It’s taken more than five years for justice to be served in this case, but the cops and the courts got there in the end.
The UK law enforcement office SEROCU, short for South East Regional Organised Crime Unit, this week reported the peculiar tale of one Ashley Liles, the literal Man in the Middle whom we referred to in the headline.
These days, we usually expand the jargon term MitM to mean Manipulator in the Middle, not merely to avoid the gendered term “man”, but also because many, if not most, MitM attacks these days are performed by machines.
Some techies have even adopted the name Machine in the Middle, but we prefer “manipulator” because we think it usefully decribes how this sort of attack works, and because (as this story shows) sometimes it really is man, and not a machine, in the middle.
A MitM attack depends on someone or something that can intercept messages sent to you, and modify them on the way through in order to deceive you.
The attacker typically also modifies your replies to the original sender, so that they don’t spot the deception, and get sucked into the trickery along with you.
As you can imagine, cryptography is one way to avoid MitM attacks, the idea being that if the data is encrypted before it’s sent, then whoever or whatever is in the middle can’t make sense of it at all.
The attacker would not only need to decrypt the messages from each end to figure out what they meant, but also to re-encrypt the modified messages correctly before passing them on, in order to avoid detection and maintain the treachery.
One classic, and fatal, MitM tale dates back to the late 1580s, when spymasters of England’s Queen Elizabeth I were able to intercept and manipulate secret correspondence from Mary, Queen of Scots.
Mary, who was Elizabeth’s cousin and political arch-rival, was at the time under strict house arrest; her secret messages were apparently smuggled in and out in beer barrels delivered to the castle where she was detained.
Fatally for Mary, Queen Bess’s spymasters were not only able to intercept and read Mary’s messages, but also to send falsified replies that lured Mary into putting sufficient details in writing to cook her own goose, as it were, revealing that she was aware of, and actively supported, a plot to have Elizabeth assassinated.
Mary was sentenced to death, and executed in 1587.
Fast forward to 2018
This time, fortunately, there were no assassination plans, and England abolished the death penalty in 1998.
But this 21st-century message interception crime was as audacious and as devious as it was simple.
A business in Oxford, England, just north of Sophos (we’re 15km downriver in Abingdon-on-Thames, in case you were wondering) was hit by ransomware in 2018.
By 2018, we had already entered the contemporary ransomware era, where criminals breaking into and blackmail entire companies at a time, asking for huge sums of money, instead of going after tens of thousands of individual computer owners for $300 each.
That’s when the now-convicted perpetrator went from being a Sysadmin-in-the-Affected-Business to a Man-in-the-Middle cybercriminal.
While working with both the company and the police to deal with the attack, the perpetrator, Ashely Liles, 28, turned on his colleagues by:
- Modifying email messages from the original crooks to his bosses, and editing the Bitcoin addreses listed for the blackmail payment. Liles was thereby hoping to intercept any payments that might be made.
- Spoofing messages from the original crooks to increase the pressure to pay up. We’re guessing that Liles used his insider knowledge to create worst-case scenarios that would be more believable than any threats that original attackers could have come up with.
It’s not clear from the police report exactly how Liles intended to cash out.
Perhaps he intended simply to run off with all the money and then act as though the encryption crook had cut-and-run and absconded with the cryptocoins themselves?
Perhaps he added his own markup to the fee and tried to negotiate the attackers’ demand down, in the hope of clearing a massive payday for himself while nevertheless acquiring the decryption key, becoming a hero in the “recovery” process, and thereby deflecting suspicion?
The flaw in the plan
As it happened, Liles’s dastardly plan was ruined by two things: the company didn’t pay up, so there were no Bitcoins for him to intercept, and his unauthorised fiddling in the company email system showed up in the system logs.
Police arrested Liles and searched his computer equipment for evidence, only to find that he’d wiped his computers, his phone and a bunch of USB drives a few days earlier.
Nevertheless, the cops recovered data from Liles’s not-as-blank-as-he-thought devices, linking him directly to what you can think of as a double extortion: trying to scam his employer, while at the same time scamming the scammers who were already scamming his employer.
Intriguingly, this case dragged on for five years, with Liles maintaining his innocence until suddenly deciding to plead guilty in a court hearing on 2023-05-17.
(Pleading guilty earns a reduced sentence, though under current regulations, the amount of “discount”, as it is rather strangely but officially known in England, decreases the longer the accused holds out before admitting they did it.)
What to do?
This is the second insider threat we’ve written about this month, so we’ll repeat the advice we gave before:
- Divide and conquer. Try to avoid situations where individual sysadmins have unfettered access to everything. This makes it harder for rogue employees to concoct and execute “insider” cybercrimes without co-opting other people into their plans, and thus risking early exposure.
- Keep immutable logs. In this case, Liles was apparently unable to remove the evidence showing that someone had tampered with other people’s email, which led to his arrest. Make it as hard as you can for anyone, whether insider or outsider, to tamper with your official cyberhistory.
- Always measure, never assume. Get independent, objective confirmation of security claims. The vast majority of sysadmins are honest, unlike Ashley Liles, but few of them are 100% right all the time.
ALWAYS MEASURE, NEVER ASSUME
Short of time or expertise to take care of cybersecurity threat response?
Worried that cybersecurity will end up distracting you from all the other things you need to do?
Take a look at Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response ▶
LEARN MORE ABOUT RESPONDING TO ATTACKS
Once more unto the breach, dear friends, once more!
Peter Mackenzie, Director of Incident Response at Sophos, talks about real-life cybercrime fighting in a session that will alarm, amuse and educate you, all in equal measure. (Full transcript available.)
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
8 comments on “Ransomware tales: The MitM attack that really had a Man in the Middle”
Gendered language never hurt anyone. I am very glad to see “Man in the Middle” in a headline again!
Well, it *was* a man in the middle in this case.
In the technical world, there are many terms that at least some people find offensive or unappealing for some reason (e.g. due to gender or race or social class or a lingering sense of moral ugliness) for which there is an alternative that is not only culturally unexceptionable *but also self-descriptive, easier to understand and more useful*.
(Two ultraobvious examples are the words allowlist and blocklist, which are better as cybersecurity nouns than their precursors “whitelist” and “blacklist” in every conceivable way, not least because they actually mean exactly what they say.)
I prefer manipulator-in-the-middle because it fits the abbreviation MitM fine, while actually helping you remember what it means. The term “man in the middle” is confusing, notably to second-language English speakers, because it clashes with the metaphor of “being stuck in the middle” of something, which implies a situation very different indeed from being a sneaky little eavesdropper!
So when anyone complains that technical jargon term X isn’t woke enough or isn’t thoughtful or makes some people feel uneasy or insulted…
…I generally take it as a reason to find an alternative term that is just better all round. (Jargon is often annoying enough anyway, even when no one feels triggered by it.)
English isn’t short of words, and we don’t have a Language Komissariat or an Academie Anglaise to stop us making up new ones :-)
Some people have figured out that they can take advantage of others by claiming things are offensive or unappealing when they’re not. Our good nature makes us want to accommodate them, but we should resist it, because it’s really just them trying to get us used to being controlled.
Not an excuse for discriminating, fascist or racist language. Also not sure where the *advantage* comes in. Personally, I prefer “awake” or “enlightened” to “woke”.
Language can be used to perpetuate embedded discrimination; calling out such abuse is a public service.
And it often leads to a clearer, better word anyway. For example, in cricket the bowler was always just the bowler but the batter was, for some reason, the batsman. Which was truly confusing if it was a women’s game, and the gendered way to fix the confusion would be the heck-of-a-word batswoman (yet there would be no matching word bowlswoman).
Thus the word batter was adopted and cricketing vocabulary was improved in several ways, notably for beginners to the game, given that the words bowler and batter form a mellifluous pair of well-matched nouns that neatly contrast the two roles.
I really don’t think that I am “being controlled” simply because I am sometimes willing to change my vocabulary, especially when I prefer the “new” word on offer, which is usually one we’ve had for ages anyway.
(Baseball, FWIW, has always used the noun “batters” to describe those who are batting, to align with “pitcher” for the person who is hurling the ball at said batters.)
Hurt! Hurt! Just joking.
But seriously, automatically referring to e.g. leaders or other professions by gender, where there is a large gender discrepancy may lead to children assuming these professions are reserved for that gender.
Languages such as German are particularly insidious with gendered professions (Bundesrat, Bundesratin – male federal minister , female federal minister).
“Try to avoid situations where individual sysadmins have unfettered access to everything.”
This is really true. Unfortunately, in most smaller companies, all they have is 1 system administrator. Sometimes, there is also an assistant who checks on PC & Laptop issues.
True. Or a small biz could outsource their IT and have to accept the controls that the outsourcer has in place.