news-06082024-101108

Hackers have recently been targeting Mac and Windows users by compromising their Internet service provider (ISP) and tampering with software updates that are delivered over insecure connections. Researchers at security firm Volexity found that the attackers broke into routers or similar devices at an unnamed ISP and used that access to poison DNS responses for the legitimate hostnames that serve updates for apps including 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, Corel, and Sogou.

The attack worked because these update mechanisms used neither Transport Layer Security (TLS) to authenticate the connection nor cryptographic signatures to authenticate the downloaded software. That gap let the threat actors perform machine-in-the-middle (MitM) attacks, redirecting update requests to hostile servers instead of the legitimate ones run by the software makers. Even users who had configured unencrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 were affected, because the malicious redirection took place within the compromised ISP's infrastructure.

Volexity published a diagram of the attack chain: DNS poisoning was used to deliver a malicious version of the Youtube.config file, disguised as a PNG image but in reality an executable that installed malware, MACMA on macOS and POCOSTICK on Windows. MACMA, first documented in 2021 by Google's Threat Analysis Group, is a backdoor with a range of capabilities on macOS and iOS devices; POCOSTICK has been in use since 2014 and has been linked to a Chinese-speaking threat group.
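The two controls whose absence made the attack possible, an authenticated download and a sanity check that a file served as a "PNG" is really an image rather than an executable, can be built into an updater as shown in this added Go example. It is not code from Volexity or from any of the affected vendors; the Ed25519 key pair, the PNG payload and the attacker's PE stand-in are all constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signature bytes of formats an image updater should never accept or run.
var executableMagics = map[string][]byte{
	"Windows PE":       []byte("MZ"),
	"ELF":              []byte("\x7fELF"),
	"Mach-O 64-bit":    {0xcf, 0xfa, 0xed, 0xfe},
	"Mach-O universal": {0xca, 0xfe, 0xba, 0xbe},
}

var pngMagic = []byte("\x89PNG\r\n\x1a\n")

// VerifyUpdate accepts a downloaded update only if it carries a valid Ed25519
// signature from the pinned vendor key and actually looks like a PNG.
func VerifyUpdate(pinned ed25519.PublicKey, payload, sig []byte) error {
	if !ed25519.Verify(pinned, payload, sig) {
		return errors.New("signature invalid: not produced by the pinned vendor key")
	}
	for name, magic := range executableMagics {
		if bytes.HasPrefix(payload, magic) {
			return fmt.Errorf("payload is a %s executable, not the expected PNG", name)
		}
	}
	if !bytes.HasPrefix(payload, pngMagic) {
		return errors.New("payload does not start with the PNG signature")
	}
	return nil
}

// Demo signs a constructed genuine update, then shows what happens when an
// on-path attacker swaps in an executable while the old signature is reused.
func Demo() (genuineErr, swappedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := append(append([]byte{}, pngMagic...), "constructed image data"...)
	sig := ed25519.Sign(priv, genuine)
	swapped := append([]byte("MZ"), "constructed PE body"...) // attacker's stand-in
	return VerifyUpdate(pub, genuine, sig), VerifyUpdate(pub, swapped, sig)
}

func main() {
	g, s := Demo()
	fmt.Println("genuine:", g, "| swapped:", s)
}
```

The pinned public key must ship inside the client itself; fetching it over the same unauthenticated channel as the update would reintroduce the weakness.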

One notable technique was DNS poisoning of www.msftconnecttest.com, the domain Windows uses to check whether a device has an active internet connection. By replacing the legitimate DNS answer with an IP address pointing to a malicious site, the hackers were able to intercept HTTP requests intended for any host. The attackers also forced macOS devices to install a browser plugin called RELOADEXT, which copied browser cookies and sent them to a Google Drive account under the hackers' control.

Steven Adair, CEO of Volexity, declined to name the hacked ISP but warned that similar attacks may be under way elsewhere in the world. He stressed preventive measures such as avoiding software that updates insecurely, or using DNS over HTTPS or DNS over TLS. These options do provide protection, but they may require users to give up certain apps or to rely on specific DNS providers such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1. Users should remain vigilant and cautious when updating software to reduce the risk of falling victim to such attacks.