Thursday, February 13, 2025
HomeData BreachLeading IT Security Firm Fox-IT hit by Cyber Attack

Leading IT Security Firm Fox-IT hit by Cyber Attack

Published on

SIEM as a Service

Follow Us on Google News

Worlds Leading IT Security firm Fox-IT hitting by Man-in-the-Middle Cyber Attack and an attacker accessed the DNS records for the Fox-IT.com at their 3 rd party domain register.

This attack leads to spying some small amount of their customer’s activities and this incident has been active the total effective MitM time to 10 hours and 24 minutes.

man-in-the-middle attack is a form of eavesdropping in which an attacker intercepts and relays messages between two parties who are communicating directly with each other.

In this case, Attacker has modified the Fox-IT DNS record and point out to their own server and to intercept and forward the traffic to the original server that belongs to Fox-IT.

Fox-IT client portal was the specific aim for the attacker where Fox-IT used it for an exchange of files with customers, suppliers and other organizations.

Also Read: Beware!! New Spider Ransomware Widely Spreading by using Office Documents

What Happened During this Cyber Attack

First unusual activities triggered on Sept 16, 2017, which contains a reconnaissance with Fox-IT infrastructure including port scans, vulnerability scans, and other scanning activities.

later attacker gain the access to the Fox-IT network and modified the DNS record of the fox-it.com domain.

In this case, Fox-IT believes that client portal still pointed out to Fox-IT legitimate Client portal server but attacker temporarily reroutes the attack and intercepted Fox-IT email for the specific purpose of proving that they owned Fox-IT domain in the process of fraudulently registering an SSL certificate for our ClientPortal.

Sept 19 2017, Fox-IT Experts realized that real MITM attack starts against their server. during this time the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad.

According to Fox-IT investigation, name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar

Later Fox-IT disables the two-factor authentication for their client portal to preventing users of ClientPortal from successfully logging in.

Also, Fox-IT kept the portal open to access for the attacker and they concern about not to disclose this activity to the attacker for taking time to investigate more.

“During the meantime of Sept 19 – Sept 20 2017, A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority Fox-IT said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical Chrome Flaw Allows Attackers to Remotely Execute Code

Google has released an urgent update for its Chrome browser to address a critical...

Global IoT Data Leak Exposes 2.7 Billion Records and Wi-Fi Passwords Worldwide

A massive security lapse has exposed over 2.7 billion records, including sensitive Wi-Fi credentials,...

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Global IoT Data Leak Exposes 2.7 Billion Records and Wi-Fi Passwords Worldwide

A massive security lapse has exposed over 2.7 billion records, including sensitive Wi-Fi credentials,...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

Threat actors from dark web forums claim to have stolen and leaked 20 million...

Globe Life Ransomware Attack Exposes Personal and Health Data of 850,000+ Users

Globe Life Inc., a prominent insurance provider, has confirmed a major data breach that...