BEWARE OF UNSAFE UPDATES — Mac and Windows users infected by software updates delivered over hacked ISP DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.
Dan Goodin – Aug 5, 2024 11:43 pm UTC EnlargeMarco Verch Professional Photographer and Speaker reader comments 57
Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said.
The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou. These arent the update servers youre looking for
Because the update mechanisms didnt use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Googles 8.8.8.8 or Cloudflares 1.1.1.1 rather than the authoritative DNS server provided by the ISP.
That is the fun/scary partthis was not the hack of the ISPs DNS servers, Volexity CEO Steven Adair wrote in an online interview. This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Googles DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attackers servers.
In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results havent been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections.
Volexity provided the following diagram illustrating the flow of the attack: EnlargeVolexity
As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
MACMA first came to light in 2021 post published by Googles Threat Analysis Group, a team that tracks malware and cyberattacks backed by nation-states. The backdoor was written for macOS and iOS devices and provided a full suite of capabilities including device fingerprinting, screen capture, file downloading and uploading, execution of terminal commands, audio recording, and keylogging.
POCOSTICK, meanwhile, has been in use since at least 2014. Last year, security firm ESET said the malware, which it tracked under the name MGBot, was used exclusively by a Chinese-speaking threat group tracked as Evasive Panda.
ESET researchers determined that the malware was installed through legitimate updates of benign software, but they werent sure how that happened. One possibility, the researchers said at the time, was through a supply-chain attack that replaced the legitimate updates with malicious ones at the very source. The other possible scenario was through a MitM attack on the servers delivering the updates. Volexitys findings now confirm that the latter explanation is the correct one.
In at least one case in the most recent attacks, StormBamboo forced a macOS device to install a browser plugin Volexity tracks under the name RELOADEXT. The extension masquerades as one that loads webpages to be compatible with Internet Explorer. In fact, Volexity said, it copies browser cookies and sends them to a Google Drive account controlled by the attackers. The data was base64 encoded and encrypted using the Advanced Encryption Standard. Despite the care taken by the hackers, they nonetheless exposed the client_id, client_secret, and refresh_token in the malicious extension.
One other technique Volexity observed was StormBamboos use of DNS poisoning to hijack www.msftconnecttest.com , a domain Microsoft uses to determine if Windows devices are actively connected to the Internet. By replacing the legitimate DNS resolution with an IP address pointing to a malicious site operated by the threat actors, they could intercept HTTP requests destined for any host.
Adair declined to identify the hacked ISP other than to say its not a big huge one or one youd likely know.
In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from, he said. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall.
As noted earlier, there are many options for preventing these sorts of attacks beyond (1) eschewing all software that updates unsecurely or (2) using DNS over HTTPS or DNS over TLS. The first method is likely the best, although it likely means having to stop using a preferred app in at least some cases. The alternative DNS configurations are viable, but at the moment are offered by only a handful of DNS providers, with 8.8.8.8 and 1.1.1.1 being the best known. reader comments 57 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars