T1638 Adversary-in-the-Middle
Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as Transmitted Data Manipulation or Endpoint Denial of Service.
Adversary-in-the-Middle can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. Once the device routes its traffic through the malicious VPN, the adversary can redirect that traffic wherever they choose. However, registering as a VPN client requires user consent on both Android and iOS, and on iOS the application additionally requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially use those privileges to gain access to network traffic.
Outside of the mobile device, adversaries may capture traffic by employing a rogue base station or Wi-Fi access point. These devices allow adversaries to capture network traffic after it has left the device, while it is in transit to its destination. On a local network, enterprise techniques such as DNS redirection or DNS poisoning could be used.
If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture: traffic captured off the device (at a rogue access point or base station) is protected by that encryption, whereas an adversary who has installed a trusted certificate on the device or who can hook the application's TLS functions may still recover it.
Item | Value |
---|---|
ID | T1638 |
Sub-techniques | |
Tactics | TA0035 |
Platforms | Android, iOS |
Version | 2.1 |
Created | 05 April 2022 |
Last Modified | 15 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0288 | KeyRaider | Most KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store. [2] |
S0407 | Monokle | Monokle can install attacker-specified certificates to the device’s trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks. [3] |
S1062 | S.O.V.A. | S.O.V.A. has included adversary-in-the-middle capabilities. [1] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1009 | Encrypt Network Traffic | Applications that properly encrypt network traffic may evade some forms of AiTM behavior. |
M1006 | Use Recent OS Version | Recent OS versions have made it more difficult for applications to register as VPN providers. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | Protected Configuration |
DS0029 | Network Traffic | Network Connection Creation |
DS0042 | User Interface | Permissions Request |
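The VPN-registration mechanism described above and the Application Vetting / Protected Configuration data source in the detection table both come down to static checks on what an app declares. The following is an added example, not code from the ATT&CK page or from any of the listed software: a Python vetting script that inspects a decoded AndroidManifest.xml for a service able to act as a VPN client (declared with android.permission.BIND_VPN_SERVICE or the android.net.VpnService intent action) and inspects the app's Network Security Config for settings that weaken protection against an on-path adversary: trusting user-installed CAs (the kind of certificate Monokle installs), permitting cleartext traffic, or omitting a certificate pin-set for a domain. The manifest and config are constructed samples, the pin digest is a placeholder value, and the script assumes the XML has already been decoded from the APK's binary form (for example with apktool).

```python
"""Static app-vetting checks for Adversary-in-the-Middle exposure (added example).

Operates on the decoded, plain-text XML form of an Android app's manifest and
Network Security Config; real APKs store both as binary XML, so decode them
first (e.g. with apktool). The sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"

# Constructed sample manifest: one service that can register as a VPN client, one that cannot.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:networkSecurityConfig="@xml/network_security_config">
    <service android:name=".TunnelService" android:exported="true"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# Constructed sample Network Security Config; the pin digest is a placeholder, not a real key hash.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_vpn_services(manifest_xml):
    """Return the names of <service> components able to act as a VPN client.

    A VpnService subclass must be guarded by BIND_VPN_SERVICE and normally
    advertises the android.net.VpnService intent action; either one is
    enough to flag the component for reviewer attention.
    """
    root = ET.fromstring(manifest_xml)
    hits = []
    for svc in root.iter("service"):
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if _android_attr(svc, "permission") == VPN_PERMISSION or VPN_ACTION in actions:
            hits.append(_android_attr(svc, "name"))
    return hits


def audit_network_security_config(nsc_xml):
    """Flag Network Security Config settings that weaken protection against an
    on-path adversary. Returns a list of human-readable findings."""
    root = ET.fromstring(nsc_xml)
    findings = []
    for cfg in root:  # direct children: base-config, domain-config, debug-overrides
        scope = cfg.tag
        if cfg.tag == "domain-config":
            domains = ",".join(d.text.strip() for d in cfg.iter("domain") if d.text)
            scope = f"domain-config[{domains}]"
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{scope}: cleartext traffic permitted")
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                # debug-overrides only apply when the app is built with android:debuggable="true"
                note = " (debug builds only)" if cfg.tag == "debug-overrides" else ""
                findings.append(f"{scope}: trusts user-installed CAs{note}")
        if cfg.tag == "domain-config" and cfg.find("pin-set") is None:
            findings.append(f"{scope}: no certificate pin-set")
    return findings


def vet_app(manifest_xml, nsc_xml):
    """Combine both checks into one report for an app under review."""
    return {
        "vpn_services": find_vpn_services(manifest_xml),
        "nsc_findings": audit_network_security_config(nsc_xml),
    }


if __name__ == "__main__":
    report = vet_app(SAMPLE_MANIFEST, SAMPLE_NSC)
    print("VPN-capable services:", report["vpn_services"])
    for finding in report["nsc_findings"]:
        print("NSC:", finding)
```

A VpnService declaration is not malicious on its own (legitimate VPN apps need it) and the user must still consent at runtime, so treat the hit as a triage signal to pair with the Permissions Request data component rather than a verdict. On Android 7 and later, apps targeting that release trust only system CAs by default; a base-config that lists src="user" opts back in to trusting certificates that a malicious app or profile installed, while the same setting under debug-overrides only takes effect in debuggable builds, which is why the script reports it separately.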
References
1. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
2. Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.
3. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.