Fox-IT, the Netherlands-based cybersecurity firm, announced on Thursday that it has suffered a security breach in which some files and emails sent by the organization's clients were intercepted by an anonymous attacker.
The attacker gained access to the DNS records for the Fox-IT.com domain at the company's third-party domain registrar, changed them to point to a server under their own control, and intercepted the traffic before forwarding it on to the primary Fox-IT server. This is a classic Man-in-the-Middle (MitM) attack.
According to the company:
The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.
The company noticed a number of vulnerability scans against its infrastructure in the days leading up to the attack, but did not follow up on them because such scans were assumed to be routine.
They detected the attack after roughly five hours and immediately worked to restore the DNS settings and secure their account with the domain registrar. However, because of caching and the way DNS works, it took some time for the corrections to propagate, and the MitM attack remained effective for 10 hours and 24 minutes in total.
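Continuously comparing a domain's live records against a known-good baseline is the check that shortens the detection window described above, and the TTL on the hijacked records bounds how long stale answers linger after recovery. The following is an added Python example, not Fox-IT's code; it uses a constructed `lookup` function in place of a real resolver, RFC 5737 test addresses, and hypothetical example.com names.

```python
"""Detect drift between expected DNS records and what resolvers currently return."""
from dataclasses import dataclass

@dataclass
class Drift:
    name: str
    rtype: str
    expected: set
    observed: set
    ttl: int  # TTL on the unexpected answer: how long caches may keep serving it

def check_records(baseline, lookup):
    """Return a Drift for every (name, rtype) whose live answer differs from baseline.

    baseline: {(name, rtype): set_of_expected_values}
    lookup(name, rtype) -> (iterable_of_values, ttl_seconds); in production this
    would query several public resolvers plus the authoritative servers.
    """
    drifts = []
    for (name, rtype), expected in baseline.items():
        observed, ttl = lookup(name, rtype)
        if set(observed) != set(expected):
            drifts.append(Drift(name, rtype, set(expected), set(observed), ttl))
    return drifts

def worst_case_exposure_seconds(drifts, time_to_restore_seconds):
    """Exposure does not end when records are restored: resolvers that cached the
    hijacked answer keep it until its TTL expires, so add the largest such TTL."""
    return time_to_restore_seconds + max((d.ttl for d in drifts), default=0)

# Constructed baseline and a constructed "hijacked" lookup; values are not real.
BASELINE = {
    ("clientportal.example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"mail.example.com"},
    ("example.com", "NS"): {"ns1.example.net", "ns2.example.net"},
}

def hijacked_lookup(name, rtype):
    answers = {
        ("clientportal.example.com", "A"): (["198.51.100.7"], 3600),  # attacker host
        ("example.com", "MX"): (["mail.example.org"], 3600),            # mail rerouted
        ("example.com", "NS"): (["ns1.example.net", "ns2.example.net"], 86400),
    }
    return answers[(name, rtype)]

if __name__ == "__main__":
    for d in check_records(BASELINE, hijacked_lookup):
        print(f"ALERT {d.rtype} {d.name}: expected {sorted(d.expected)} got {sorted(d.observed)} (ttl {d.ttl}s)")
```

Run on a schedule of minutes rather than hours; a registrar-level change shows up as a mismatch at the authoritative servers first, while recursive resolvers lag by up to the old record's TTL.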
During this time, the attacker was able to intercept the credentials of 9 clients, one mobile phone number, a "subset" of names and email addresses, ClientPortal account names, and 12 files, 3 of which contained confidential client data, the company said. All affected customers have been informed.