
THREAT INTEL: Mac and Windows users infected by software updates delivered over hacked ISP

Image credit: DC Studio/Freepik

Gibraltar: Tuesday 06 August 2024 at 12:50 CET


By Andy Jenkinson – Guest Contributor |  Group CEO Cybersec Innovation Partners
via CYBERInsights

DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.

Hackers, or more appropriately cybercriminals, delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecured connections.

The attack, researchers from security firm Volexity said, "worked by hacking routers or similar types of device infrastructure of an unnamed ISP."

The attackers then used their control of the devices to poison domain name system responses for the legitimate hostnames that serve updates for at least six different apps written for Windows or macOS. The apps affected were 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms used neither TLS to authenticate the connection nor cryptographic signatures to authenticate the downloaded software, the threat actors were able to use their control of the ISP infrastructure to perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users sent their lookups over unencrypted DNS to public resolvers such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than to the resolver provided by the ISP.


In other words, DNS responses returned by any resolver were rewritten once they passed through the hacked ISP's infrastructure, so switching resolvers did nothing. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS, which carry lookups inside an encrypted, authenticated session that on-path equipment cannot modify, or to avoid all use of apps that deliver unsigned updates over unencrypted connections. The first measure defeats the specific technique Volexity observed; only the second removes the underlying weakness, because an attacker sitting on the ISP's routers could equally have tampered with the plaintext HTTP download itself rather than with the DNS answer that led to it.
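The two halves of the failure above (a DNS answer rewritten on the path, and an updater that installs whatever arrives) can be shown side by side in code. The following is an added example written for this page; it is not code from Volexity, from any of the affected vendors, or from the article's author. The hostname updates.vendor.example, the RFC 5737 documentation-range IPs, the update payloads and the Ed25519 key pairs are all constructed for the example, and the DNS and HTTP "network" is a map so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeNet stands in for DNS and plain-HTTP fetches so the example runs offline.
// Hostnames, IPs and payloads are constructed for this example, not taken from
// the Volexity report.
type fakeNet struct {
	dns   map[string]string            // hostname -> A record as the client receives it
	hosts map[string]map[string][]byte // IP -> path -> body served over plain HTTP
}

// poisonDNS models the rewrite done by the compromised ISP routers: the answer
// for the vendor hostname is altered in transit, regardless of which resolver
// (ISP, 8.8.8.8, 1.1.1.1) the client sent its plaintext query to.
func (n *fakeNet) poisonDNS(host, attackerIP string) { n.dns[host] = attackerIP }

// fetch resolves host and retrieves path from whatever IP the (possibly
// poisoned) A record names. Over plain HTTP nothing ties the IP back to the
// hostname, which is what certificate validation would do over HTTPS.
func (n *fakeNet) fetch(host, path string) ([]byte, error) {
	ip, ok := n.dns[host]
	if !ok {
		return nil, fmt.Errorf("NXDOMAIN %s", host)
	}
	body, ok := n.hosts[ip][path]
	if !ok {
		return nil, fmt.Errorf("404 %s%s", ip, path)
	}
	return body, nil
}

// insecureUpdate is the pattern the article describes: plain HTTP and no
// signature, so whatever bytes arrive are treated as the update.
func insecureUpdate(n *fakeNet, host string) ([]byte, error) {
	return n.fetch(host, "/update.bin")
}

// secureUpdate refuses any payload whose detached Ed25519 signature does not
// verify under a vendor public key pinned in the client. The attacker can
// redirect the download but cannot sign under the vendor's key.
func secureUpdate(n *fakeNet, host string, pinned ed25519.PublicKey) ([]byte, error) {
	body, err := n.fetch(host, "/update.bin")
	if err != nil {
		return nil, err
	}
	sig, err := n.fetch(host, "/update.bin.sig")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, body, sig) {
		return nil, errors.New("update signature does not verify under the pinned vendor key; refusing to install")
	}
	return body, nil
}

// Outcome records what each updater ended up with after the DNS poisoning.
type Outcome struct {
	InsecureInstalled []byte // what the unsigned updater would have run
	SecureInstalled   []byte // nil when the signed updater refused
	SecureErr         error
}

// Scenario builds a vendor host serving a signed update and an attacker host
// serving a malicious update signed with the attacker's own key, poisons DNS
// for the vendor hostname, and runs both updaters. (Constructed scenario.)
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("genuine-update-v2.1")
	malicious := []byte("trojanised-update")

	n := &fakeNet{
		dns: map[string]string{"updates.vendor.example": "203.0.113.10"},
		hosts: map[string]map[string][]byte{
			"203.0.113.10": { // vendor host, reached only with an honest DNS answer
				"/update.bin":     genuine,
				"/update.bin.sig": ed25519.Sign(vendorPriv, genuine),
			},
			"198.51.100.7": { // attacker host, reached after the on-path rewrite
				"/update.bin":     malicious,
				"/update.bin.sig": ed25519.Sign(attackerPriv, malicious),
			},
		},
	}
	n.poisonDNS("updates.vendor.example", "198.51.100.7")

	var out Outcome
	out.InsecureInstalled, _ = insecureUpdate(n, "updates.vendor.example")
	out.SecureInstalled, out.SecureErr = secureUpdate(n, "updates.vendor.example", vendorPub)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsigned updater installed: %q\n", out.InsecureInstalled)
	fmt.Printf("signed updater installed: %q, error: %v\n", out.SecureInstalled, out.SecureErr)
}
```

Run with `go run .`: the unsigned updater installs the attacker's payload, while the signed updater rejects it because the signature was made under the wrong key. Serving the update over HTTPS with ordinary certificate validation would close the same hole from the transport side, since the host the poisoned record points to cannot present a valid certificate for the vendor's name; the pinned-key signature check is the stronger control because it also holds if the vendor's download server or a mirror is itself compromised.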


About Andy Jenkinson

Group CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. Recognised Expert in Internet Asset & DNS Vulnerabilities.

Andy Jenkinson is a senior and seasoned innovative Executive with over 30 years’ experience as a hands-on lateral thinking CEO, coach, and leader.