The evolution of Man-in-the-Middle attacks


Kevin Bocek at Venafi describes how “man in the middle” attacks are far more common than people realise.

Although less well known than ransomware and malware attacks, Man-in-the-Middle (MitM) attacks are among the most widely used methods available to cybercriminals: according to some estimates, 35 percent of incidents where cyber weaknesses have been exploited involved MitM attacks.

MitM attacks happen when a cybercriminal sits between the connection of two parties. This gives them the ability to covertly intercept or sabotage communications, so they can spy on their victims or obtain their login credentials or other personal information. As such, MitM attacks are a valuable part of the cybercriminal’s toolkit.

As MitM attacks are one of the oldest types of cyber attack, security professionals have found ways of guarding against them over time. Yet as organisations have become increasingly digitised, MitM attack methods have evolved.

From network to endpoint

Traditionally, MitM attacks have been carried out by interfering with legitimate networks, or by setting up a fake network that cybercriminals control. This allows cybercriminals to intercept a user’s communications before they reach their intended destination. Ordinarily, this involves the attacker executing a ‘passive’ attack, such as setting up malicious Wi-Fi hotspots and making them available for public use. Once the victim connects to one, the cybercriminal can access any data exchanged on the network. This gives them the ability to decrypt any traffic encrypted with a Transport Layer Security (TLS) certificate, all without the user or application knowing.

However, thanks to advancements in cybersecurity defences, network-based attacks such as these are increasingly difficult to execute. As such, cybercriminals have begun to shift their MitM efforts away from networks, and towards the endpoint. Increasingly, cybercriminals recognise that by exploiting machine identities (such as X.509 digital certificates used for TLS), they can make their activities appear trustworthy and secure. By targeting an individual computer and installing a root Certificate Authority (CA), attackers can generate valid digital certificates that allow them to impersonate any website. The user may be visiting, say, Barclays’ website, but since the root CA is controlled by the bad guys, every encrypted communication the user sends can be intercepted. As the communications are underpinned by a valid machine identity, they appear to be safe and trustworthy, making this method extraordinarily difficult to detect.

The Superfish fiasco was a prime example. In 2015, hardware giant Lenovo shipped devices with advertising software from Superfish, a US-based software developer, pre-installed. The software was used to place adverts that Lenovo wanted users to see into their Google search results. However, for it to work, Lenovo needed the ability to intercept user traffic so that it could advertise to users. It did this by interrupting the certificate chain – the system of trust that machines use to verify online communications – through the use of a ‘self-signed’ certificate, enabling Superfish to appear as a trusted party. This effectively made Superfish the root CA, which ensured that every website the user visited would have a certificate that’s signed and controlled by Superfish. Lenovo’s intentions may not have been malicious, but they gave cybercriminals a blueprint to follow.


As organisations become increasingly digitised, we can expect MitM attack methods to evolve once again. Digital transformation is now a priority for organisations of all types, and spending on technologies such as cloud, artificial intelligence and the Internet of Things has skyrocketed, even amidst the challenges of 2020. As a result, the number of machine identities used to secure machine-to-machine connections has grown exponentially.

For MitM attackers, this presents a new opportunity. By following the Superfish method above, cybercriminals can compromise a machine – from a cloud instance to a Kubernetes cluster to an API gateway – that issues commands to others on a network. For instance, were a cybercriminal to install a root CA on a cloud server that communicates with a wide variety of other machines, they could intercept and potentially alter every communication that’s issued. In this way, the concept of ‘Man-in-the-Middle’ becomes ‘Machine-in-the-Middle’, and while the latter will be more challenging for cybercriminals, the potential to wreak havoc is huge. For example, what if this method was used to alter commands sent to networks of connected healthcare devices? Or to autonomous vehicles?

Staying in control

The reality is that cybercriminals know all too well that organisations routinely overlook the importance of protecting their machine identities, such as TLS certificates. They know that since every single digital process relies on a machine identity, organisations have thousands of them to look after, and that it only takes one to slip through the cracks for them to take advantage. They know that they can then use machine identities as a weapon, enabling them to subvert machine-to-machine communications while appearing to be trustworthy.

The nightmare scenarios that ‘Machine-in-the-Middle’ attacks might involve remain hypothetical for now. Yet unless organisations begin to understand the importance of protecting their machine identities, it’s only a matter of time until we see one in practice.

Visibility over every single certificate on their networks is the best defence organisations have against this threat. Security teams need access to the right tools to enable certificate discovery and to automate responses to anomalous behaviour. This allows organisations to find and evaluate every certificate to make sure they are secure and automatically remove any that have been compromised. Critically, enterprises need to ensure that issues such as certificate creation, renewal and replacement are automated as much as possible, preventing any certificates from expiring or being forgotten about, which opens the door for their use within MitM attacks.
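As an added illustration (not Venafi’s or the article’s own tooling), the following Python script shows the kind of certificate-inventory check the paragraph above calls for, applied to the rogue-root scenario from the ‘From network to endpoint’ section: it walks each observed certificate’s issuer chain to its root, flags any self-signed root in an endpoint trust store that is not on the organisation’s allowlist (the Superfish pattern), flags served certificates that chain to such a root, and lists certificates nearing expiry. The fingerprints, hostnames and inventory records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # constructed placeholder, not a real hash
    not_after: date
    is_ca: bool
    source: str        # "truststore:<endpoint>" or "served:<site>"

# Hypothetical allowlist of root fingerprints the organisation expects to trust.
KNOWN_ROOTS = {"SHA256:PUBLIC-CA-1-PLACEHOLDER", "SHA256:CORP-CA-PLACEHOLDER"}
TODAY, FAR = date(2021, 6, 1), date(2030, 1, 1)

# Constructed inventory: two expected roots, one Superfish-style rogue root on
# laptop-07, and two server certificates observed from endpoints.
SAMPLE_INVENTORY = [
    Cert("CN=Public CA 1", "CN=Public CA 1", "SHA256:PUBLIC-CA-1-PLACEHOLDER", FAR, True, "truststore:laptop-01"),
    Cert("CN=Corp Root CA", "CN=Corp Root CA", "SHA256:CORP-CA-PLACEHOLDER", FAR, True, "truststore:laptop-01"),
    Cert("CN=Ad Injector Root", "CN=Ad Injector Root", "SHA256:ROGUE-PLACEHOLDER", FAR, True, "truststore:laptop-07"),
    Cert("CN=bank.example", "CN=Ad Injector Root", "SHA256:LEAF-1-PLACEHOLDER", FAR, False, "served:bank.example"),
    Cert("CN=api.example", "CN=Public CA 1", "SHA256:LEAF-2-PLACEHOLDER", TODAY + timedelta(days=10), False, "served:api.example"),
]

def root_of(cert, by_subject):
    """Follow issuer links up to a self-signed root; None if the chain dangles or loops."""
    seen = set()
    while cert is not None and cert.subject != cert.issuer and cert.subject not in seen:
        seen.add(cert.subject)
        cert = by_subject.get(cert.issuer)
    return cert if cert is not None and cert.subject == cert.issuer else None

def audit(inventory, today=TODAY, expiry_days=30):
    """Return (finding, source, detail) tuples for the three checks below."""
    by_subject = {c.subject: c for c in inventory if c.is_ca}
    findings = []
    for c in inventory:
        # 1. A self-signed root outside the allowlist: the Superfish pattern.
        if c.is_ca and c.subject == c.issuer and c.fingerprint not in KNOWN_ROOTS:
            findings.append(("unexpected_root", c.source, c.subject))
        # 2. A served certificate that does not chain to an allowlisted root.
        if c.source.startswith("served:"):
            root = root_of(c, by_subject)
            if root is None or root.fingerprint not in KNOWN_ROOTS:
                findings.append(("interception_suspected", c.source, c.issuer))
        # 3. Renewal hygiene: anything expiring within the window.
        if c.not_after <= today + timedelta(days=expiry_days):
            findings.append(("expiring", c.source, c.subject))
    return findings
```

Running `audit(SAMPLE_INVENTORY)` reports the rogue root on laptop-07, the bank certificate that chains to it, and the API certificate due for renewal, while the expected roots on laptop-01 produce no findings.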

Kevin Bocek is VP security strategy and threat intelligence at Venafi.

Copyright Lyonsdown Limited 2021
