
Targeted Mac Users: Hackers Compromised ISP

A recently disclosed attack targeted Mac and Windows users by compromising their ISP and tampering with software updates. By exploiting weaknesses in the ISP's infrastructure, the attackers were able to deliver malware through the update mechanisms of several well-known applications.

Recent Hack Targeted Mac Users Via ISP Exploit

According to researchers at the security company Volexity (via Ars Technica), the attackers took control of routers and other core network equipment at an unidentified ISP. With this access they altered the Domain Name System (DNS) responses for domains that served genuine software updates, so that update requests were sent to malicious servers under the attackers' control. At least six programs were affected, including Corel and Sogou software, 5KPlayer, Rainmeter, Quick Heal, and Partition Wizard.

These Update Servers Are Not What You Are Searching For

Because the affected update mechanisms used neither TLS nor cryptographic signatures to authenticate the connection or the downloaded software, the threat actors could use their control over the ISP infrastructure to mount machine-in-the-middle (MitM) attacks, sending users to hostile servers instead of those run by the software makers.

Even when customers used public (open) DNS resolvers such as 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare), the attackers could still observe and reroute update requests: the plaintext DNS queries still passed through the compromised ISP equipment, and the updates themselves were neither digitally signed nor encrypted. This weakness let them carry out a “machine-in-the-middle” attack, sending users to malicious servers rather than authentic ones.

One affected program was 5KPlayer, which checks for updates over an unencrypted HTTP connection. Through DNS poisoning, the attackers served a malicious configuration file, which in turn downloaded and installed malware disguised as a harmless image file. This malware, known as POCOSTICK on Windows and MACMA on macOS, gives the attackers intrusive capabilities including screen recording and keylogging.
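As an added illustration (not code from the article, Volexity, or any of the affected vendors), the Go sketch below shows the two controls whose absence made the attack possible: the update manifest must carry a signature that verifies against a vendor key pinned in the client, and the download URL must use TLS. The manifest format, the example.com hostname and the keys are assumptions constructed for the demo; a manifest swapped in by a DNS-redirected server fails the signature check because whoever controls the ISP's routers does not hold the vendor's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/url"
)

// Manifest is a hypothetical update descriptor; the real 5KPlayer configuration format is not documented here.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer the manifest points at
}

// VerifyManifest accepts a manifest only if it is signed by the vendor key pinned in the client
// and names an https:// download URL, so a substituted manifest is rejected before it is parsed.
func VerifyManifest(pinned ed25519.PublicKey, manifest, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return nil, errors.New("manifest signature does not verify against pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return nil, errors.New("refusing download URL that is not https://")
	}
	return &m, nil
}

// VerifyPayload rejects a download whose digest differs from the one in the verified manifest,
// e.g. a dropper disguised as a harmless image.
func VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest")
	}
	return nil
}

// SignManifest is the vendor's build-server step, included so the example runs stand-alone.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte) {
	manifest, _ = json.Marshal(m)
	return manifest, ed25519.Sign(priv, manifest)
}
```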

MACMA

MACMA was first publicly documented in a 2021 post by Google's Threat Analysis Group, a unit that tracks malware and nation-state-sponsored cyberattacks. The backdoor, developed for macOS and iOS devices, offered a full range of features, including screen recording, device fingerprinting, file upload and download, terminal command execution, audio recording, and keylogging.

POCOSTICK

POCOSTICK, on the other hand, has been in operation since around 2014. According to information released last year by the security company ESET, which tracks the malware under the name MGBot, it has been used exclusively by a Chinese-speaking threat group known as Evasive Panda.

The findings indicate that the ISP's network infrastructure itself was compromised in these attacks, not just its DNS servers. To protect themselves from such risks, users should steer clear of apps that do not use secure update mechanisms and consider using DNS over HTTPS or DNS over TLS. Although helpful, these protections are not yet universally available.

The incident underscores how important robust DNS configurations and secure software update procedures are for defending against sophisticated cyberattacks.

Therefore, the main ways for targeted Mac users to stop these kinds of attacks are (1) avoiding insecure software updates and (2) using DNS over HTTPS or DNS over TLS. The first approach is probably the best, although in some cases it may mean giving up a favorite program. The DNS options also work, but only a few DNS providers currently support them; the best known are 8.8.8.8 and 1.1.1.1.
