Mac and Windows users have had their PCs infected through software updates delivered via a compromised ISP

By: Vlad Cherevko | 07.08.2024, 14:12

Researchers at Volexity have discovered that hackers used a breach of a single internet service provider to spread malware to Windows and Mac users.

Here's What We Know

The attack involved compromising routers or similar devices in the ISP's infrastructure. With control of those devices, the attackers manipulated DNS responses for legitimate hostnames and used that position to deliver malicious updates to at least six different Windows and macOS applications, including 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, Corel and Sogou.

Because the update mechanisms used neither TLS nor cryptographic signatures, the attackers were able to redirect update requests to their own servers, even for users who had configured public DNS resolvers such as Google or Cloudflare.
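To show what a signed update mechanism of the kind these applications lacked looks like, here is an added Go example (not code from Volexity, Ars Technica or any of the affected vendors). It assumes a publisher signs a small manifest (file name plus SHA-256 of the payload) with an Ed25519 key whose public half is pinned inside the client; the manifest field names and the sample payloads are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed metadata an updater fetches alongside a payload
// (e.g. the Youtube.config file 5KPlayer pulled). Field names are assumptions.
type Manifest struct {
	Name   string
	SHA256 string // hex digest of the expected payload
}

func (m Manifest) bytes() []byte { return []byte(m.Name + "\n" + m.SHA256 + "\n") }

// VerifyUpdate accepts a payload only if the manifest signature checks out under
// the pinned publisher key AND the payload hash matches the manifest. A DNS
// spoofer who swaps the payload, or the manifest, fails one of the two checks.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: not from the pinned publisher key")
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries a malformed digest")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("payload digest mismatch: update was altered in transit")
	}
	return nil
}

// SignManifest is the publisher-side step (run offline; the private key never ships with the app).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	genuine := []byte("constructed genuine update body")
	sum := sha256.Sum256(genuine)
	m := Manifest{Name: "Youtube.config", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, genuine))                              // nil
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, []byte("constructed attacker payload"))) // digest mismatch
}
```

Because the public key is compiled into the client rather than fetched, the check holds even when every DNS answer and every HTTP response on the path is attacker-controlled; TLS on top of this still matters to keep an attacker from serving stale but validly signed versions.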

A diagram illustrating the course of the attack by StormBamboo attackers

The hackers known as StormBamboo used DNS spoofing to deliver malicious files, which then downloaded additional malicious components. For example, the 5KPlayer app downloaded a fake Youtube.config file that contained MACMA malware for macOS or POCOSTICK malware for Windows. These programmes gave hackers full access to the devices, including screen, audio and keyboard recording.

Volexity also found that the hackers used DNS spoofing to hijack the Microsoft domain used to verify internet connectivity. This allowed them to intercept HTTP requests and route them to their servers. Researchers warn that such attacks could continue and recommend using DNS over HTTPS (DoH) or DNS over TLS (DoT) to protect yourself.

The researchers did not name the ISP, saying only that "it's not a huge ISP, or one you probably know about."

Source: ArsTechnica