Security News > 2024 > August > Chinese hackers compromised an ISP to deliver malicious software updates
APT StormBamboo compromised a undisclosed internet service provider to poison DNS queries and thus deliver malware to target organizations, Volexity researchers have shared.
In April 2023, ESET researchers documented the threat actor targeting an international NGO in China with malicious updates, but weren't able to pinpoint whether these updates were delivered through supply-chain compromise or adversary-in-the-middle attacks.
While responding to incidents in which malware that points to StormBamboo's involvement has been used, Volexity researchers determined that the group was altering DNS query responses for specific domains tied to automatic software update mechanisms.
"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK.".
After discovering the malicious updates, Volexity incident responders first suspected a compromise of the victim organization's firewall, but soon found that the DNS poisoning was being performed further upstream at the ISP level.
While Volexity did not discover how the DNS entries were modified on the compromised device(s) operated by the ISP, they say that CATCHDNS - malware that can intercept DNS and HTTP requests and has been previously used by another Chinese-speaking threat actor - might have been leveraged in these attacks.
News URL
https://www.helpnetsecurity.com/2024/08/05/compromised-isp-dns-malware/
Related news
- US says Chinese hackers breached multiple telecom providers (source)
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Sophos reveals 5-year battle with Chinese hackers attacking network devices (source)
- Sophos Versus the Chinese Hackers (source)
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries (source)