A recent investigation by cybersecurity experts at Volexity reveals that cybercriminals successfully compromised software update delivery for users of both Windows and macOS platforms, turning it into a malware delivery channel. This was achieved by infiltrating the infrastructure of an unnamed Internet Service Provider (ISP) to manipulate software updates transmitted over unsecured connections.
The attackers gained entry into routing devices associated with the ISP, enabling them to corrupt the domain name system (DNS) responses for well-known applications seeking updates. This breach impacted legitimate software such as 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, along with products from Corel and Sogou.
Deceptive Update Channels Under Attack
The malicious actors exploited weaknesses stemming from the absence of Transport Layer Security (TLS) or cryptographic signatures in the update mechanisms. By controlling ISP infrastructure, they executed man-in-the-middle (MitM) attacks that redirected update requests from unsuspecting users to malicious servers instead of those maintained by the trusted software developers. Notably, this manipulation succeeded even when users had opted for unencrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 over their ISP’s own DNS resolver, because those plaintext lookups still traversed the compromised ISP equipment.
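The two missing controls named above, TLS on the download channel and a signature over the payload, are exactly what an updater needs so that a spoofed DNS answer gains the attacker nothing. The following Go program is an added illustration, not code from Volexity or from any of the vendors named in the article. It assumes a vendor that embeds an Ed25519 public key in its client and ships a detached signature beside each update; the key seed, hostname and payload bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
)

// demoSeed is a constructed, fixed seed so the example is deterministic.
// A real client embeds only the vendor's public key, never the seed.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// UpdateManifest is what the client holds after fetching an update:
// the URL it used, the bytes it received, and the detached signature.
type UpdateManifest struct {
	URL       string
	Payload   []byte
	Signature []byte
}

// DemoVendorKeys derives the vendor key pair from the constructed seed.
// In practice signing happens in the vendor's build pipeline, offline.
func DemoVendorKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// SignUpdate stands in for the vendor-side step that produces the
// detached signature shipped alongside the installer.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// CheckUpdateURL refuses plaintext channels. The ISP-level DNS tampering
// described in the article only pays off when the client is willing to
// fetch over http://, where there is no server identity to verify.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS update URL %q", raw)
	}
	return nil
}

// VerifyUpdate is the client-side gate: the channel must be TLS and the
// payload must verify under the embedded vendor key. A redirected download
// from a look-alike server fails the second check regardless of which DNS
// resolver answered the lookup.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest) error {
	if err := CheckUpdateURL(m.URL); err != nil {
		return err
	}
	if !ed25519.Verify(pub, m.Payload, m.Signature) {
		return errors.New("signature mismatch: payload was not signed by the vendor key")
	}
	return nil
}

func main() {
	priv, pub := DemoVendorKeys()
	payload := []byte("constructed genuine installer bytes")
	sig := SignUpdate(priv, payload)

	genuine := UpdateManifest{URL: "https://updates.example.invalid/app.bin", Payload: payload, Signature: sig}
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine))

	// Attacker-controlled server returns a different binary but cannot
	// produce a valid signature for it.
	swapped := genuine
	swapped.Payload = []byte("constructed attacker-substituted installer")
	fmt.Println("swapped payload:", VerifyUpdate(pub, swapped))

	// Same bytes requested over plaintext: rejected before any crypto runs.
	plaintext := genuine
	plaintext.URL = "http://updates.example.invalid/app.bin"
	fmt.Println("plaintext channel:", VerifyUpdate(pub, plaintext))
}
```

The ordering matters: the URL check runs first so a misconfigured client fails closed even before a payload is fetched, and the signature check is over the raw bytes so that any substitution, whether by a poisoned DNS answer or by a hostile server, is caught at the point of installation rather than at the point of resolution.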