongoing session between two parties, gaining unauthorized access to data or resources.

Finally, a third scenario consists of the attacker pretending to be one or both parties involved in the communication, leading to deception and unauthorized data disclosure. This is commonly called spoofing.

The most notable types of AiTM attacks include:

  • Adversary-in-the-browser (AiTB) Attack: Malware modifies browser activity, intercepting or altering transactions in real time
  • Address Resolution Protocol (ARP) Spoofing: Sends fraudulent ARP messages to link the attacker’s MAC address with a target IP, capturing local network traffic
  • Domain Name System (DNS) Spoofing/Poisoning: Redirects DNS queries to malicious servers, leading victims to counterfeit websites
  • Email Hijacking: Intercepts email exchanges to manipulate or steal sensitive information
  • Fake Certificate Authority (CA): Uses a bogus CA to sign counterfeit certificates, deceiving victims into trusting malicious connections
  • HTTPS Spoofing: The attacker deceives the victim into thinking their connection is secure by using a counterfeit SSL/TLS certificate
  • Session Hijacking: Captures session cookies or tokens to impersonate a legitimate user during an active session
  • SSL/TLS Stripping: Converts HTTPS traffic to HTTP, allowing the attacker to intercept and read the unencrypted data
  • Wi-Fi AiTM (aka Evil Twin Attack): Sets up a fake Wi-Fi hotspot to intercept communications from connected devices
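ARP spoofing, listed above, leaves a visible trace on the local segment: an IP address that suddenly answers from a different MAC address, or one MAC address that answers for several IPs at once. The following Python is an added example written for this article, not code from the original page or from MITRE; it runs a simple consistency check over constructed ARP reply records (the addresses, timestamps and the `trusted` baseline are made up for illustration) and reports the two anomalies as triage findings.

```python
"""Flag ARP replies that indicate possible ARP spoofing (added example, constructed data)."""
from collections import defaultdict

# Constructed ARP reply records, shaped like an export from a packet capture:
# (timestamp_seconds, sender_ip, sender_mac). All addresses are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims a host IP
    (6.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeat of the new claim
]


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of (kind, detail) findings from a sequence of ARP replies.

    kind "ip_remap":     an IP's MAC differs from the one first seen (or from a
                         trusted baseline binding passed in `trusted`)
    kind "mac_multi_ip": one MAC answers for more than one IP, the pattern of a
                         host poisoning several victims at once

    Legitimate causes (DHCP reassignment, a replaced NIC) exist, so these are
    signals for triage rather than proof of an attack.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    findings = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac                      # first sighting becomes the baseline
        elif known != mac:
            findings.append(("ip_remap", f"t={ts}: {ip} moved from {known} to {mac}"))
            if ip not in trusted:
                ip_to_mac[ip] = mac                  # alert once per change, not per packet
            # a trusted binding is never overwritten, so every conflicting reply alerts
        mac_to_ips[mac].add(ip)

    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append(("mac_multi_ip", f"{mac} claims {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(f"[{kind}] {detail}")
```

Passing a `trusted` baseline (for example the gateway's known MAC from an inventory) makes the check stricter: the baseline is never overwritten, so every reply that contradicts it is reported, whereas unbaselined hosts alert only when their mapping changes.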

Detecting an Adversary-in-the-Middle Attack

According to MITRE ATT&CK, monitoring specific signals can help detect an AiTM attack.

These signals include:

  • Application logs (e.g. changes in settings and other events associated with network protocols and other services are common during an AiTM attack)
  • Network traffic, as anomalies can be associated with known AiTM behaviour (e.g. network traffic originating from unknown/unexpected hardware devices)
  • Newly created services/daemons, visible in Windows event logs as event IDs 4697 and 7045
  • HKLM\Software\Policies\Microsoft\Windows NT\DNSClient, as changes to the "EnableMulticast" DWORD value could be a sign of an AiTM attack
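The last two signals are concrete enough to check mechanically. The Python below is an added example written for this article (it is not code from the page or from MITRE ATT&CK): it parses constructed Windows event records in a simplified comma- and semicolon-separated line format, reports every new service installation (event IDs 4697 and 7045), and compares two snapshots of the DNSClient policy key to flag any change to EnableMulticast. The event lines, service names and file paths are invented for illustration; the line format is an assumption of the example, not a Windows export format.

```python
"""Triage constructed Windows event and registry data for AiTM signals (added example)."""

# Event IDs named in the detection list above.
SERVICE_INSTALL_EVENT_IDS = {
    4697: "Security: a service was installed in the system",
    7045: "System: a new service was installed",
}
DNSCLIENT_POLICY_KEY = r"HKLM\Software\Policies\Microsoft\Windows NT\DNSClient"

# Constructed sample records: "Channel,EventID,Field=Value;Field=Value..." (one per line).
SAMPLE_EVENTS = """\
Security,4624,TargetUserName=alice;LogonType=2
System,7045,ServiceName=ExampleUpdater;ImagePath=C:\\Program Files\\Example\\upd.exe;StartType=auto start
Security,4697,ServiceName=netsvc_helper;ServiceFileName=C:\\Users\\Public\\nh.exe;SubjectUserName=bob
System,7036,ServiceName=Spooler;State=running
"""


def parse_events(text):
    """Turn the simplified line format into a list of dicts with an int event_id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        channel, event_id, rest = line.split(",", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append({"channel": channel, "event_id": int(event_id), **fields})
    return events


def service_install_findings(events):
    """One finding per newly installed service (event IDs 4697 and 7045)."""
    findings = []
    for ev in events:
        desc = SERVICE_INSTALL_EVENT_IDS.get(ev["event_id"])
        if desc is None:
            continue
        # 7045 carries the binary in ImagePath, 4697 in ServiceFileName.
        path = ev.get("ImagePath") or ev.get("ServiceFileName", "?")
        findings.append(f"{ev['event_id']} {desc}: {ev.get('ServiceName', '?')} -> {path}")
    return findings


def registry_findings(before, after, watched=("EnableMulticast",), key=DNSCLIENT_POLICY_KEY):
    """Compare two snapshots of the policy key ({value_name: dword}) and report changes.

    An absent value means "not configured". EnableMulticast=0 is the setting that
    disables LLMNR, so a value that flips to 1 or disappears after hardening is
    worth a closer look; any change at all is reported here.
    """
    findings = []
    for name in watched:
        old, new = before.get(name), after.get(name)
        if old != new:
            findings.append(f"{key}\\{name} changed {old!r} -> {new!r}")
    return findings


if __name__ == "__main__":
    for line in service_install_findings(parse_events(SAMPLE_EVENTS)):
        print(line)
    # Constructed snapshots: hardened baseline, then the value removed.
    for line in registry_findings({"EnableMulticast": 0}, {}):
        print(line)
```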

AiTM Mitigation Techniques

Some methods to prevent becoming a victim of an AiTM attack include:

  • Using two-factor authentication (2FA) across your network and services
  • Implementing strong encryption for data in transit and adopting secure communication protocols like HTTPS and VPNs to protect against eavesdropping and data interception
  • Implementing public key infrastructure (PKI) across your network to establish trusted communication channels and verify the identity of communicating parties
  • Using traffic analysis tools on the network
  • Segmenting your network
  • Using certificate pinning on mobile apps
  • Integrating email security
  • Never connecting to an unknown Wi-Fi hotspot
