Mac and Windows users targeted: Hackers compromise ISP to deliver malware

Mac and Windows users targeted: Hackers compromise ISP to deliver malware
HIGHLIGHTS

A new cyberattack has targeted both Mac and Windows users.

Attackers gained control of routers and other critical network devices at an unnamed ISP.

They used this access to alter Domain Name System (DNS) responses for legitimate software update sites.

A new cyberattack has targeted both Mac and Windows users by compromising their Internet Service Provider (ISP) and tampering with software updates. Hackers managed to exploit vulnerabilities in ISP infrastructure to distribute malware, affecting a range of popular applications.

Researchers from the security firm Volexity (via Ars Technica) have revealed that the attackers gained control of routers and other critical network devices at an unnamed ISP. They used this access to alter Domain Name System (DNS) responses for legitimate software update sites. This breach impacted at least six applications, including 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and software from Corel and Sogou. The updates were redirected to malicious servers controlled by the attackers.

Also read: Apple 1, Microsoft 0: Why Mac devices weren’t affected during CrowdStrike-Windows outage

As the software updates were neither encrypted nor digitally signed, hackers could intercept and redirect update requests, even when users employed public DNS services like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. This vulnerability enabled them to execute a “machine-in-the-middle” attack, leading users to malicious sites instead of the legitimate ones.

For example, the 5KPlayer app, which checks for updates over an unencrypted HTTP connection, was exploited. The attackers used DNS poisoning to deliver a malicious configuration file, which then downloaded and installed malware disguised as a harmless image. This malware, known as MACMA for macOS and POCOSTICK for Windows, grants hackers invasive capabilities such as screen capture and keylogging.

Also read: Data of 375 million Airtel India users allegedly put on sale on Dark Web, telco denies report

The findings confirm that these attacks involved compromising the ISP’s network infrastructure rather than just its DNS servers. To safeguard against such threats, users should avoid apps that don’t use secure update mechanisms and consider using DNS over HTTPS or TLS. While these security measures can help, they are not yet widely available.

This incident highlights the critical need for secure software update practices and robust DNS configurations to defend against sophisticated cyber threats.

Update: In a statement, Quick Heal clarified, “At Quick Heal, we would like to clarify the erroneous attribution regarding the ISP poisoning incident. Quick Heal has not been implicated in any malware distribution related to this event. Our software updates employ robust security measures, including proprietary encryption developed in-house and stringent validation checks. We conduct interdependency checks and MD5 validation to ensure that only legitimate updates are applied to our customers’ systems. Even if an attacker were to compromise an ISP channel, our systems would prevent the installation of tampered updates, ensuring user safety.” “Furthermore, we have not received any reports of update-related issues from our support teams, indicating that our systems functioned correctly during this incident. We are committed to maintaining the integrity of our updates and will continue to enhance our security protocols further.”

Also watch:

Ayushi Jain

Ayushi Jain

Tech news writer by day, BGMI player by night. Combining my passion for tech and gaming to bring you the latest in both worlds. View Full Profile

Digit.in
Logo
Digit.in
Logo