CyberSecurity SEE

StormBamboo compromised an ISP to deploy malicious updates


In a recent cybersecurity breach, a group known as StormBamboo has orchestrated a DNS poisoning attack, targeting organizations through vulnerabilities in automatic software update mechanisms. Detected by security researchers in mid-2023, this attack takes advantage of insecure update processes to install malware on both macOS and Windows systems.

The modus operandi of StormBamboo involves manipulating DNS query responses for specific domains associated with automatic software updates. By focusing on applications that use insecure update mechanisms, such as HTTP, and fail to properly validate digital signatures, the group redirects update requests to their servers. Consequently, instead of receiving legitimate updates, users unwittingly install malware on their systems.
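The weakness described above is the combination of an unauthenticated transport and a client that does not check who signed the update. The following Go program, an added example that is not code from the original article or from any affected vendor, shows the two client behaviours side by side: an insecure updater that installs whatever bytes the (possibly redirected) server returns, and a hardened one that only installs a payload whose detached Ed25519 signature verifies under a vendor key pinned in the client. The `UpdatePackage` type, the `GenerateVendorKey`/`SignUpdate` stand-ins for the vendor's release pipeline, and the version-binding digest are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is the hypothetical shape of an update as the client receives it:
// the payload bytes plus a detached Ed25519 signature from the vendor's release key.
type UpdatePackage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when the payload was not signed by the pinned vendor key.
var ErrBadSignature = errors.New("update signature does not verify against pinned vendor key")

// updateDigest binds the version label to the payload, so a genuinely signed but
// older package cannot be replayed under a newer version number.
func updateDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so version and payload cannot be re-split
	h.Write(payload)
	return h.Sum(nil)
}

// InsecureInstall models the weakness described above: whatever bytes arrived
// (over plain HTTP, from whichever server the DNS answer pointed at) are installed.
func InsecureInstall(pkg UpdatePackage) []byte {
	return pkg.Payload
}

// VerifiedInstall accepts the payload only if the detached signature verifies under
// the vendor key compiled into the client. A server reached through a poisoned DNS
// answer cannot forge this without the vendor's private key, so neither the transport
// nor the resolver that answered decides what gets installed.
func VerifiedInstall(pinnedKey ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if !ed25519.Verify(pinnedKey, updateDigest(pkg.Version, pkg.Payload), pkg.Signature) {
		return nil, ErrBadSignature
	}
	return pkg.Payload, nil
}

// GenerateVendorKey and SignUpdate stand in for the vendor's release pipeline so the
// example runs offline; in practice the private key never leaves the build system.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, updateDigest(version, payload)),
	}
}

func main() {
	pub, priv := GenerateVendorKey()
	genuine := SignUpdate(priv, "2.1.0", []byte("genuine installer bytes"))

	// Simulate a poisoned DNS answer: the attacker's "update server" swaps the payload
	// but can only reuse the signature it observed on the real package.
	poisoned := genuine
	poisoned.Payload = []byte("attacker-supplied installer bytes")

	fmt.Printf("insecure client installs: %q\n", InsecureInstall(poisoned))
	if _, err := VerifiedInstall(pub, poisoned); err != nil {
		fmt.Println("verified client rejects:", err)
	}
	if body, err := VerifiedInstall(pub, genuine); err == nil {
		fmt.Printf("verified client installs: %q\n", body)
	}
}
```

The hardened path treats the network as untrusted by construction: moving the download to HTTPS still helps (it stops on-path tampering and, with proper certificate validation, a DNS-redirected host cannot present a valid certificate for the vendor's name), but pinning the signing key in the client is what makes the update authentic even if DNS, the ISP, or the CDN are compromised.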

The tainted DNS records in this attack pointed to a server in Hong Kong under the attackers' control. After investigating, the ISP took various network components offline, and the DNS poisoning activity promptly stopped. The incident resembles an earlier one attributed to DriftingBamboo, another threat actor potentially linked to StormBamboo, which also used DNS poisoning for initial network access.

In terms of malware deployment and post-exploitation activities, StormBamboo introduced several malware families, including new versions of MACMA for macOS and POCOSTICK for Windows. The latest iteration of MACMA showcases significant code similarities with the GIMMICK malware family, indicating a convergence in their development.

In one instance, following the compromise of a macOS device, StormBamboo deployed a malicious Google Chrome extension named RELOADEXT. Disguised as a tool for loading pages in Internet Explorer compatibility mode, the extension actually exfiltrates browser cookies to an attacker-controlled Google Drive account. Its obfuscated JavaScript encrypts the stolen data with AES under a specified key and base64-encodes it before transmission to that Google Drive account.

This incident underscores the risks of software that relies on insecure update mechanisms, and it highlights the sophisticated tactics of threat actors like StormBamboo, who infiltrate third-party infrastructure to reach their intended victims. To guard against similar attacks, organizations are advised to enforce HTTPS for all software update traffic, regularly audit and update network infrastructure (particularly DNS-related components), implement robust digital signature verification for software updates, monitor for unusual DNS activity and unexpected changes in DNS responses, and use network security monitoring tools capable of detecting DNS poisoning attempts.
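One concrete form of the "monitor for unexpected changes in DNS responses" advice is to compare the A records observed for update hostnames against an out-of-band baseline of the ranges the vendor is known to serve from, so that an answer steered to an unrelated address stands out even when the recursive resolver itself is the thing being poisoned. The Go program below is an added example, not code from the original article or from any monitoring product; the log line format, the `updates.example-vendor.test` hostname, the documentation-range addresses and the `ExpectedRanges` baseline are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Alert records one DNS answer for a monitored update hostname that fell outside
// the address ranges the vendor is known to serve from.
type Alert struct {
	Timestamp string
	Name      string
	Answer    string
	Reason    string
}

// ExpectedRanges is a constructed baseline: each monitored update hostname maps to
// the CIDR ranges its A records are expected to resolve into (the vendor's CDN, say).
// It must come from an out-of-band source (vendor documentation, a resolver you
// trust), not from the resolver being monitored.
var ExpectedRanges = map[string][]string{
	"updates.example-vendor.test": {"203.0.113.0/24"},
}

// SampleLog is a constructed resolver log in the hypothetical format
// "<timestamp> <queried name> <record type> <answer>", one answer per line.
var SampleLog = []string{
	"2023-06-14T10:02:11Z updates.example-vendor.test A 203.0.113.10",
	"2023-06-14T10:02:15Z updates.example-vendor.test. A 203.0.113.11",
	"2023-06-14T10:41:03Z updates.example-vendor.test A 198.51.100.77",
	"2023-06-14T10:41:05Z www.unrelated.test A 192.0.2.5",
	"2023-06-14T10:41:06Z updates.example-vendor.test AAAA 2001:db8::10",
	"garbage line that should be skipped",
}

// baseline is the parsed form of ExpectedRanges.
type baseline map[string][]*net.IPNet

func buildBaseline(expected map[string][]string) (baseline, error) {
	b := make(baseline, len(expected))
	for name, cidrs := range expected {
		key := canonicalName(name)
		for _, c := range cidrs {
			_, network, err := net.ParseCIDR(c)
			if err != nil {
				return nil, fmt.Errorf("baseline for %s: %w", name, err)
			}
			b[key] = append(b[key], network)
		}
	}
	return b, nil
}

// canonicalName lower-cases and strips the trailing dot so "Host." and "host" match.
func canonicalName(n string) string {
	return strings.ToLower(strings.TrimSuffix(n, "."))
}

// DetectPoisoning scans resolver log lines and returns one Alert per A-record answer
// for a monitored name that is outside every expected range. Lines that do not parse,
// non-A records, and names not in the baseline are skipped rather than alerted on.
func DetectPoisoning(expected map[string][]string, lines []string) ([]Alert, error) {
	b, err := buildBaseline(expected)
	if err != nil {
		return nil, err
	}
	var alerts []Alert
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "A" {
			continue
		}
		name := canonicalName(f[1])
		ranges, monitored := b[name]
		if !monitored {
			continue
		}
		ip := net.ParseIP(f[3])
		if ip == nil || ip.To4() == nil {
			continue
		}
		if !inAnyRange(ip, ranges) {
			alerts = append(alerts, Alert{
				Timestamp: f[0], Name: name, Answer: ip.String(),
				Reason: "A record outside expected ranges for update host",
			})
		}
	}
	return alerts, nil
}

func inAnyRange(ip net.IP, ranges []*net.IPNet) bool {
	for _, r := range ranges {
		if r.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	alerts, err := DetectPoisoning(ExpectedRanges, SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s -> %s: %s\n", a.Timestamp, a.Name, a.Answer, a.Reason)
	}
}
```

On the constructed log this raises a single alert, for the answer that left the vendor's range mid-window while the earlier answers stayed inside it. The baseline needs maintenance as vendors move CDNs, so a mismatch is a signal to verify the update's signature and the answer's provenance, not by itself proof of poisoning; pairing this check with signature verification in the client covers the case where the alert arrives after the download.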

The range of malware this threat actor has used across its campaigns indicates substantial effort spent actively maintaining payloads not only for macOS and Windows but also for network appliances, posing a significant ongoing challenge for cybersecurity professionals.
