A man-in-the-middle (MitM) attack is a type of cyberattack where a hacker intercepts data transferred between two parties.
Wiz Experts Team
7 minutes read
A man-in-the-middle (MitM) attack is a type of cyberattack where a hacker intercepts data transferred between two parties. This lets the attacker control the communication, tricking the legitimate parties on both ends into believing that their communication is secure and uninterrupted.
The goal is usually to eavesdrop, redirect or modify communications, steal sensitive personal or financial information (such as login credentials or credit or debit card numbers), or carry out denial-of-service (DOS) attacks and advanced persistent threat (APT) assaults.
Imagine an instance where a threat actor inserts themselves between an online banking customer and their bank app. As the customer logs into the app and attempts to make a wire transfer, the MitM eavesdrops on the conversation. The threat actor may collect the user’s login credentials and transfer PIN for later use, or they may modify the communication to redirect the funds transfer to their own bank accounts.
MitM attacks typically involve two distinct phases: interception and decryption:
Phase 1: Interception
This is the phase when an attacker inserts themselves between a client and a server to interrupt network traffic and data transfer. To conduct the interception phase, the attacker exploits vulnerabilities in the target networks, such as insecure public Wi-Fi hotspots, unverified website certificates, and exposed encryption/decryption keys.
The attacker scans the target networks for insecure connections or browser vulnerabilities using open-source reconnaissance tools, such as network sniffing software (e.g., Ettercap or Wireshark). Once a vulnerability is found, the attacker uses interception techniques like phishing, spoofing, and session hijacking to gain unauthorized access to the network path. They then hijack data packets to read or change client requests and server responses.
Phase 2: Decryption
Networks that are secured with bi-directional secure sockets layer or transport layer security (SSL/TLS) certificates have encrypted communication. After intercepting data on these networks, the attacker must decrypt the data—without alerting either party—to be able to read or manipulate it. Common decryption methods include HTTPS spoofing and SSL hijacking.
Attackers may find it easier to decrypt secure communications if SSL is unidirectional or if weak cryptography is used. (If the intercepted server-to-client communication is unencrypted—for example, if HTTP, Telnet, or other unsecured protocols are utilized—then this phase is unnecessary.) After achieving the initial goal of collecting credentials, or planting malware for advanced attacks, the attacker exits the communication channel.
As we’ve seen, MitM attackers deploy various techniques to intercept, hijack, and decrypt packets before they reach their destination. Let’s take a closer look.
Interception methods
Some interception techniques involve contact with victims’ devices, and others involve the use of readily available interception tools:
Wi-Fi eavesdropping: Attackers can eavesdrop on Wi-Fi networks by attaching packet sniffers to unsecured Wi-Fi hotspots. The insecure Wi-Fi network may be a public or private network with weak passwords that the attacker cracks using password cracking software (e.g., John the Ripper). Or it may be a Wi-Fi network owned by the malicious actor and disguised as a free, public network. The moment unsuspecting victims connect to unsecured hotspots, the attacker becomes an MitM, able to access all their communications.
Phishing: Also known as email hijacking, cyberactors trick unsuspecting users into opening malicious emails or clicking on malicious links in order to install spyware on their devices or redirect them to fake websites where their sensitive information is retrieved. For example, a threat actor, disguised as an ecommerce website frequented by a user, sends them an email containing links to supposedly discounted products. The user clicks on the link, which automatically redirects them to a suspicious web page. Even if they close the web page, it’s too late—MitM spyware is already installed on their phone or laptop.
Session hijacking: Also referred to as cookie hijacking, this technique involves scraping or sniffing browser cookies containing tokens and saved passwords. The tokens are then used to intercept login sessions or steal login credentials from either of the two parties at the end of the communication channel.
DNS spoofing, also known as DNS cache poisoning, involves corrupting the DNS (Domain Name System) query process. DNS spoofing can be considered a specific technique that might be used in the broader context of a MitM attack. By manipulating DNS responses, an attacker can redirect a victim’s traffic through a device or server controlled by them, effectively placing themselves "in the middle" of the communication. Once the traffic is redirected, the attacker can monitor, collect, or alter the data transmitted between the victim and what they believe is a legitimate site.
ARP spoofing, also known as ARP poisoning, is another technique that can facilitate Man-in-the-Middle (MitM) attacks. ARP spoofing is a direct method to perform MitM attacks within a local network. Once the attacker has successfully associated their MAC address with the IP address of a target device (e.g., a gateway or server), they can intercept, modify, or redirect the traffic between two devices without their knowledge.
Decryption methods are the techniques that threat actors use to hijack and read encrypted client-to-server communication. They include
HTTPS spoofing: Also known as homograph attacks, Hypertext Transfer Protocol Secure (HTTPS) spoofing starts with a victim who requests to securely connect to a website. In response, a hacker sends the victim a hoax certificate that belongs to a lookalike but malicious version of the target website. The victim’s browser verifies the certificate, believing it to be a trusted site, which then allows the cyberattacker to decrypt the communication.
SSL hijacking: In SSL hijacking, the cybercriminal intercepts SSL/TLS network traffic and sends fake SSL certificates to both the client and server during a TCP handshake. This allows the attacker to impersonate the server, force victims to connect to unsecured websites, and control the session.
SSL stripping: SSL stripping occurs when a hacker intercepts TLS authentications sent from servers to clients in order to downgrade HTTPS to HTTP connections. This way, the victim is directed to an unencrypted version of the target app, ensuring all server-to-client communication is fully visible to the attacker.
BEAST attacks: Browser Exploit Against SSL/TLS (BEAST) attacks target older SSL/TLS version vulnerabilities that allow threat actors to infect victims’ computers with malicious JavaScript in order to decrypt cookies and obtain authentication tokens.
AWS EKS Access Entries and Policies vulnerabilities
In early 2024, AWS optimized identity access management for its managed Kubernetes service. Though the update streamlined access to users/roles in EKS clusters and their corresponding storage buckets, the Wiz Research team discovered that it could lead to lateral movement and other access-related vulnerabilities which can give MitM attackers leverage in an enterprise’s Kubernetes environment.
The 2022 Office 365 attack
In 2022, the Lapsus$ hacking group conducted a massive MitM attack that affected 10,000 Office 365 enterprise users. The group deployed various tactics, including phishing attacks, credential sniffing, account hijacking, and HTML redirection to gain unauthorized access to targets’ networks and Office accounts.
Preventing MitM attacks requires a combination of practical steps and security tools, including the following:
Preventing Man-in-the-Middle (MitM) attacks requires a multi-layered security approach, focusing on encryption, authentication, network security, and user awareness. Implementing these best practices can significantly reduce the risk of MitM attacks:
1. Use Strong Encryption
Implement HTTPS: Ensure all web traffic is encrypted by using HTTPS instead of HTTP. Utilize HSTS (HTTP Strict Transport Security) to force browsers to use secure connections.
Encrypt Data: Use strong encryption for data at rest and in transit. This includes using secure protocols like TLS (Transport Layer Security) for web and email, SSH (Secure Shell) instead of Telnet for remote access, and VPNs (Virtual Private Networks) for secure remote access.
2. Secure Network Infrastructure
Secure Wi-Fi Networks: Use WPA3 encryption for Wi-Fi networks. Hide SSID broadcasts and disable WPS (Wi-Fi Protected Setup) to make it harder for attackers to find and exploit your network.
Use VPNs: Employ VPNs for secure access to corporate networks, especially for remote work, to ensure that data is encrypted over potentially insecure networks like public Wi-Fi.
3. Authentication and Access Control
Strong Authentication: Implement multi-factor authentication (MFA) for accessing sensitive systems and data to add an additional layer of security beyond just passwords.
Digital Certificates: Use digital certificates for servers and clients to authenticate devices and users, ensuring that communications are with legitimate entities.
Regularly Update Passwords: Encourage or enforce regular password changes and use of strong, unique passwords.
4. Network Monitoring and Protection
Monitor Network Traffic: Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor for unusual network traffic patterns or unauthorized access attempts.
Secure DNS: Implement DNSSEC (DNS Security Extensions) to protect against DNS spoofing by ensuring the authenticity of DNS responses.
ARP Spoofing Protection: Employ security features like Dynamic ARP Inspection (DAI) on switches to prevent ARP spoofing attacks within local networks.
5. User Education and Awareness
Phishing Awareness: Educate users on the risks of phishing attacks, which are often precursors to MitM attacks. Teach them to recognize suspicious emails and links.
Safe Browsing Practices: Encourage the use of secure and reputable websites, especially when entering sensitive information. Look for HTTPS and valid certificates.
6. Software and System Security
Keep Systems Updated: Regularly update all software, including operating systems, applications, and firmware on devices to patch vulnerabilities.
Firewall and Antivirus: Use firewalls to control incoming and outgoing network traffic and antivirus software to protect against malware that could be used in MitM attacks.
MitM attacks occur when cybercriminals interrupt network communication, dividing what should be a direct client-to-server connection into two: one channel between the attacker and the client, and the other between the attacker and the server. Because this allows attackers to read and modify sensitive messages sent over the connection, MitM attacks can have devastating consequences for individuals and organizations.
A reputable, full-stack cloud security solution—like Wiz—is also a critical part of MitM prevention. Wiz provides capabilities to detect and address various cybersecurity threats, including the potential for man-in-the-middle (MITM) attacks. Wiz's comprehensive security posture analysis and threat detection features can help identify anomalies and patterns indicative of such attacks. For instance, Wiz's analysis of network exposure and threat detection rules could uncover unusual network traffic or suspicious activity that might suggest a MITM attack is occurring or has occurred.
Request a demo today to see how Wiz can protect your enterprise and users from MitM attacks.
A single platform for everything cloud security
Learn why CISOs at the fastest growing companies choose Wiz to help secure their cloud environments.
Application detection and response (ADR) is an approach to application security that centers on identifying and mitigating threats at the application layer.
Secure coding is the practice of developing software that is resistant to security vulnerabilities by applying security best practices, techniques, and tools early in development.
Secure SDLC (SSDLC) is a framework for enhancing software security by integrating security designs, tools, and processes across the entire development lifecycle.
DAST, or dynamic application security testing, is a testing approach that involves testing an application for different runtime vulnerabilities that come up only when the application is fully functional.
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls.