Canonical today released Ubuntu 25.04 "Plucky Puffin," bringing significant upgrades to the non-LTS distribution including Linux kernel 6.14, GNOME 48 with triple buffering, and expanded hardware support.

For the first time, Ubuntu ships an official generic ARM64 desktop ISO targeting virtual machines and Snapdragon-based devices, with initial enablement for the Snapdragon X Elite platform. The release also adds full support for Intel Core Ultra Xe2 integrated graphics and "Battlemage" discrete GPUs, delivering improved ray tracing performance and hardware-accelerated video encoding.

Networking improvements include wpa-psk-sha256 Wi-Fi support and enhanced DNS resolution detection. The installer now better handles BitLocker-protected Windows partitions for dual-boot scenarios. Other notable changes include JPEG XL support by default, NVIDIA Dynamic Boost enabled on supported laptops, Papers replacing Evince as the default document viewer, and APT 3.0 becoming the standard package manager. Ubuntu 25.04 will receive nine months of support until January 2026.

An anonymous reader quotes a report from Ars Technica: A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned. The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned.

"This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned Thursday. "Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations." There are two variations of fast flux described in the advisory: single flux and double flux. Single flux involves mapping a single domain to a rotating pool of IP addresses using DNS A (IPv4) or AAAA (IPv6) records. This constant cycling makes it difficult for defenders to track or block the associated malicious servers since the addresses change frequently, yet the domain name remains consistent.

Double flux takes this a step further by also rotating the DNS name servers themselves. In addition to changing the IP addresses of the domain, it cycles through the name servers using NS (Name Server) and CNAME (Canonical Name) records. This adds an additional layer of obfuscation and resilience, complicating takedown efforts.

"A key means for achieving this is the use of Wildcard DNS records," notes Ars. "These records define zones within the Domain Name System, which map domains to IP addresses. The wildcards cause DNS lookups for subdomains that do not exist, specifically by tying MX (mail exchange) records used to designate mail servers. The result is the assignment of an attacker IP to a subdomain such as malicious.example.com, even though it doesn't exist." Both methods typically rely on large botnets of compromised devices acting as proxies, making it challenging for defenders to trace or disrupt the malicious activity.

An anonymous reader quotes a report from Techdirt: Walled Culture has been following closely Italy's poorly designed Piracy Shield system. Back in December we reported how copyright companies used their access to the Piracy Shield system to order Italian Internet service providers (ISPs) to block access to all of Google Drive for the entire country, and how malicious actors could similarly use that unchecked power to shut down critical national infrastructure. Since then, the Computer & Communications Industry Association (CCIA), an international, not-for-profit association representing computer, communications, and Internet industry firms, has added its voice to the chorus of disapproval. In a letter (PDF) to the European Commission, it warned about the dangers of the Piracy Shield system to the EU economy [...]. It also raised an important new issue: the fact that Italy brought in this extreme legislation without notifying the European Commission under the so-called "TRIS" procedure, which allows others to comment on possible problems [...].

As well as Italy's failure to notify the Commission about its new legislation in advance, the CCIA believes that: this anti-piracy mechanism is in breach of several other EU laws. That includes the Open Internet Regulation which prohibits ISPs to block or slow internet traffic unless required by a legal order. The block subsequent to the Piracy Shield also contradicts the Digital Services Act (DSA) in several aspects, notably Article 9 requiring certain elements to be included in the orders to act against illegal content. More broadly, the Piracy Shield is not aligned with the Charter of Fundamental Rights nor the Treaty on the Functioning of the EU -- as it hinders freedom of expression, freedom to provide internet services, the principle of proportionality, and the right to an effective remedy and a fair trial.

Far from taking these criticisms to heart, or acknowledging that Piracy Shield has failed to convert people to paying subscribers, the Italian government has decided to double down, and to make Piracy Shield even worse. Massimiliano Capitanio, Commissioner at AGCOM, the Italian Authority for Communications Guarantees, explained on LinkedIn how Piracy Shield was being extended in far-reaching ways (translation by Google Translate, original in Italian). [...] That is, Piracy Shield will apply to live content far beyond sports events, its original justification, and to streaming services. Even DNS and VPN providers will be required to block sites, a serious technical interference in the way the Internet operates, and a threat to people's privacy. Search engines, too, will be forced to de-index material. The only minor concession to ISPs is to unblock domain names and IP addresses that are no longer allegedly being used to disseminate unauthorized material. There are, of course, no concessions to ordinary Internet users affected by Piracy Shield blunders. In the future, Italy's Piracy Shield will add:
- 30-minute blackout orders not only for pirate sports events, but also for other live content;
- the extension of blackout orders to VPNs and public DNS providers;
- the obligation for search engines to de-index pirate sites;
- the procedures for unblocking domain names and IP addresses obscured by Piracy Shield that are no longer used to spread pirate content;
- the new procedure to combat piracy on the #linear and "on demand" television, for example to protect the #film and #serietv.

"Italy is using its Piracy Shield law to go after Google," reports Ars Technica, "with a court ordering the Internet giant to immediately begin poisoning its public DNS servers" to prevent people from reaching pirate streams of football games.

"Italy's communication regulator praises the ruling and hopes to continue sticking it to international tech firms." Spotted by TorrentFreak, AGCOM Commissioner Massimiliano Capitanio took to LinkedIn to celebrate the ruling, as well as the existence of the Italian Piracy Shield. "The Judge confirmed the value of AGCOM's investigations, once again giving legitimacy to a system for the protection of copyright that is unique in the world," said Capitanio. Capitanio went on to complain that Google has routinely ignored AGCOM's listing of pirate sites, which are supposed to be blocked in 30 minutes or less under the law. He noted the violation was so clear-cut that the order was issued without giving Google a chance to respond, known as inaudita altera parte in Italian courts.

An anonymous reader quotes a report from TorrentFreak: In France, rightsholders have taken legal action to compel large VPN providers to support their pirate site blocking program. The aim is to reinforce existing blocking measures, but VPN providers see this as a dangerous move, leading to potential security issues and overblocking. As a result, some are considering leaving France altogether if push comes to shove. [...] Earlier this month, sports rightsholders Canal+ and LFP requested blocking injunctions that would require popular VPNs to start blocking pirate sites and services. The full requests are not public, but the details available show that Cyberghost, ExpressVPN, NordVPN, ProtonVPN, and Surfshark are listed as respondents. [...]

The blocking request has yet to be approved and several of the targeted VPN providers have reserved detailed commentary, for now. That said, the VPN Trust Initiative (VTI), which includes ExpressVPN, NordVPN and Surfshark as members, has been vocal in its opposition. VTI is part of the i2Coalition and while it doesn't speak directly for any of the members, the coalition's Executive Director Christian Dawson has been in regular discussions with VPN providers. From this, it became clear that VPN providers face difficult decisions. If VPN providers are ordered to block pirate sites, some are considering whether to follow in the footsteps of Cisco, which discontinued its OpenDNS service in the country, to avoid meddling with its DNS resolver.

Speaking with TorrentFreak, VTI's Dawson says that VPNs have previously left markets like India and Pakistan in response to restrictive requirements. This typically happens when privacy or security principles are at risk, or if the technical implementation of blocking measures is infeasible. VTI does not rule out that some members may choose to exit France for similar reasons, if required to comply with blocking measures. "We've seen this before in markets like India and Pakistan, where regulatory requirements forced some VPN services to withdraw rather than compromise on encryption standards or log-keeping policies," Dawson says. "France's potential move to force VPN providers to block content could put companies in a similar position -- where they either comply with measures that contradict their purpose or leave the market altogether." "This case in France is part of a broader global trend of regulatory overreach, where governments attempt to control encrypted services under the guise of content regulation. We've already seen how China, Russia, Myanmar, and Iran have imposed VPN restrictions as part of broader censorship efforts."

"The best path forward is for policymakers to focus on targeted enforcement measures that don't undermine Internet security or create a precedent for global Internet fragmentation," concludes Dawson. "As seen in other cases, blanket blocking measures do not effectively combat piracy but instead create far-reaching consequences that disrupt the open Internet."

U.S. Representative Zoe Lofgren has introduced a bill that would allow courts to block access to foreign websites primarily engaged in copyright infringement. The Foreign Anti-Digital Piracy Act would enable rightsholders to obtain injunctions requiring large Internet service providers and DNS resolvers to block access to pirate sites.

The bill marks a shift from previous site-blocking proposals, notably including DNS providers like Google and Cloudflare with annual revenues above $100 million. Motion Picture Association CEO Charles Rivkin backed the measure, while consumer group Public Knowledge criticized it as "censorious." The legislation requires court review and due process before any blocking orders can be issued. Sites would have 30 days to contest preliminary orders.

Despite being removed from app stores and facing a potential U.S. ban, TikTok has regained nearly 90% of its user traffic, according to Cloudflare Radar. "DNS traffic for TikTok-related domains has continued to recover since service restoration, and is currently about 10% lower than pre-shutdown level," said David Belson, head of data insight at Cloudflare. CNBC reports: The data from Cloudflare shows that, for the most part, TikTok has managed to maintain the bulk of its users and creators in the U.S. despite going offline for about 14 hours and remaining off of the Apple or Google app stores.

As for its alternatives, Cloudflare's data shows a spike in traffic the day of the temporary ban, with levels remaining steadily higher in the following week. Traffic for alternatives began to grow a week ahead of the expected shutdown, driven by the increased popularity of RedNote, known as Xiaohongshu in China, Belson said.

But traffic to TikTok alternatives peaked on Jan. 19, the day TikTok returned online, he added. "DNS traffic fell rapidly once the shutdown ended, and has continued to slowly decline over the last week and a half," Belson said.

An anonymous reader quotes a report from Ars Technica: US Rep. Zoe Lofgren (D-Calif.) today proposed a law that would let copyright owners obtain court orders requiring Internet service providers to block access to foreign piracy websites. The bill would also force DNS providers to block sites. Lofgren said in a press release that she "work[ed] for over a year with the tech, film, and television industries" on "a proposal that has a remedy for copyright infringers located overseas that does not disrupt the free Internet except for the infringers." Lofgren said she plans to work with Republican leaders to enact the bill. [...]

Lofgren's bill (PDF) would impose site-blocking requirements on broadband providers with at least 100,000 subscribers and providers of public domain name resolution services with annual revenue of over $100 million. The bill has exemptions for VPN services and "similar services that encrypt and route user traffic through intermediary servers"; DNS providers that offer service "exclusively through encrypted DNS protocols"; and operators of premises that provide Internet access, like coffee shops, bookstores, airlines, and universities. Lofgren released a summary of the bill explaining how copyright owners can obtain blocking orders. "A copyright owner or exclusive licensee may file a petition in US District Court to obtain a preliminary order against a foreign website or online service engaging in copyright infringement," the summary said.

For non-live content, the petition must show that "transmission of a work through a foreign website likely infringes exclusive rights under Section 106 [of US law] and is causing irreparable harm." For live events, a petition must show that "an imminent or ongoing unauthorized transmission of a live event is likely to infringe, and will cause irreparable harm." The proposed law says that after a preliminary order is issued, copyright owners would be able to obtain orders directing service providers "to take reasonable and technically feasible measures to prevent users of the service provided by the service provider from accessing the foreign website or online service identified in the order." Judges would not be permitted to "prescribe any specific technical measures" for blocking and may not require any action that would prevent Internet users from using virtual private networks.Consumer advocacy group Public Knowledge described the bill as a "censorious site-blocking" measure "that turns broadband providers into copyright police at Americans' expense."

"Rather than attacking the problem at its source -- bringing the people running overseas piracy websites to court -- Congress and its allies in the entertainment industry has decided to build out a sweeping infrastructure for censorship," Public Knowledge Senior Policy Counsel Meredith Rose said. "Site-blocking orders force any service provider, from residential broadband providers to global DNS resolvers, to disrupt traffic from targeted websites accused of copyright infringement. More importantly, applying blocking orders to global DNS resolvers results in global blocks. This means that one court can cut off access to a website globally, based on one individual's filing and an expedited procedure. Blocking orders are incredibly powerful weapons, ripe for abuse, and we've seen the messy consequences of them being implemented in other countries."

A security researcher discovered and fixed a critical domain name server misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks.

Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."

An anonymous reader quotes a report from TorrentFreak: In a landmark ruling, the Court of Milan has ordered (PDF) Cloudflare to block pirate streaming services that offer Serie A football matches. The court found that Cloudflare's services are instrumental in facilitating access to live pirate streams, undermining Italy's 'Piracy Shield' legislation. The order, which applies in Italy, affects Cloudflare's CDN, DNS resolver, WARP and proxy services. It also includes a broad data disclosure section. [...]

The Court of Milan's decision prohibits Cloudflare from resolving domain names and routing internet traffic to IP addresses of all services present on the "Piracy Shield" system. This also applies to future domains and aliases used by these pirate services. The order applies to Cloudflare's content delivery network (CDN), DNS services, and reverse proxy services. The order also mentions Cloudflare's free VPN among the targets, likely referring to the WARP service. If any of the targeted pirate streaming providers use Cloudflare's services to infringe on Serie A's copyrights, the company Cloudflare must stop providing CDN, authoritative DNS, and reverse proxy services to these customers. (Note: This is an Italian court order and Cloudflare previously used geotargeting to block sites only in Italy. It may respond similarly here, but terminating customer accounts only in Italy might be more complicated. )

Finally, the order further includes a data disclosure component, under which Cloudflare must identify customers who use Cloudflare's services to offer pirated streams. This should help Serie A to track down those responsible. The data disclosure section also covers information related to the 'VPN' and alternative public DNS services, where these relate to the IPTV platforms identified in the case. That covers traffic volume and connection logs, including IP-addresses and timestamps. In theory, that could also cover data on people who accessed these services using Cloudflare's VPN and DNS resolver. [...] The court ordered Cloudflare to cover the costs of the proceeding and if it doesn't implement the blocking requirements in time, an additional fine of 10,000 euros per day will apply.

"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.

The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.

D-Link confirmed no fix will be issued for the over 60,000 D-Link NAS devices that are vulnerable to a critical command injection flaw (CVE-2024-10914), allowing unauthenticated attackers to execute arbitrary commands through unsanitized HTTP requests. The networking company advises users to retire or isolate the affected devices from public internet access. BleepingComputer reports: The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses: DNS-320 Version 1.00; DNS-320LW Version 1.01.0914.2012; DNS-325 Version 1.01, Version 1.02; and DNS-340L Version 1.08. [...] A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions. The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.

penciling_in writes: Pat Kane, Senior VP at Verisign, reports that on October 20th, ICANN and Verisign renewed the agreement under which Verisign will continue to act as Root Zone Maintainer for the Domain Name System (DNS) for another 8-year term. "The Root Zone sits atop the hierarchical architecture of the DNS and is essential to virtually all internet navigation, acting as the dynamic, cryptographically secure, global directory of all top-level domains that exist in the DNS. The Root Zone Maintainer is a unique role that ensures the cryptographic signing and publication of the Root Zone no less than once a day, without which, navigation on the internet would be impossible," the story adds.

Malaysia's telecom regulator has abandoned a plan to block overseas DNS services a day after announcing it, following a sharp backlash and accusations of government overreach. From a report: Last Friday, the Malaysian Communications and Multimedia Commission (MCMC) published an FAQ that stated it had instructed all ISPs to redirect traffic headed for offshore DNS servers to services operated by Malaysian ISPs -- a move it claimed would prevent access to malicious and harmful websites such as those concerning gambling, pornography, copyright infringement or scams. "No, the DNS redirection will not affect your connection speed or browsing experience for legitimate websites," the Commission promised in its FAQ.

But opposition to the plan quickly emerged, on grounds that it could amount to censorship and therefore represented government overreach. Musician turned state legislator Syed Ahmad Syed Abdul Rahman Alhadad labelled the decision "draconian" and a negative for Malaysia's digital economy. Fellow state assemblyperson Lim Yi Wei described the policy as "ill-advised," censorship, inefficient, and unsecure -- as well as counterproductive to government efforts to develop tech startups, innovation and datacenters.

The Malaysian Communications and Multimedia Commission, which regulates online and broadcast media in the Asian nation, has instructed internet service providers in the country to redirect DNS traffic that uses third-party servers back to their own DNS servers, according to local media reports. From a report: MCMC in a statement tonight said this is to ensure that users continue to benefit from the protection provided by the local ISP's DNS servers and that malicious sites are inaccessible to Malaysians. As a commitment to protecting the safety of Internet users, MCMC has blocked a total of 24,277 websites between between 2018 to Aug 1, classified into various categories, which are online gambling (39 per cent), pornography/obscene content (31 per cent), copyright infringement (14 per cent), other harmful sites (12 per cent), prostitution (two per cent) and unlawful investments/scams (two per cent). Further reading: MCMC orders DNS redirection for businesses, govts, enterprises by Sept 30, according to Maxis FAQ.

A university in Taiwan was breached with "a previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique," Symantec reports. The most notable feature of this backdoor is that it communicates with a command-and-control server via DNS traffic... The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution... Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the backdoor will change based on the value of the third octet of the resolved IP address minus seven...

The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution.

Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.
More from The Record: Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools. Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations. Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said.
Additional coverage at The Hacker News.

Thanks to Slashdot reader joshuark for sharing the article.

Security researcher Bill Demirkapi unveiled a massive trove of leaked developer secrets and website vulnerabilities at the Defcon conference in Las Vegas. Using unconventional data sources, Demirkapi identified over 15,000 exposed secrets, including credentials for Nebraska's Supreme Court IT systems and Stanford University's Slack channels.

The researcher also discovered 66,000 websites with dangling subdomain issues, making them vulnerable to attacks. Among the affected sites was a New York Times development domain. Demirkapi's tack involved scanning VirusTotal's database and passive DNS replication data to identify vulnerabilities at scale. He developed an automated method to revoke exposed secrets, working with companies like OpenAI to implement self-service deactivation of compromised API keys.

The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0, 172.16.0.0 and 192.168.0.0 IPv4 address blocks for internal networks. From a report: Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet. As The Register reported when we spotted the proposal last January, ICANN wanted something similar but for DNS, by defining a top-level domain that would never be delegated in the global domain name system (DNS) root.

Doing so would mean the TLD could never be accessed on the open internet -- achieving the org's goal of delivering a domain that could be used for internal networks without fear of conflict or confusion. ICANN suggested such a domain could be useful, because some orgs had already started making up and using their own domain names for private internal use only. Networking equipment vendor D-Link, for example, made the web interface for its products available on internal networks at .dlink. ICANN didn't like that because the org thought ad hoc TLD creation could see netizens assume the TLDs had wider use -- creating traffic that busy DNS servers would have to handle. Picking a string dedicated to internal networks was the alternative. After years of consultation about whether it was a good idea -- and which string should be selected -- ICANN last week decided on .internal. Any future applications to register it as a global TLD won't be allowed.

An anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. "That is the fun/scary part -- this was not the hack of the ISPs DNS servers," Volexity CEO Steven Adair wrote in an online interview. "This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers."

In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices. As for the hacked ISP, the security firm said "it's not a huge one or one you'd likely know."

"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall."

An anonymous reader shared this report from BleepingComputer: A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.
Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."

BleepingComputer notes that "âAfter compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."