.svg)
.svg)
Downgrade Attack is a defense evasion technique that adversaries use to intentionally reduce the security posture of a system by forcing it to use weaker protocols, outdated software versions, or less secure configurations. By doing so, attackers can exploit known vulnerabilities, bypass modern security protections, and execute malicious actions with minimal resistance. This technique is particularly dangerous because it allows adversaries to weaken encryption, disable advanced security features, and evade detection by security tools that rely on up-to-date protections.
In this blog post, we explain the T1562.010 Downgrade Attack technique of the MITRE ATT&CK® framework and explore how adversaries employ Downgrade Attack with real-world attack examples in detail.
|
|
|
What is a Downgrade Attack?
In a downgrade attack, adversaries convince the target system to adopt a weaker security protocol or algorithm than the one they are capable of using. Adversaries typically abuse the system's backward compatibility to force them to use an outdated or vulnerable version.
Adversary Use of Downgrade Attack
Using the Downgrade Attack technique, adversaries circumvent updated security controls and force the system into less secure modes of operation. A prime target for such manipulation includes features like Command and Scripting Interpreters, as well as network protocols, which, when downgraded, open avenues for Man-in-the-Middle (MitM) attacks or Network Sniffing.
In the scenario involving Command and Scripting Interpreters, adversaries choose to operate using less-secure versions of interpreters, such as PowerShell. PowerShell versions 5 and above incorporate advanced security features like Script Block Logging (SBL), which records executed script content. However, savvy adversaries may attempt to execute a previous version of PowerShell that lacks support for SBL. This method not only enables them to evade detection but also allows them to impair defenses while executing malicious scripts that would have otherwise been flagged and prevented by the more advanced security controls.
In the context of network protocols, adversaries often downgrade encrypted connections to unsecured counterparts, exposing network data in clear text. For example, they might target the transition from an encrypted HTTPS connection to an unsecured HTTP connection. In doing so, adversaries compromise the confidentiality and integrity of the data in transit.
This downgrade facilitates Network Sniffing, enabling the malicious actor to intercept and analyze sensitive information flowing through the network. By manipulating the security posture of network protocols, adversaries exploit the system's compatibility with less secure options to undermine the inherent protections offered by encryption. For instance, the CVE-2023-48795 vulnerability allows adversaries to launch a prefix truncation attack against SSH protocol. This attack is called the Terrapin Attack and leads to a security downgrade for SSHv2 connections during extension negotiation, causing a MitM attack [1].
One notable case involves the exploitation of vulnerabilities in the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). Adversaries leverage weaknesses in these protocols to force a downgrade from more secure versions to older, less secure ones, making it easier to launch attacks such as the well-known POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.
In the POODLE attack, adversaries exploit the SSL/TLS downgrade to perform a padding oracle attack, compromising the confidentiality of encrypted data.
Furthermore, the exploitation of less secure versions of network protocols is evident in the manipulation of Wi-Fi protocols. Adversaries downgrade a Wi-Fi connection from the more secure WPA3 (Wi-Fi Protected Access 3) to the less secure WPA2 (Wi-Fi Protected Access 2) or even WEP (Wired Equivalent Privacy). This not only exposes the network to potential unauthorized access but also allows adversaries to exploit known vulnerabilities associated with the downgraded protocol, such as the susceptibility of WEP to key-cracking attacks. For example, the Dragonblood vulnerability found in the WPA3 protocol allows adversaries to run an offline dictionary attack by sending a downgrade-to-WPA2 request during the 4-way-handshake [2].
In August 2024, CISA reported that the Iranian APT group Fox Kitten lowered PowerShell policies to a less secure level to run malicious commands in compromised systems [3].
Ready to Simulate Real-World Threats From Red Report 2025?
References
[1] C. Jones, "SSH shaken, not stirred by Terrapin vulnerability," The Register. Available: https://www.theregister.com/2023/12/20/terrapin_attack_ssh/
[2] "Dragonblood." Available: https://wpa3.mathyvanhoef.com
[3] "Website." Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
