CyberSecurity SEE

Hackers Compromised ISP Service Provider to Distribute Malicious Software Updates


Hackers have been known to target ISPs for various malicious activities, ranging from disrupting internet services to stealing sensitive data. One of the most significant impacts of such compromises is giving hackers control over a large number of connected devices, which can further fuel their illicit activities.

In a recent disclosure by Volexity, a sophisticated attack uncovered in mid-2023 was attributed to the threat actor known as StormBamboo (also tracked as Evasive Panda or StormCloud). The actor hijacked an ISP to poison software updates.

The hackers behind StormBamboo took advantage of weaknesses in software update mechanisms, specifically targeting updaters that fetch over unsecured HTTP connections without verifying a digital signature on what they download. By manipulating DNS responses for the domains those updaters query, the attackers diverted users to malicious downloads instead of legitimate software updates.
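The two controls that were missing from the abused updaters, an authenticated transport and a signature check on the downloaded payload, as an added Go example (not code from Volexity or from any product named in this article); the manifest layout, the update domain and the key handling are assumptions made for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
)

// Manifest is what the updater fetches: the payload's location and its hash. The
// publisher signs it offline, so a DNS-redirected server cannot mint one for a swapped binary.
type Manifest struct {
	URL    string
	SHA256 string // hex-encoded
}

func (m Manifest) bytes() []byte { return []byte(m.URL + "\n" + m.SHA256) }

// NewManifest and SignManifest run on the publisher side only (constructed format).
func NewManifest(u string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{URL: u, SHA256: hex.EncodeToString(sum[:])}
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate enforces the two controls the article says were absent: a TLS transport
// (DNS poisoning alone then cannot impersonate the server) and a publisher signature
// over the hash of the bytes actually downloaded.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return errors.New("refusing non-HTTPS update URL")
	}
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload hash mismatch: download was substituted")
	}
	return nil
}
```

The public key must ship inside the updater itself; fetching it from the same server at update time would hand a redirected client a key the attacker chose.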

As a result of this insidious tactic, numerous Windows and macOS systems at various companies fell victim to malware such as MACMA and POCOSTICK (MGBot). This attack not only infected systems but also highlighted the critical need for robust DNS infrastructure protection and secure update procedures.

The skilled threat actors behind StormBamboo leveraged ISP-level DNS poisoning to redirect legitimate update requests to a malicious server in Hong Kong. This method allowed the hackers to infiltrate systems with advanced malware without requiring any user interaction.

StormBamboo also abused HTTP-based update mechanisms in individual applications, including the YoutubeDL component bundled with 5KPlayer. The fake updates it served carried malicious code, compromising systems with MACMA on macOS and POCOSTICK on Windows.

The complex nature of this attack surpassed previous incidents, showcasing significant advancements in both malware capabilities and attack methods. This event underscores the critical importance of secure software upgrade processes, robust DNS infrastructure protection, and staying vigilant against evolving cyber threats.

Researchers also observed StormBamboo using a dangerous Chrome extension called “RELOADEXT” on compromised macOS devices. This extension, installed through a custom binary installer, bypassed Chrome’s tamper protection features to exfiltrate browser cookies to an attacker-controlled Google Drive account.

RELOADEXT employed multiple layers of encryption, with AES used internally for its logic and specific keys for data exfiltration. This sophisticated technique, coupled with StormBamboo’s proficiency in exploiting ISPs and multiple platforms, highlights the threat posed by these skilled threat actors.

The incident serves as a stark reminder of the importance of building a robust security framework, even with limited resources. It is essential for IT security teams to remain vigilant, continuously update their defenses, and adopt proactive security measures to defend against increasingly complex cyber threats.
