IPv6 networking feature hit by hackers to hijack software updates


  • Chinese threat actor TheWizards observed running a SLAAC attack since 2022
  • The attack delivers tainted software updates
  • Most victims are in China, Hong Kong, the Philippines, and UAE

A threat actor called TheWizards has been running SLAAC spoofing attacks to target organizations, cybersecurity researchers ESET have revealed, claiming the group is aligned with the Chinese government.

In the campaign, the attackers would use a tool called Spellbinder to send fake Router Advertisement (RA) messages to their targets.

These messages trick devices into thinking the attacker’s system is the legitimate router, causing them to route all their internet traffic through the hacker’s machine. Since this method manipulates the Stateless Address Autoconfiguration (SLAAC) process, the entire attack was dubbed “SLAAC spoofing”.

Active at press time

Once TheWizards start controlling the traffic, they use Spellbinder to intercept DNS queries for legitimate software update domains and redirect them.

As a result, the victims end up downloading trojanized versions of software updates, containing the WizardNet backdoor.

This piece of malware, ESET further explained, grants TheWizards remote access to the victim devices. It communicates over encrypted TCP or UDP sockets, and uses a SessionKey derived from system identifiers for AES encryption.

Besides loading and executing .NET modules in-memory, WizardNet can extract system data, list running processes, and maintain persistence.


The campaign has been ongoing since at least 2022, ESET added, mainly targeting people and businesses in China, Hong Kong, Cambodia, the Philippines, and the UAE.

Apparently, the crooks are currently tricking people into downloading a fake Tencent update: “The malicious server that issues the update instructions was still active at the time of writing,” ESET said. Most of the corporate victims seem to be in the gambling vertical.

ESET also said that Spellbinder is monitoring for domains belonging not just to Tencent, but also Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi MIUI, PPLive, Meitu, Qihoo 360, and Baofeng.

The best way to mitigate the risk is to monitor IPv6 traffic, or turn off the protocol if it’s not required in the environment, ESET concluded.
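The monitoring ESET recommends comes down to one question: which hosts on the link are sending ICMPv6 Router Advertisements, and what are they advertising? The following example, added here and not part of ESET's report or the Spellbinder analysis, parses raw IPv6 packets, decodes the RA header and its Prefix Information (type 3) and RDNSS (type 25, RFC 8106) options, and flags RAs whose source is not an allow-listed router or which push a recursive DNS server outside the allow-list. The RDNSS check is a general property of RA, not a detail the article states about Spellbinder. The packets, router addresses and DNS servers are constructed fixtures; `build_ra` exists only to produce them and does not compute the ICMPv6 checksum, which a real sensor should verify before trusting the decode.

```python
"""Flag unexpected IPv6 Router Advertisements (ICMPv6 type 134) in raw IPv6 packets.

Added illustration of RA monitoring; not code from ESET or the article.
"""
from __future__ import annotations

import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
IPPROTO_ICMPV6 = 58
OPT_PREFIX_INFO = 3   # RFC 4861 Prefix Information option
OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option


def parse_ipv6_packet(pkt: bytes):
    """Return (src, dst, next_header, hop_limit, payload) for an IPv6 packet without extension headers."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    ver_tc_fl, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, next_header, hop_limit, pkt[40:40 + payload_len]


def parse_ra_options(data: bytes):
    """Yield (type, body) for each ND option; the length field counts 8-octet units including the header."""
    off = 0
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: the packet must be discarded
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        yield opt_type, data[off + 2:end]
        off = end


def parse_router_advert(icmp: bytes):
    """Decode an ICMPv6 RA body into router lifetime, advertised prefixes and RDNSS servers, or None."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    _cur_hop, _flags, router_lifetime, _reachable, _retrans = struct.unpack("!BBHII", icmp[4:16])
    ra = {"router_lifetime": router_lifetime, "prefixes": [], "dns_servers": []}
    for opt_type, body in parse_ra_options(icmp[16:]):
        if opt_type == OPT_PREFIX_INFO and len(body) >= 30:
            # body: prefix_len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and len(body) >= 6:
            # body: reserved(2) lifetime(4) then one or more 16-byte server addresses
            addrs = body[6:]
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
    return ra


def check_ra(pkt: bytes, trusted_routers: set[str], trusted_dns: set[str]) -> list[str]:
    """Return findings for one packet; an empty list means it is not an RA or looks as expected."""
    src, _dst, next_header, hop_limit, payload = parse_ipv6_packet(pkt)
    if next_header != IPPROTO_ICMPV6:
        return []
    ra = parse_router_advert(payload)
    if ra is None:
        return []
    routers = {ipaddress.IPv6Address(a) for a in trusted_routers}
    findings = []
    if hop_limit != 255:
        findings.append(f"RA from {src}: hop limit {hop_limit}, RFC 4861 requires 255")
    if not src.is_link_local:
        findings.append(f"RA from {src}: source is not a link-local address")
    if src not in routers:
        findings.append(f"RA from {src}: not an allow-listed router")
    for dns in ra["dns_servers"]:
        if ipaddress.IPv6Address(dns) not in {ipaddress.IPv6Address(d) for d in trusted_dns}:
            findings.append(f"RA from {src}: pushes non-allow-listed DNS server {dns}")
    return findings


def build_ra(src: str, prefix: str, dns: list[str] | None = None, hop_limit: int = 255) -> bytes:
    """Constructed test fixture: minimal IPv6 + ICMPv6 RA to ff02::1. Checksum is left at zero."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    for d in dns or []:
        pass
    if dns:
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        icmp += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


if __name__ == "__main__":
    # Constructed scenario: the real router is fe80::1; a second host starts advertising itself
    # as a router and hands out its own DNS server (documentation prefix 2001:db8::/32).
    allowed_routers, allowed_dns = {"fe80::1"}, {"2001:db8::1"}
    for frame in (build_ra("fe80::1", "2001:db8:1::/64"),
                  build_ra("fe80::dead:beef", "2001:db8:1::/64", dns=["2001:db8::53"])):
        for line in check_ra(frame, allowed_routers, allowed_dns):
            print(line)
```

On a real link the same `check_ra` would be fed from a raw socket or a pcap reader filtered to `icmp6 && ip6[40] == 134`; the allow-list is the set of link-local addresses of routers you actually operate, which is also the list an RA Guard policy on the switch would enforce.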

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
