Introducton[Analyzing Quantum Insert Attacks]:
And the Quantum Insert Attack is a classic example of man-in-the-middle attacks that resurfaced in the news among the top 10 leaks from WikiLeaks founder Edward Snowden. The NSA and British intelligence services GCHQ have reportedly successfully used it against OPEC and Belgacom to their advantage. In short – Quantum is the code name for strategically located NSA and GCHQ servers that can respond to a request faster than the intended recipient. An attacker would need monitoring capabilities to successfully attack a victim.Once the quantum servers win the race against the original answer, an attacker can steal sensitive data such as login credentials, bank account information, and credit card numbers, or even spread malware that can work in tandem with the botnet’s C&C server.
Understanding the attack
The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In the case of a government-sponsored attack, ISPs can gain monitoring capabilities, and in the case of cyber-espionage, they have access within the network they are trying to move inside. This kind of attack is generally not used for large-scale attacks, instead the attacker is very aware of their target and the most frequently used websites. In the past, Snowden leaks have revealed that LinkedIn and Slashdot users have been targeted. The core of the attack is to win a race against legitimate response packets. The schematic diagram given here will help you understand better:
Step 1:
STEP 2:
STEP 3:
In the schematic diagram above, we can see that the attacker is waiting on the network for the target to initiate a connection to a specific website. Each quantum server is configured to meet certain conditions. Once any request from the target meets this set of conditions, the attacker is notified of the request from the target. Quantum servers will then send a response to the victim’s original request. The victim receives a malicious payload and the attacker can have full control over the victim. The original response packets from the site are discarded.
Attack simulation
To simulate a Quantum Insert attack, we would need three virtual machines:
- One VM will act as a victim
- The second VM will be used to monitor traffic
- The third will be used to drop a damaging payload on the victim.
The proof-of-concept code for the simulation is available for download here:
[download]
Although details on how to use the script are provided on the github page, let me repeat them here for quick reference.
The attacker knows that the victim is visiting mysite.com and configures his monitor.py to notify the attacker when certain conditions are met. In our case, the conditions are as follows:
- The victim visits mysite.com
- We need a SYN+ACK from mysite.com
When this information is obtained via tcpdump (the output of which is analyzed by monitor.py), the shooter is alerted. Shooter depends on Scapy to create packets (with details in the header but with a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the backbone of the Internet, to win the race.
How QI works in real time
I. Foot print
Agencies such as the NSA and GCHQ grab hold of a choke point in the Internet’s backbone and try to capture the identities of users from the organization being targeted. Codenamed TURMOIL, the project captures network dumps and feeds them to traffic analysis tools like Xkeyscore, which automate packet analysis.
II. Create user profiles
Tools like Xkeyscore can be used to look for patterns in network traffic to help identify multiple attack points. The types of data that are captured include web history, email traffic, chat logs, etc. In the particular case of the QI attacks on OPEC, this phase appears to have lasted several years.
III. Attack the target
Once the attack points are profiled, a monitor on the choke of the Internet backbone informs the gunner when any requirements that meet all conditions are met. In the Belgacom hack, GCHQ used a QI attack to route traffic for LinkedIn and Slashdot to malicious servers posing as those sites.
IV. Keep the attitude and persevere
Once the attack is successful, it is the same old mundane post-exploitation tasks where the attacker tries to escalate privileges and move laterally within the network in stealth mode to obtain sensitive data and other network resources such as mail servers, file servers, etc. which are then exfiltrated to data analytics experts.
Detection of QI attacks
- QI attacks work by forging packets in response to a request to a specific site. One packet in response to a GET request from the victim contains the content of the real website and the next packet will contain the content of the malicious website. However, both of these packets must have the same sequence numbers, which will give them away when detecting QI attacks.
- Another anomaly to note is the TTL value of the packet. Spoofed packets would contain a significant difference in TTL values than real packets due to the closer proximity of the attacker to the victim.