Security researchers have identified StormBamboo, also tracked as Daggerfly and Evasive Panda [9], as a China-linked APT group responsible for compromising an ISP in a supply chain attack that relied on DNS poisoning.
Description
The group exploited insecure software update mechanisms to deliver the MACMA and POCOSTICK (MGBot) malware families to macOS and Windows systems. They also served a backdoored installer in response to 5KPlayer's requests to update its youtube-dl dependency, and installed a malicious Google Chrome extension called RELOADEXT to exfiltrate browser cookies and email data [9]. Volexity responded to the incidents on the infected systems and engaged the ISP, which rebooted key network components and halted the attacks. StormBamboo has a history of targeting organizations globally, with recent attacks observed in Taiwan and the US [4].

The group hijacked the ISP to push infected updates by altering the DNS query responses for domains used by automatic update mechanisms [2]. Volexity detected the StormBamboo campaign in mid-2023; the attack vector resembled a previous campaign attributed to DriftingBamboo [2]. DNS poisoning was initially suspected at the level of the target's own infrastructure but was later found to be occurring at the ISP level [2]. Once notified, the ISP took steps to stop the DNS poisoning [2]. StormBamboo redirected HTTP update requests to a C2 server that supplied forged text files and malware installers, including MACMA and POCOSTICK [2] [5] [6] [7] [8] [10]. This incident underscores the risks of insecure network communications and automated processes, and shows how attackers can reach downstream targets through compromised infrastructure [1]. In April 2023, StormBamboo targeted an international NGO in China with malicious updates, although the delivery method remained unclear at the time: ESET researchers were unable to determine whether the updates were delivered through a supply-chain compromise or an adversary-in-the-middle attack [8].

Volexity researchers later established that StormBamboo altered DNS query responses for specific domains tied to insecure software update mechanisms, leading to the installation of malware such as MACMA and POCOSTICK [8] [10]. After compromising systems with these backdoors, the attackers deployed a Google Chrome extension that exfiltrated browser cookies to a Google Drive account [5] [8]. DNS poisoning was detected at the ISP level [7] [8] [10], and when the ISP took components of the network offline [8], the poisoning stopped [1] [3] [4] [5] [6] [7] [8] [10]. StormBamboo abused legitimate software programs such as 5KPlayer [3] [7] to deliver malware through the ISP hijack [3]. The distributed malware included MACMA and MGBot, which gave the attackers remote access to compromised systems [3]. Volexity suspects that a Linux-based malware called CATCHDNS may have been used in the attack [3].
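The attack described above hinges on update clients trusting whatever the ISP's resolver returns for their update domains. The following detection logic, an added example that is not from any of the cited reports, runs over resolver log lines and flags answers for known update domains that fall outside the address space those domains are expected to resolve to; every domain, prefix and log line is a constructed placeholder.

```python
"""Flag DNS answers for software-update domains that fall outside the
prefixes they are expected to resolve to (the pattern StormBamboo abused).
All domains, prefixes and log lines are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed baseline (assumed values): update domains an organisation depends
# on, mapped to the prefixes their legitimate update servers normally answer from.
EXPECTED_PREFIXES = {
    "updates.player.example": ["203.0.113.0/24"],
    "dl.videolib.example": ["198.51.100.0/25", "2001:db8:10::/48"],
}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 updates.player.example A 203.0.113.20
2023-06-01T10:00:07Z 10.0.0.5 dl.videolib.example A 198.51.100.9
2023-06-01T10:05:13Z 10.0.0.8 updates.player.example A 192.0.2.44
2023-06-01T10:05:14Z 10.0.0.8 dl.videolib.example AAAA 2001:db8:10::7
2023-06-01T10:06:00Z 10.0.0.9 www.unrelated.example A 192.0.2.1
"""

@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    answer: str
    reason: str

def parse_dns_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    fields = ("ts", "client", "qname", "qtype", "answer")
    return [dict(zip(fields, parts)) for parts in
            (line.split() for line in text.strip().splitlines()) if len(parts) == 5]

def check_answers(records, expected=EXPECTED_PREFIXES):
    """Return one Finding per A/AAAA answer for a watched domain that is not
    inside any of that domain's expected prefixes (or is not an IP at all)."""
    findings = []
    for r in records:
        prefixes = expected.get(r["qname"].lower().rstrip("."))
        if prefixes is None or r["qtype"] not in ("A", "AAAA"):
            continue  # not an update domain we baseline, or not an address record
        try:
            addr = ipaddress.ip_address(r["answer"])
        except ValueError:
            findings.append(Finding(r["ts"], r["client"], r["qname"], r["answer"],
                                    "unparseable answer"))
            continue
        # ip_network.__contains__ returns False for a mismatched IP version.
        if not any(addr in ipaddress.ip_network(p) for p in prefixes):
            findings.append(Finding(r["ts"], r["client"], r["qname"], r["answer"],
                                    "answer outside expected prefixes"))
    return findings

if __name__ == "__main__":
    for f in check_answers(parse_dns_log(SAMPLE_LOG)):
        print(f)
```

On the sample log this reports the single answer for updates.player.example that points into 192.0.2.0/24; a resolver answer like that for an update domain is worth correlating with any HTTP update fetches made by the same client immediately afterwards.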
Conclusion
This incident highlights the importance of secure network communications and the risks that come with automated processes. It also underscores the need for organizations to remain vigilant against supply chain attacks and against the compromise of downstream targets through vulnerable infrastructure. Moving forward, organizations should implement robust security measures to protect against similar threats.
References
[1] https://www.tomshardware.com/tech-industry/cyber-security/chinese-hacker-group-stormbamboo-successfully-hijacked-an-isps-automatic-software-updates-with-backdoor-malware-and-bad-chrome-extensions-to-breach-a-downstream-target
[2] https://www.techradar.com/pro/chinese-hackers-hijacked-an-isp-software-update-to-spread-malware
[3] https://uk.pcmag.com/security/153696/chinese-hacking-group-compromised-an-isp-to-spread-malware
[4] https://duo.com/decipher/chinese-threat-group-compromised-isp-to-deliver-malware
[5] https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/
[6] https://www.infosecurity-magazine.com/news/apt-stormbamboo-isp-dns-poisoning/
[7] https://securityaffairs.com/166552/apt/stormbamboo-compromised-isp-malware.html
[8] https://www.helpnetsecurity.com/2024/08/05/compromised-isp-dns-malware/
[9] https://www.scmagazine.com/brief/malware-distributed-through-isp-compromise
[10] https://cyber.vumetric.com/security-news/2024/08/05/chinese-hackers-compromised-an-isp-to-deliver-malicious-software-updates/