Security News > 2024 > August > Chinese hackers compromised an ISP to deliver malicious software updates

APT StormBamboo compromised a undisclosed internet service provider to poison DNS queries and thus deliver malware to target organizations, Volexity researchers have shared.
In April 2023, ESET researchers documented the threat actor targeting an international NGO in China with malicious updates, but weren't able to pinpoint whether these updates were delivered through supply-chain compromise or adversary-in-the-middle attacks.
While responding to incidents in which malware that points to StormBamboo's involvement has been used, Volexity researchers determined that the group was altering DNS query responses for specific domains tied to automatic software update mechanisms.
"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK.".
After discovering the malicious updates, Volexity incident responders first suspected a compromise of the victim organization's firewall, but soon found that the DNS poisoning was being performed further upstream at the ISP level.
While Volexity did not discover how the DNS entries were modified on the compromised device(s) operated by the ISP, they say that CATCHDNS - malware that can intercept DNS and HTTP requests and has been previously used by another Chinese-speaking threat actor - might have been leveraged in these attacks.
News URL
https://www.helpnetsecurity.com/2024/08/05/compromised-isp-dns-malware/
Related news
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Chinese hackers abuse Microsoft APP-v tool to evade antivirus (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)
- Belgium probes if Chinese hackers breached its intelligence service (source)
- Belgium probes if Chinese hackers breached its intelligence service (source)
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits (source)
- Chinese Weaver Ant hackers spied on telco network for 4 years (source)
- Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps (source)