Wednesday, April 2, 2025

Malware spreads as compromised internet service providers push tainted software updates to unwitting Mac and Windows users.


Researchers have warned that hackers compromised an internet service provider (ISP) and used that position to deliver malware to both Windows and macOS users by tampering with software updates that the affected applications fetch over insecure connections.

According to Volexity, its researchers identified a case in which attackers compromised network devices in the infrastructure of an unnamed ISP. The attackers used their control of those devices to poison domain name system (DNS) responses, serving malicious updates for at least six applications for Windows and macOS. The affected software included 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and applications developed by Corel and Sogou.


Because these update mechanisms neither used cryptographic signatures nor authenticated the connection, the threat actors were able to use their control of the ISP infrastructure to mount man-in-the-middle attacks, redirecting targeted users to attacker-controlled servers instead of the servers operated by the affected software developers. The redirections worked even when users had configured unencrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 instead of the ISP's own resolvers: a plaintext DNS query to any resolver still has to traverse the compromised devices, where it can be answered with a forged response.

In a candid online discussion, Volexity CEO Steven Adair noted: “That’s the unsettling aspect – this wasn’t even a breach of ISPs’ DNS servers.” The compromise sat in the ISP infrastructure that carried its customers' traffic. A DNS query for an update domain would be sent toward Google's resolver at 8.8.8.8, but the attackers, positioned on that path, answered it themselves with the IP address of their own servers.

Because everything a customer sends passes through the compromised ISP infrastructure, DNS responses from any resolver can be forged in transit; encrypted DNS would have closed that particular path, but an on-path attacker can just as easily tamper with a plaintext HTTP download directly. The effective safeguard is in the update mechanism itself: verify the integrity of updates cryptographically, with digital signatures checked against a key pinned in the application and with authenticated TLS connections, or avoid applications that distribute unsigned updates over unencrypted channels.
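The contrast between the vulnerable and the hardened updater, as an added example that is not code from 5KPlayer, Volexity, or the original article: the Go program below models an update manifest (the role Youtube.config plays in the attack), shows the insecure client accepting whatever a poisoned resolver steered it to, and then shows a client that pins the vendor's Ed25519 public key, verifies the manifest signature before parsing it, and checks the downloaded installer against the digest the signed manifest committed to. The manifest field names, the example URLs, and the generated key are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small "is there a new version, and where is it?" document an
// updater fetches first; in the attack above that role was played by 5KPlayer's
// Youtube.config. The field names are assumptions made for this example.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer at URL
}

// InsecureAccept is the vulnerable pattern: parse and trust whatever the update
// host returned. Once DNS is poisoned, "the update host" is the attacker.
func InsecureAccept(body []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(body, &m)
	return m, err
}

// NewVendorKey generates the vendor's offline Ed25519 signing key. Only the
// public half is pinned inside the shipped application.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewManifest builds a manifest that commits to the installer's digest.
func NewManifest(version, url string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor-side step: serialize the manifest and sign the
// exact bytes that will be served. Returns those bytes and their signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m) // Manifest has only string fields; Marshal cannot fail
	return body, ed25519.Sign(priv, body)
}

// VerifyManifest is the client-side step: parse only after the signature
// verifies under the pinned key. A forged DNS answer can steer the download to
// another server, but that server cannot produce a valid signature.
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, body, sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyPayload binds the second stage to the signature: the installer must
// match the digest the signed manifest committed to, whoever served it.
func VerifyPayload(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest mismatch: refusing to execute")
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	// Constructed sample data: the vendor's installer and its signed manifest.
	installer := []byte("legitimate installer bytes (constructed)")
	good, sig := SignManifest(priv, NewManifest("6.9", "http://updates.example/app.pkg", installer))

	// What a poisoned resolver steers the client to: same shape, attacker's URL
	// and digest, and no way to sign it without the vendor's private key.
	evil := []byte(`{"version":"6.9","url":"http://attacker.example/Youtube.config","sha256":"00"}`)

	m, _ := InsecureAccept(evil)
	fmt.Println("insecure client will fetch:", m.URL)

	if _, err := VerifyManifest(pub, evil, sig); err != nil {
		fmt.Println("hardened client:", err)
	}
	if m, err := VerifyManifest(pub, good, sig); err == nil {
		fmt.Println("hardened client accepts", m.Version, "- payload ok:", VerifyPayload(m, installer) == nil)
	}
}
```

Signature verification only helps if the public key is pinned in the shipped binary rather than fetched from the same host, and a real client should also refuse a manifest whose version is lower than the installed one, so a poisoned resolver cannot replay an older, legitimately signed manifest that points at a vulnerable build. Serving the manifest over HTTPS with certificate validation closes the same hole at the transport layer; the two measures are complementary rather than alternatives.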

Volexity provided a diagram illustrating the flow of the attack. (Image: Volexity)

The 5KPlayer app uses an insecure HTTP connection rather than encrypted HTTPS to check whether an update is available and, if so, to download a configuration file named “Youtube.config” over the same unauthenticated channel. StormBamboo, the name Volexity uses to track the hacking group, used DNS poisoning to deliver a malicious version of that config file from a rogue server. The malicious config file in turn downloaded a next-stage payload disguised as a PNG image. It was in fact an executable that installed malware tracked as “MACMA” on macOS and “POCOSTICK” on Windows.
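A check an updater, proxy, or analyst can apply to a download like the "PNG" above, as an added example that is not Volexity's tooling or code from any of the affected applications: the Go program below identifies a blob by its leading bytes rather than its name, flags a file whose name claims PNG but whose content is a Windows PE or macOS Mach-O executable, and also catches the polyglot case in which a real PNG carries a payload appended after its terminating IEND chunk. The sample files are constructed for the example; the magic numbers are the documented PNG, PE, ELF, and Mach-O signatures.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// PNGMagic is the fixed 8-byte PNG header; PNGIEND is the 12-byte IEND chunk
// (length 0, type "IEND", CRC) that must terminate a well-formed PNG.
var (
	PNGMagic = []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}
	PNGIEND  = []byte{0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82}
)

// magics lists the on-disk signatures of the executable formats relevant to a
// Windows-plus-macOS attack, alongside PNG.
var magics = []struct {
	name   string
	prefix []byte
}{
	{"png", PNGMagic},
	{"pe", []byte("MZ")},                          // Windows PE (DOS stub header)
	{"elf", []byte{0x7F, 'E', 'L', 'F'}},          // Linux/BSD ELF
	{"macho", []byte{0xCF, 0xFA, 0xED, 0xFE}},     // 64-bit Mach-O, little-endian
	{"macho", []byte{0xCE, 0xFA, 0xED, 0xFE}},     // 32-bit Mach-O, little-endian
	{"macho", []byte{0xFE, 0xED, 0xFA, 0xCF}},     // big-endian byte orders
	{"macho", []byte{0xFE, 0xED, 0xFA, 0xCE}},
	{"macho-fat", []byte{0xCA, 0xFE, 0xBA, 0xBE}}, // universal binary (same magic as Java .class)
}

// SniffType identifies a blob by its leading bytes, ignoring the filename.
func SniffType(b []byte) string {
	for _, m := range magics {
		if bytes.HasPrefix(b, m.prefix) {
			return m.name
		}
	}
	return "unknown"
}

// TrailingAfterIEND returns the number of bytes that follow a PNG's IEND chunk,
// which a polyglot (a real image with an executable appended) will have.
// It returns -1 when b is not a PNG or has no IEND chunk at all. Trailing data
// that itself contains an IEND sequence is under-counted, never missed.
func TrailingAfterIEND(b []byte) int {
	if SniffType(b) != "png" {
		return -1
	}
	i := bytes.LastIndex(b, PNGIEND)
	if i < 0 {
		return -1
	}
	return len(b) - (i + len(PNGIEND))
}

// Verdict compares what a downloaded file's name claims with what its bytes
// say. A client can refuse to touch anything that is not "ok".
func Verdict(name string, b []byte) string {
	kind := SniffType(b)
	if !strings.HasSuffix(strings.ToLower(name), ".png") {
		return "content=" + kind
	}
	switch {
	case kind != "png":
		return "mismatch: name claims PNG, content is " + kind
	case TrailingAfterIEND(b) < 0:
		return "suspicious: PNG header but no IEND chunk"
	case TrailingAfterIEND(b) > 0:
		return fmt.Sprintf("suspicious: %d bytes appended after IEND", TrailingAfterIEND(b))
	}
	return "ok"
}

func main() {
	// Constructed samples: a minimal PNG, the same PNG with a script appended,
	// a Windows PE stub and a Mach-O header, each under the name an attacker
	// would present it with.
	minimalPNG := append(append([]byte{}, PNGMagic...), PNGIEND...)
	samples := map[string][]byte{
		"clean.png":       minimalPNG,
		"polyglot.png":    append(append([]byte{}, minimalPNG...), "#!/bin/sh\nevil"...),
		"payload-win.png": []byte("MZ\x90\x00fake PE stub (constructed)"),
		"payload-mac.png": []byte{0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00, 0x01},
	}
	for name, data := range samples {
		fmt.Printf("%-16s %s\n", name, Verdict(name, data))
	}
}
```

A prefix check alone would pass the polyglot case, which is why the IEND test is included; conversely, a file with a valid PNG header and no IEND is not a renderable image and deserves the same suspicion as an outright mismatch.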

MACMA was first documented in 2021 by Google's Threat Analysis Group. The backdoor, written for macOS and iOS, provides a comprehensive set of features including device fingerprinting, screen capture, file upload and download, execution of terminal commands, audio recording, and keylogging.

POCOSTICK, meanwhile, was documented by ESET in 2023 under the name MgBot, a Windows malware used exclusively by a Chinese-speaking threat actor that ESET tracks as Evasive Panda.

ESET's researchers concluded that the malware was delivered through legitimate software updates but could not determine how that happened. One possibility they raised was a supply-chain compromise, in which malicious updates were substituted for genuine ones at the source. The other was that the attackers intercepted the update process in transit with a man-in-the-middle (MitM) attack. Volexity's research supports the second explanation.

In one case observed by Volexity, the attackers installed a malicious browser extension, which Volexity calls RELOADEXT, on Mac users' machines. The extension purports to provide Internet Explorer compatibility for websites. According to Volexity's findings, it instead copies browser cookies and sends them to a Google Drive account controlled by the attackers. The data is Base64-encoded and then encrypted with the Advanced Encryption Standard (AES). Despite those precautions, the attackers left the Google Drive client ID, client secret, and refresh token inside the extension, where analysts could recover them.

Notably, Volexity also observed StormBamboo poisoning DNS for www.msftconnecttest.com, a Microsoft-controlled domain that Windows queries to determine whether a device is connected to the internet. By returning an attacker-controlled IP address for that domain, the attackers could intercept the plaintext HTTP request Windows makes to it; more generally, the same technique lets them intercept HTTP requests intended for any domain they choose to poison.

Adair declined to identify the compromised ISP, saying only that it's “not a massive organization or one that would be widely recognized.”

He continued: “We’ve managed to contain the incident, but our investigation has revealed that multiple servers are still actively distributing malicious updates, and we’re struggling to identify their geographic location. We assume that there may be various intense attacks worldwide that are beyond our scope.” The compromise could be of the ISP's own infrastructure or a targeted intrusion at the network's perimeter that bypassed the company's firewall.

There are ways to prevent such attacks, including not using software that updates insecurely and using DNS over HTTPS (DoH) or DNS over TLS (DoT). The former is effective but means abandoning an application that may be used regularly. The latter defeats the DNS-poisoning step, but only a few major DNS providers currently offer encrypted DNS, with 8.8.8.8 and 1.1.1.1 among the best known, and it does not protect an update that is itself fetched over plaintext HTTP, since an attacker inside the ISP can still tamper with that traffic directly.
