Ransomware tales: The MitM attack that really had a Man in the Middle

It’s taken more than five years for justice to be served in this case, but the cops and the courts got there in the end.

The UK law enforcement office SEROCU, short for South East Regional Organised Crime Unit, this week reported the peculiar tale of one Ashley Liles, the literal Man in the Middle whom we referred to in the headline.

These days, we usually expand the jargon term MitM to mean Manipulator in the Middle, not merely to avoid the gendered term “man”, but also because many, if not most, MitM attacks these days are performed by machines.

Some techies have even adopted the name Machine in the Middle, but we prefer “manipulator” because we think it usefully decribes how this sort of attack works, and because (as this story shows) sometimes it really is man, and not a machine, in the middle.

MitM explained

A MitM attack depends on someone or something that can intercept messages sent to you, and modify them on the way through in order to deceive you.

The attacker typically also modifies your replies to the original sender, so that they don’t spot the deception, and get sucked into the trickery along with you.

As you can imagine, cryptography is one way to avoid MitM attacks, the idea being that if the data is encrypted before it’s sent, then whoever or whatever is in the middle can’t make sense of it at all.

The attacker would not only need to decrypt the messages from each end to figure out what they meant, but also to re-encrypt the modified messages correctly before passing them on, in order to avoid detection and maintain the treachery.

One classic, and fatal, MitM tale dates back to the late 1580s, when spymasters of England’s Queen Elizabeth I were able to intercept and manipulate secret correspondence from Mary, Queen of Scots.

Mary, who was Elizabeth’s cousin and political arch-rival, was at the time under strict house arrest; her secret messages were apparently smuggled in and out in beer barrels delivered to the castle where she was detained.

Fatally for Mary, Queen Bess’s spymasters were not only able to intercept and read Mary’s messages, but also to send falsified replies that lured Mary into putting sufficient details in writing to cook her own goose, as it were, revealing that she was aware of, and actively supported, a plot to have Elizabeth assassinated.

Mary was sentenced to death, and executed in 1587.

Fast forward to 2018

This time, fortunately, there were no assassination plans, and England abolished the death penalty in 1998.

But this 21st-century message interception crime was as audacious and as devious as it was simple.

A business in Oxford, England, just north of Sophos (we’re 15km downriver in Abingdon-on-Thames, in case you were wondering) was hit by ransomware in 2018.

By 2018, we had already entered the contemporary ransomware era, where criminals breaking into and blackmail entire companies at a time, asking for huge sums of money, instead of going after tens of thousands of individual computer owners for $300 each.

That’s when the now-convicted perpetrator went from being a Sysadmin-in-the-Affected-Business to a Man-in-the-Middle cybercriminal.

While working with both the company and the police to deal with the attack, the perpetrator, Ashely Liles, 28, turned on his colleagues by:

  • Modifying email messages from the original crooks to his bosses, and editing the Bitcoin addreses listed for the blackmail payment. Liles was thereby hoping to intercept any payments that might be made.
  • Spoofing messages from the original crooks to increase the pressure to pay up. We’re guessing that Liles used his insider knowledge to create worst-case scenarios that would be more believable than any threats that original attackers could have come up with.

It’s not clear from the police report exactly how Liles intended to cash out.

Perhaps he intended simply to run off with all the money and then act as though the encryption crook had cut-and-run and absconded with the cryptocoins themselves?

Perhaps he added his own markup to the fee and tried to negotiate the attackers’ demand down, in the hope of clearing a massive payday for himself while nevertheless acquiring the decryption key, becoming a hero in the “recovery” process, and thereby deflecting suspicion?

The flaw in the plan

As it happened, Liles’s dastardly plan was ruined by two things: the company didn’t pay up, so there were no Bitcoins for him to intercept, and his unauthorised fiddling in the company email system showed up in the system logs.

Police arrested Liles and searched his computer equipment for evidence, only to find that he’d wiped his computers, his phone and a bunch of USB drives a few days earlier.

Nevertheless, the cops recovered data from Liles’s not-as-blank-as-he-thought devices, linking him directly to what you can think of as a double extortion: trying to scam his employer, while at the same time scamming the scammers who were already scamming his employer.

Intriguingly, this case dragged on for five years, with Liles maintaining his innocence until suddenly deciding to plead guilty in a court hearing on 2023-05-17.

(Pleading guilty earns a reduced sentence, though under current regulations, the amount of “discount”, as it is rather strangely but officially known in England, decreases the longer the accused holds out before admitting they did it.)

What to do?

This is the second insider threat we’ve written about this month, so we’ll repeat the advice we gave before:

  • Divide and conquer. Try to avoid situations where individual sysadmins have unfettered access to everything. This makes it harder for rogue employees to concoct and execute “insider” cybercrimes without co-opting other people into their plans, and thus risking early exposure.
  • Keep immutable logs. In this case, Liles was apparently unable to remove the evidence showing that someone had tampered with other people’s email, which led to his arrest. Make it as hard as you can for anyone, whether insider or outsider, to tamper with your official cyberhistory.
  • Always measure, never assume. Get independent, objective confirmation of security claims. The vast majority of sysadmins are honest, unlike Ashley Liles, but few of them are 100% right all the time.

    ALWAYS MEASURE, NEVER ASSUME

    Short of time or expertise to take care of cybersecurity threat response?
    Worried that cybersecurity will end up distracting you from all the other things you need to do?

    Take a look at Sophos Managed Detection and Response:
    24/7 threat hunting, detection, and response  ▶


    LEARN MORE ABOUT RESPONDING TO ATTACKS

    Once more unto the breach, dear friends, once more!

    Peter Mackenzie, Director of Incident Response at Sophos, talks about real-life cybercrime fighting in a session that will alarm, amuse and educate you, all in equal measure. (Full transcript available.)

    Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.


go top