Chinese hackers hijacked an ISP software update to spread malware
StormBamboo hijacked an ISP to push infected updates
Windows and macOS machines alike have been hit by malware after notorious Chinese hacker group StormBamboo used a compromised internet service provider (ISP) to target organizations with poisoned DNS responses.
StormBamboo used altered DNS query responses tied to automatic update mechanisms to target organizations that used insecure update mechanisms that did not properly validate the digital signatures.
The organizations’ applications would then search for updates, but instead of retrieving the update from the official site, they would instead download malware.
MACMA and POCOSTICK attacks
The StormBamboo campaign was first detected by Volexity in mid-2023, however it took some time for the attack vector to be identified, but mirrors a similar infection vector as a previous campaign attributed to DriftingBamboo.
In one incident, Volexity suspected the DNS poisoning was occuring at the target infrastructure level, but subsequent investigation revealed that the poisoning was occuring at the ISP level. Once the ISP was notified, they methodically rebooted systems and took components of the network offline, which caused the DNS poisoning to stop.
In order to push their malware onto target systems, StormBamboo would use the poisoned DNS to redirect HTTP requests to a command-and-control (C2) server that would supply a forged text file and malware installer instead of the legitimate software update. The forged text file replaces the legitimate text-based file that would typically contain the latest application version and an installer link requested via HTTP. The malware pushed by StormBamboo included MACMA and POCOSTICK.
StormBamboo used varying methods of this attack vector to target software vendors using insecure update workflows. HTTPS uses encryption and digital signatures to verify the authenticity of requests, making it far more secure than HTTP. Volexity provided guidance on defending against this particular attack vector, including a link to a set of rules used for detecting malicious activity, and and IOC block list.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- These are the best firewalls around today to keep you safe
- Python Q&A site StackExchange hijacked to spread malware disguised as answers
- Take a look at the best endpoint protection tools
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.