One of the NSA tools that Edward Snowden brought to light is called QUANTUMINSERT, and it’s particularly noted for its sophistication and stealthiness. It’s a type of man-on-the-side attack, which is similar to man-in-the-middle. QUANTUMINSERT works best on computers that can’t be accessed through regular phishing attacks.
It works by hijacking a browser as it attempts to access a web page and forcing it to visit a malicious web page instead of the one it was originally trying to reach. The attacker, in this case the NSA, can then secretly download malware onto the target’s computer from the fake web page.
Leaked documents published by The Intercept revealed that making this happen requires these security agencies to have servers, codenamed FoxAcid, near the target computer, and to be able to access browser traffic quickly enough to send the malicious web page before the real web page arrives.
To detect these high-speed attacks, an analyst needs to examine the packets sent to a browser in response to its GET request. One packet contains the content of the malicious web page, and another contains the content of the real web page. The tell-tale sign is that these two packets carry the same sequence number, which is a red flag to security researchers.
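As an added illustration, not part of the original article or of Fox-IT’s own tooling, the check below applies that red flag to a constructed list of server-to-browser TCP segments: a sequence number reused within one flow is only reported when the two payloads actually differ, so ordinary retransmissions (identical or re-segmented bytes) are left alone. The addresses and HTTP payloads are made up for the example.

```python
from typing import NamedTuple


class Segment(NamedTuple):
    """Minimal record of one TCP segment from a web server to a browser.
    (Hypothetical shape; a real detector would pull these from a pcap or IDS.)"""
    src: str        # server "ip:port"
    dst: str        # browser "ip:port"
    seq: int        # TCP sequence number
    payload: bytes  # TCP payload bytes


def is_benign_resegmentation(a: bytes, b: bytes) -> bool:
    # A retransmission repeats the same bytes; a re-segmented retransmission
    # carries a shorter or longer slice that still starts with the same bytes.
    return a.startswith(b) or b.startswith(a)


def find_duplicate_seq(segments):
    """Report segments that reuse a sequence number already seen in the same
    flow but carry different content, the QUANTUMINSERT tell-tale."""
    first_seen = {}   # (src, dst, seq) -> payload of the first segment seen
    alerts = []
    for s in segments:
        key = (s.src, s.dst, s.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = s.payload
        elif not is_benign_resegmentation(earlier, s.payload):
            alerts.append({"flow": (s.src, s.dst), "seq": s.seq,
                           "first": earlier, "second": s.payload})
    return alerts


# Constructed sample: in the first flow the injected redirect wins the race and
# arrives first, then the genuine response reuses the same sequence number.
# The second flow is a plain retransmission of identical bytes (no alert).
SAMPLE = [
    Segment("203.0.113.10:80", "192.0.2.5:51000", 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://attacker.invalid/\r\n\r\n"),
    Segment("203.0.113.10:80", "192.0.2.5:51000", 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("203.0.113.20:80", "192.0.2.5:51001", 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.20:80", "192.0.2.5:51001", 5000, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for a in find_duplicate_seq(SAMPLE):
        print(f"duplicate seq {a['seq']} with differing payload in flow {a['flow']}")
```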
As far as anyone knows, QUANTUMINSERT has been used against the computers of suspected terrorists in the Middle East, but, controversially, it was also used in a joint GCHQ/NSA operation against employees of Belgacom and OPEC workers. Trumpeted as “highly successful” in the NSA’s own internal documents, the operation allowed the NSA to plant 300 pieces of malware on these computers in 2010 without being detected.
However, security researchers working with Fox-IT in the Netherlands, who investigated the Belgacom hack, have figured out a way to detect QUANTUMINSERT attacks using conventional tools such as Snort, Bro and Suricata. The researchers planned to discuss their efforts at the RSA Conference in San Francisco, which took place on April 22. They wrote a blog post covering more of the technical details and have since released custom patches for Snort. The researchers have also uploaded their packet captures to GitHub to show how they did it.