Chinese hackers compromised an ISP to deliver malicious software updates

The APT group StormBamboo compromised an undisclosed internet service provider to poison DNS queries and thus deliver malware to target organizations, Volexity researchers have shared.
In April 2023, ESET researchers documented the threat actor targeting an international NGO in China with malicious updates, but weren't able to pinpoint whether these updates were delivered through supply-chain compromise or adversary-in-the-middle attacks.
While responding to incidents in which malware that points to StormBamboo's involvement has been used, Volexity researchers determined that the group was altering DNS query responses for specific domains tied to automatic software update mechanisms.
"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK," the researchers explained.
After discovering the malicious updates, Volexity incident responders first suspected a compromise of the victim organization's firewall, but soon found that the DNS poisoning was being performed further upstream at the ISP level.
While Volexity did not discover how the DNS entries were modified on the compromised device(s) operated by the ISP, they say that CATCHDNS - malware that can intercept DNS and HTTP requests and has been previously used by another Chinese-speaking threat actor - might have been leveraged in these attacks.
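The weakness Volexity describes is an updater that trusts whatever bytes a DNS lookup leads it to. The following is an added example (not code from Volexity or from any of the affected products) of the check such an updater lacked: the client pins the publisher's Ed25519 public key at build time and refuses to install any payload whose detached signature does not verify, so a payload swapped by upstream DNS poisoning is rejected regardless of whether it arrived over HTTP or HTTPS. Key material and the "installer" bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate models what an update endpoint serves: the installer bytes plus
// a detached signature over SHA-256(payload) made with the publisher's key.
type SignedUpdate struct {
	Version   string
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned publisher key")

// SignUpdate is the publisher side; it runs on the release/signing host only.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) SignedUpdate {
	digest := sha256.Sum256(payload)
	return SignedUpdate{Version: version, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side gate that must run before anything is
// executed or written to disk. pinnedPub is compiled into the client, so a
// poisoned DNS answer that redirects the download cannot change it.
func VerifyUpdate(pinnedPub ed25519.PublicKey, u SignedUpdate) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinnedPub, digest[:], u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher keypair
	genuine := SignUpdate(priv, "2.1.0", []byte("constructed genuine installer"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine)) // <nil>

	// Same version string and signature, but the payload was swapped in transit.
	poisoned := genuine
	poisoned.Payload = []byte("constructed attacker-supplied installer")
	fmt.Println("poisoned update:", VerifyUpdate(pub, poisoned)) // ErrBadSignature
}
```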
News URL
https://www.helpnetsecurity.com/2024/08/05/compromised-isp-dns-malware/
Related news
- Chinese FamousSparrow hackers deploy upgraded malware in attacks
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool
- Chinese hackers target Russian govt with upgraded RAT malware
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
- Hackers abuse IPv6 networking feature to hijack software updates
- Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
- Chinese hackers behind attacks targeting SAP NetWeaver servers
- Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization
- Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks
- Chinese hackers breach US local governments using Cityworks zero-day