Netherlands-based cybersecurity firm Fox-IT has itself fallen victim to a cyberattack.
In the September incident the company was hit by a man-in-the-middle (MitM) attack, made possible by DNS records being changed at its third-party domain registrar.
A law enforcement investigation is ongoing, so the company has not shared any information on who might be behind the attack.
The security firm traced the attackers' initial activity to September 16, when it detected port and vulnerability scanning against its infrastructure. Then, on September 19, using compromised credentials, the attackers changed the DNS records for fox-it.com at the company's registrar, according to a Fox-IT post.
The main target was apparently Fox-IT’s ClientPortal, an application used to securely exchange files with customers and suppliers.
For 10 minutes the attackers also redirected Fox-IT's incoming email by pointing the domain's mail (MX) records elsewhere, so that they could pass a certificate authority's email-based domain validation and fraudulently obtain an SSL/TLS certificate for the ClientPortal hostname.
Shortly thereafter, the rogue certificate was used for a MitM attack on ClientPortal: the portal's DNS record was pointed at a virtual private server (VPS) at a provider abroad, which presented the rogue certificate to users and relayed their traffic to the real portal.
Fox-IT noticed the malicious activity after five hours and worked to restore its DNS settings and secure its account with the domain registrar. However, because resolvers cache DNS answers until their time-to-live (TTL) expires, the restored records took time to take effect, and the MitM attack ran for a total of 10 hours and 24 minutes.
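The changes described above (an A record pointed at an outside VPS, mail records swapped for 10 minutes, and rogue answers lingering in caches after the fix) are exactly what a DNS baseline monitor is meant to catch. The following is an added example written for this article, not Fox-IT's own tooling: it compares an observed zone snapshot with an expected baseline, classifies each deviation by what it enables, and bounds how long rogue answers may survive in resolver caches after restoration. All names and addresses (example.com, 203.0.113.x, 198.51.100.x) are constructed sample data, and the "observed" answers are hard-coded rather than fetched so the script runs offline; in production they would come from scheduled queries against several public resolvers.

```python
"""DNS baseline monitor (added example; not Fox-IT code).

Records below are constructed sample data. The observed snapshot is
hard-coded instead of resolved live so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# A zone snapshot: (owner name, record type) -> (set of values, TTL in seconds)
Snapshot = Dict[Tuple[str, str], Tuple[FrozenSet[str], int]]


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    kind: str      # values_changed | ttl_lowered | record_added | record_removed
    detail: str
    severity: str  # high | medium


# Hypothetical baseline: what the registrar is supposed to serve.
BASELINE: Snapshot = {
    ("portal.example.com", "A"): (frozenset({"203.0.113.10"}), 3600),
    ("example.com", "MX"): (frozenset({"10 mail.example.com."}), 3600),
    ("example.com", "NS"): (frozenset({"ns1.example.net.", "ns2.example.net."}), 86400),
}

# Constructed answers mimicking the attack: the portal now resolves to an
# outside VPS, mail goes to an attacker mailbox, and TTLs were lowered so
# the swap propagates quickly.
OBSERVED_DURING_ATTACK: Snapshot = {
    ("portal.example.com", "A"): (frozenset({"198.51.100.77"}), 60),
    ("example.com", "MX"): (frozenset({"10 mx.attacker-mail.example."}), 60),
    ("example.com", "NS"): (frozenset({"ns1.example.net.", "ns2.example.net."}), 86400),
}

# What a change to each record type enables, in terms of this incident.
IMPACT = {
    "MX": ("high", "mail redirected: attacker can pass email-based domain validation and obtain a certificate"),
    "A": ("high", "traffic redirected: attacker can man-in-the-middle the host"),
    "AAAA": ("high", "traffic redirected: attacker can man-in-the-middle the host"),
    "NS": ("high", "delegation changed: attacker controls every record in the zone"),
}


def diff_snapshots(baseline: Snapshot, observed: Snapshot) -> List[Alert]:
    """Return one alert per deviation of `observed` from `baseline`."""
    alerts: List[Alert] = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        severity, why = IMPACT.get(rtype, ("medium", "record changed"))
        if key not in observed:
            alerts.append(Alert(name, rtype, "record_removed", why, severity))
            continue
        if key not in baseline:
            vals, _ = observed[key]
            alerts.append(Alert(name, rtype, "record_added", f"unexpected values {sorted(vals)}", severity))
            continue
        base_vals, base_ttl = baseline[key]
        obs_vals, obs_ttl = observed[key]
        if base_vals != obs_vals:
            alerts.append(Alert(name, rtype, "values_changed",
                                f"{sorted(base_vals)} -> {sorted(obs_vals)}; {why}", severity))
        # A lowered TTL alone is worth a medium alert: attackers lower it just
        # before swapping records so resolver caches pick up the change fast.
        if obs_ttl < base_ttl:
            alerts.append(Alert(name, rtype, "ttl_lowered", f"{base_ttl}s -> {obs_ttl}s", "medium"))
    return alerts


def rogue_answers_may_persist_until(restored_at: datetime, rogue_ttl: int) -> datetime:
    """Upper bound on when a resolver that cached the rogue answer right before
    the fix will stop serving it. Restoring the zone does not flush remote
    caches, which is why the exposure outlasts the moment of remediation."""
    return restored_at + timedelta(seconds=rogue_ttl)


if __name__ == "__main__":
    for a in diff_snapshots(BASELINE, OBSERVED_DURING_ATTACK):
        print(f"[{a.severity}] {a.name} {a.rtype} {a.kind}: {a.detail}")
```

Running the script against the constructed snapshot yields four alerts (changed values and lowered TTLs for the portal's A record and the domain's MX record) and nothing for the untouched NS records. The point of keying the baseline on the registrar-side truth rather than on whatever the last poll returned is that a slow, two-step change (lower TTL first, swap records later) is still caught at the first step.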
During this time the attacker managed to intercept the credentials of nine users, one mobile phone number, a "subset" of names and email addresses, ClientPortal account names, and 12 files, three of which contained confidential client information, Fox-IT said. All affected customers have been informed.
The security firm has not been able to determine what other messages the attackers may have intercepted during the 10 minutes in which they controlled Fox-IT's email.
After discovering the incident, the company said it stopped the attacker from intercepting additional customer information by disabling the two-factor authentication (2FA) mechanism on ClientPortal; since the portal cannot be used without the second factor, this effectively halted all logins, so no further credentials or files passed through the attacker's proxy.
Fox-IT believes the attackers most likely gained access to its registrar account using credentials leaked in a breach at a third-party service provider. The password had not been changed since 2013, and the registrar does not offer 2FA, so the leaked password alone was enough to change the DNS records.