Hackers compromise an Internet provider's infrastructure and spread malware to Mac and Windows users
Kyiv • UNN
Millions of Mac and Windows users have been infected through a compromised Internet service provider: the attackers replaced software updates delivered over insecure connections with malware.
Millions of Mac and Windows users have been infected via software updates delivered through a compromised Internet service provider, UNN reports, citing Ars Technica.
The newly reported attack has exposed a weakness in how some Mac and Windows applications fetch their updates. According to the researchers, the attackers compromised the ISP's infrastructure and tampered with software updates that were delivered over insecure connections, and in this way pushed malware to Windows and Mac users.
Here is how the experts explain the situation.
It was not a hack of the providers' DNS servers
According to Steven Adair, the most interesting, and most alarming, aspect is that "it was a compromise of the network infrastructure for Internet traffic."
For example, DNS requests sent to Google's public DNS server at 8.8.8.8 came back with answers pointing to the IP addresses of the attackers' servers.
In other words, the responses from any DNS server were altered as they passed through the hacked provider's infrastructure.
At the DNS level, the only protection available to an end user is DNS over HTTPS or DNS over TLS, which authenticates the channel to the resolver so that lookup results cannot be spoofed in transit. Beyond that, users should avoid applications that deliver unsigned updates over unencrypted connections: an attacker positioned inside the provider's network can tamper with a plaintext download just as easily as with a DNS reply, so only updates that are signed and fetched over HTTPS resist this kind of compromise.
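To make the last point concrete, the following Go program is an added example (not code from the article or from the researchers it cites) that contrasts the vulnerable update pattern, install whatever the resolved host returns, with a hardened one: require HTTPS and verify a detached Ed25519 signature against a public key embedded in the client. The key seed, the two payloads and the host updates.example.com are all constructed for the demonstration; a real client ships only the vendor's public key and never sees the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Demo-only key pair derived from a fixed seed so the example is reproducible (constructed
// for this example). In a real client only vendorPub is embedded in the binary; the private
// key stays in the vendor's offline release pipeline.
var demoSeed = []byte("example-vendor-release-key-seed!") // exactly 32 bytes
var vendorPriv = ed25519.NewKeyFromSeed(demoSeed)
var vendorPub = vendorPriv.Public().(ed25519.PublicKey)

// Constructed stand-ins for the bytes an updater would download.
var vendorUpdate = []byte("example-app 1.2.3 release build (constructed sample payload)")
var attackerUpdate = []byte("example-app 1.2.3 release build (served by the attacker's host after DNS poisoning)")

// SignUpdate is the vendor side: a detached Ed25519 signature published next to the file.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// VerifyUpdate is the client side: refuse anything that does not carry a valid signature
// from the embedded vendor key, regardless of which server the bytes came from.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("bad signature length %d (want %d)", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature does not verify: payload was not produced by the vendor")
	}
	return nil
}

// CheckUpdateURL refuses a plaintext update channel. HTTPS alone does not stop DNS poisoning
// from steering the client to the attacker's IP, but the TLS certificate check then fails
// unless the attacker also holds a valid certificate for the name.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing update from %q: scheme must be https", raw)
	}
	return nil
}

// ApplyUpdate is the hardened path: transport check, then signature check, and only then
// "install" (here: return the SHA-256 of what was accepted). The vulnerable pattern the
// article describes skips both checks and installs whatever the resolved host returned.
func ApplyUpdate(pub ed25519.PublicKey, rawURL string, payload, sig []byte) (string, error) {
	if err := CheckUpdateURL(rawURL); err != nil {
		return "", err
	}
	if err := VerifyUpdate(pub, payload, sig); err != nil {
		return "", err
	}
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	sig := SignUpdate(vendorPriv, vendorUpdate)
	cases := []struct {
		name    string
		url     string
		payload []byte
	}{
		{"genuine over https", "https://updates.example.com/app-1.2.3.pkg", vendorUpdate},
		{"substituted payload", "https://updates.example.com/app-1.2.3.pkg", attackerUpdate},
		{"genuine over http", "http://updates.example.com/app-1.2.3.pkg", vendorUpdate},
	}
	for _, c := range cases {
		digest, err := ApplyUpdate(vendorPub, c.url, c.payload, sig)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-20s installed sha256=%s...\n", c.name, digest[:16])
	}
}
```

The substituted payload is exactly what a client receives after its DNS answer has been rewritten to the attacker's host: the attacker can serve any bytes, but cannot produce a signature that verifies under the vendor's key, so the signature check is what actually closes the hole the article describes; the HTTPS requirement removes the plaintext channel the attackers relied on.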
The importance of secure protocols
Because the DNS responses of any server can be altered as soon as they enter the infrastructure of a compromised provider, users should switch to encrypted DNS: DNS over HTTPS (DoH) or DNS over TLS (DoT). These protocols encrypt and authenticate the connection to the resolver, so lookup results cannot be manipulated along the way, notes Tom's Guide, a technology news outlet.
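To show what "altered as soon as they enter the provider's infrastructure" means on the wire, here is an added Go example (not from the article, Ars Technica or Tom's Guide) that builds a plain UDP DNS answer the way a resolver would send it, rewrites its A record the way an on-path attacker could, and then parses the result the way a client does. The name updates.example.com and the addresses 203.0.113.10 and 198.51.100.7 are constructed test values from the documentation ranges.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// encodeName turns "updates.example.com" into DNS label form: 7updates7example3com0.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// skipName returns the offset just past the name starting at off, handling compression pointers.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // two-byte pointer ends the name
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// BuildAResponse constructs what a legitimate resolver (e.g. 8.8.8.8) would send back:
// header, the echoed question, and one A record whose name is a pointer to the question.
func BuildAResponse(id uint16, name string, ip [4]byte) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x8180) // QR=1, RD=1, RA=1, NOERROR
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	binary.BigEndian.PutUint16(msg[6:], 1)      // ANCOUNT
	msg = append(msg, encodeName(name)...)
	msg = append(msg, 0, 1, 0, 1)       // QTYPE A, QCLASS IN
	msg = append(msg, 0xC0, 0x0C)       // answer name: pointer to offset 12
	msg = append(msg, 0, 1, 0, 1)       // TYPE A, CLASS IN
	msg = append(msg, 0, 0, 0x0E, 0x10) // TTL 3600
	msg = append(msg, 0, 4)             // RDLENGTH
	return append(msg, ip[:]...)
}

// firstARdata locates the RDATA of the first answer record and returns its offset.
func firstARdata(msg []byte) (int, error) {
	if len(msg) < 12 {
		return 0, errors.New("short message")
	}
	if binary.BigEndian.Uint16(msg[6:]) == 0 {
		return 0, errors.New("no answers")
	}
	off := 12
	for i := 0; i < int(binary.BigEndian.Uint16(msg[4:])); i++ { // skip the question section
		var err error
		if off, err = skipName(msg, off); err != nil {
			return 0, err
		}
		off += 4 // QTYPE + QCLASS
	}
	off, err := skipName(msg, off)
	if err != nil {
		return 0, err
	}
	if off+10 > len(msg) {
		return 0, errors.New("truncated answer")
	}
	typ := binary.BigEndian.Uint16(msg[off:])
	rdlen := int(binary.BigEndian.Uint16(msg[off+8:]))
	if typ != 1 || rdlen != 4 {
		return 0, errors.New("first answer is not an A record")
	}
	off += 10 // TYPE, CLASS, TTL, RDLENGTH
	if off+4 > len(msg) {
		return 0, errors.New("truncated rdata")
	}
	return off, nil
}

// RewriteA is the on-path attacker's move: copy the response and overwrite only the address
// in the A record. ID, flags and question are untouched, so the client's matching checks pass.
func RewriteA(resp []byte, newIP [4]byte) ([]byte, error) {
	off, err := firstARdata(resp)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), resp...)
	copy(out[off:off+4], newIP[:])
	return out, nil
}

// ClientAnswer is what a plain UDP/53 client ends up believing: the transaction ID it
// matched against its query and the address it will connect to.
func ClientAnswer(resp []byte) (id uint16, ip [4]byte, err error) {
	off, err := firstARdata(resp)
	if err != nil {
		return 0, ip, err
	}
	copy(ip[:], resp[off:off+4])
	return binary.BigEndian.Uint16(resp[0:]), ip, nil
}

func main() {
	genuine := BuildAResponse(0x1A2B, "updates.example.com", [4]byte{203, 0, 113, 10}) // resolver's real answer (constructed)
	poisoned, _ := RewriteA(genuine, [4]byte{198, 51, 100, 7})                        // rewritten inside the compromised ISP
	for _, r := range [][]byte{genuine, poisoned} {
		id, ip, err := ClientAnswer(r)
		fmt.Printf("id=%#x ip=%d.%d.%d.%d err=%v\n", id, ip[0], ip[1], ip[2], ip[3], err)
	}
}
```

Both messages carry the same transaction ID and the same question, which is all a classic resolver-side anti-spoofing check looks at, so the client has no way to tell the rewritten answer from the genuine one. With DoH or DoT the identical message travels inside a TLS session authenticated to the resolver, and a byte-level rewrite like RewriteA would break the session instead of silently changing the address.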
Containing the problem
The researchers are not yet naming the compromised provider, saying only that it is "not a very large provider or one that you are likely to know."
"In our case, the incident is localized, but we see other servers actively serving malicious updates, and we don't know where they are coming from. We suspect there are other active attacks around the world that we have no idea about. It could be a compromise of the provider or a local compromise of the organization, for example, on its firewall," said Steven Adair.