NEC Africa

1/2/2024


Resurgence of AiTM Attacks in Cybersecurity

 
Divan de Nysschen, Cybersecurity Architect, NEC XON

Unmasking AiTM: The Resurgence of Adversary-in-the-Middle Attacks in Cybersecurity
In the dynamic realm of cybersecurity, threats often disappear temporarily, only to evolve and reappear in more sophisticated forms. One such resurgence is the Adversary-in-the-Middle (AiTM) attack, a potent phishing tactic that poses a significant risk to the security of SaaS applications. How should organisations prepare themselves to counter this formidable threat?
AiTM Evolution
While AiTM is not a novel concept, it has undergone a metamorphosis, transforming the tools employed into a potent weapon in the arsenal of cyber adversaries. Initially witnessed in 2017, AiTM attacks are particularly adept at pilfering session tokens. The danger lies in the resulting ability to circumvent Multi-Factor Authentication (MFA), rendering trusted security measures inadequate. An AiTM attack intercepts authentication between users and a legitimate authentication service to compromise identities, steal credentials and intercept MFA, capturing the session cookie. This stolen session cookie allows attackers to impersonate the user without further intervention, gaining unauthorised access and potentially leading to Business Email Compromise (BEC) attacks.
Modern cyber adversaries use phishing and spear-phishing campaigns to redirect users to fake login pages. Once users enter legitimate credentials and complete the MFA prompt, the attackers save the credentials and session token. The end user is then redirected to the legitimate login page and automatically logged in, without suspecting anything. Tools like Evilginx and new tactics like "EvilQR" (QR code-based attacks) further complicate detection, because entire emails containing QR codes are inserted as images, making it challenging for email security solutions to identify the threat.
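An added detection example, not code from NEC XON: it scans sign-in events for two signals consistent with the behaviour described above, an MFA completion from a network the user does not normally use and a session token later presented from a different client context. The log schema, event names, ASN values and per-user baseline are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events; the field names are a hypothetical schema.
SAMPLE_LOG = """
{"ts":"2024-01-02T08:00:05Z","user":"alice","sid":"s-1","event":"mfa_ok","asn":64500,"ua":"Chrome/120 Win"}
{"ts":"2024-01-02T08:03:10Z","user":"alice","sid":"s-1","event":"mail_read","asn":64500,"ua":"Chrome/120 Win"}
{"ts":"2024-01-02T09:15:00Z","user":"bob","sid":"s-2","event":"mfa_ok","asn":64501,"ua":"Firefox/121 Mac"}
{"ts":"2024-01-02T09:15:40Z","user":"bob","sid":"s-2","event":"inbox_rule_add","asn":64511,"ua":"python-requests/2.31"}
{"ts":"2024-01-02T10:00:00Z","user":"carol","sid":"s-3","event":"mfa_ok","asn":64510,"ua":"Chrome/120 Win"}
{"ts":"2024-01-02T10:20:00Z","user":"carol","sid":"s-3","event":"mail_read","asn":64510,"ua":"Chrome/120 Win"}
"""

# Constructed baseline: ASNs each user normally signs in from (assumption).
KNOWN_ASNS = {"alice": {64500}, "bob": {64501}, "carol": {64502}}

def parse_events(text):
    """Parse JSON-lines events and order them by ISO-8601 timestamp."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(rows, key=lambda e: e["ts"])

def find_suspect_sessions(events, known_asns):
    """Return {session id: [reasons]} for sessions worth an analyst's review."""
    issued = {}                    # sid -> (asn, user agent) seen when MFA completed
    findings = defaultdict(set)    # sid -> set of reason strings
    for e in events:
        ctx = (e["asn"], e["ua"])
        if e["event"] == "mfa_ok":
            issued[e["sid"]] = ctx
            # A relaying proxy completes MFA from its own network, so the
            # login itself can be the only anomalous event in the session.
            if e["asn"] not in known_asns.get(e["user"], set()):
                findings[e["sid"]].add("mfa_from_unfamiliar_network")
        elif e["sid"] in issued:
            # Require both network and user agent to change, so that a user
            # roaming between networks on one browser is not flagged.
            asn0, ua0 = issued[e["sid"]]
            if e["asn"] != asn0 and e["ua"] != ua0:
                findings[e["sid"]].add("session_used_from_new_context")
    return {sid: sorted(reasons) for sid, reasons in findings.items()}

if __name__ == "__main__":
    for sid, reasons in find_suspect_sessions(parse_events(SAMPLE_LOG), KNOWN_ASNS).items():
        print(sid, reasons)
```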
Bolstering cybersecurity measures is no longer an option but a necessity
Recognising the gravity of AiTM attacks, NEC XON implements pivotal security measures to protect against potential breaches. In the face of emerging Tactics, Techniques, and Procedures (TTPs), NEC XON emphasises the need for a proactive approach from Managed Security Service Providers (MSSPs) and cybersecurity professionals worldwide.
As our customers navigate this new era of cyber threats, the call to action is clear – bolstering cybersecurity measures is no longer an option but a necessity. The time to reinforce defences and stay ahead of evolving threats is now. The era of AiTM demands a united front from the global cybersecurity community to ensure a secure digital future. Stay vigilant, stay secure.