{"id":12341,"date":"2024-08-06T13:00:44","date_gmt":"2024-08-06T11:00:44","guid":{"rendered":"https:\/\/cyberinsights.iainfraser.net\/?p=12341"},"modified":"2025-02-13T13:37:08","modified_gmt":"2025-02-13T12:37:08","slug":"infected-software-updates","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2024\/08\/06\/infected-software-updates\/","title":{"rendered":"THREAT INTEL: Mac and Windows users infected by software updates delivered over hacked ISP"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t<\/a>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\"Hacker_Using_Supercomputer\"\t\t\t\t\t\t\t\t\t\t\t
Image Credit:DC Studio\/Freepik<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t<\/a>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Helping keep European SMEs CYBERSafe!
\n<\/strong>Gibraltar: Tuesday 06 August 2024 at 12:50 CET<\/p>\n

THREAT INTEL: Mac and Windows users infected by software updates delivered over hacked ISP<\/strong><\/p>\n

By Andy Jenkinson \u2013 Guest Contributor |\u00a0 Group CEO\u00a0Cybersec Innovation Partners<\/a>
\nvia CYBERInsights<\/a>
\nFirst for\u00a0SME Cybersecurity News<\/a><\/p>\n

#CyberInsights #SMECybersecurityNews #Cybersecurity #WhitethornShield #InternetSecurity #DNS #PKI<\/em><\/p>\n

DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.<\/strong><\/p>\n

Hackers or a more appropriately Cybercriminals<\/strong> delivered malware to Windows<\/strong> and Mac<\/strong> users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections.<\/p>\n

The attack, researchers from security firm Volexity<\/strong> said,<\/p>\n

“Worked by hacking routers or similar types of device infrastructure of an unnamed ISP<\/strong>.”<\/em><\/p>\n

The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows<\/strong> or macOS<\/strong>. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.<\/p>\n

Because the update mechanisms didn\u2019t use TLS<\/strong> or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP<\/strong> infrastructure to successfully perform machine-in-the-middle (MitM<\/strong>) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS<\/strong> services such as Google\u2019s<\/strong> 8.8.8.8 or Cloudflare\u2019s<\/strong> 1.1.1.1 rather than the authoritative DNS<\/strong> server provided by the ISP<\/strong>.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"DNS-Server\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t
\n
\n

In other words, the DNS<\/strong> responses returned by any DNS<\/strong> server would be changed once it reached the infrastructure of the hacked ISP<\/strong>. The only way an end user could have thwarted the attack was to use DNS<\/strong> over HTTPS<\/strong> or DNS<\/strong> over TLS<\/strong> to ensure lookup results haven\u2019t been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections.<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tLearn More \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Cybersec\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

About Andy Jenkinson<\/span><\/strong><\/p>\n

Group CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. Recognised Expert in Internet Asset & DNS Vulnerabilities.<\/span><\/strong><\/p>\n

Andy Jenkinson is a senior and seasoned innovative Executive with over 30 years\u2019 experience as a hands-on lateral thinking CEO, coach, and leader.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tLearn More \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Image Credit:DC Studio\/Freepik Learn More \/… Learn More \/…<\/p>\n","protected":false},"author":1,"featured_media":12344,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"yes","footnotes":""},"categories":[440,594],"tags":[517,439],"ppma_author":[415],"class_list":["post-12341","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberthreat-intel","category-reportage","tag-cyberawareness","tag-cyberthreat-intel"],"featured_image_urls":{"full":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589.jpg",1000,563,false],"thumbnail":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589-150x150.jpg",150,150,true],"medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589-300x169.jpg",300,169,true],"medium_large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589-768x432.jpg",640,360,true],"large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589.jpg",640,360,false],"1536x1536":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589.jpg",1000,563,false],"2048x2048":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589.jpg",1000,563,false],"covernews-featured":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589.jpg",1000,563,false],"covernews-medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/08\/20589-540x340.jpg",540,340,true]},"author_info":{"display_name":"Cybersecurity Journalist Iain Fraser","author_link":false},"category_info":"SME CYBER\/THREAT INTEL<\/a> REPORTAGE<\/a>","tag_info":"REPORTAGE","comment_count":"0","authors":[{"term_id":415,"user_id":0,"is_guest":1,"slug":"cybersecurity-journalist-iain-fraser","display_name":"Cybersecurity Journalist - Iain Fraser","avatar_url":{"url":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png","url2x":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png"},"0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/12341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=12341"}],"version-history":[{"count":9,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/12341\/revisions"}],"predecessor-version":[{"id":12351,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/12341\/revisions\/12351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media\/12344"}],"wp:attachment":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=12341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=12341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=12341"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/ppma_author?post=12341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}