Analyzing Quantum Insert Attacks
A Quantum Insert Attack is a classic example of man-in-the-middle attacks which resurfaced into news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread a malware which can work in tandem with a botnet C&C server.
Understanding the attack
The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained by Internet Service Providers and in the case of cyber espionage crimes, having access within a network looking to move laterally inside. This kind of attack is generally not used for large scale attacks, instead the attacker is very well aware of his target and most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better:
In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim. The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded.
Simulating the attack
To simulate the Quantum Insert attack, we would require three VMs:
- One VM will act as a victim
- Second VM will be used to monitor the traffic
- Third will be used to shoot a malicious payload to the victim.
The proof-of-concept code for simulation is available to be downloaded here:
Though the details of use for the script is given in the github page, let me re-iterate them here for quick reference.
The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows:
- Victim visits mysite.com
- We need SYN+ACK of mysite.com
On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. Shooter has a dependency on Scapy to craft packets (with its header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition.
How real time QI works
I. Foot printing
Agencies like NSA and GCHQ catch hold of choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed as TURMOIL captures the network dumps and passes it to traffic analysis tools like Xkeyscore which automate the packet analysis.
II. Build User Profiles
Tools like Xkeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attacks. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years.
III. Attack the target
Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites.
IV. Maintain access and persist
Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to gain his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts.
Detecting QI attacks
- QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But, both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks.
- Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values than the real packets because of the closer proximity of the attacker to the victim.
Links for QI detection for snort: GitHub
Links for QI PCAPS: GitHub