The cyber espionage group dubbed Evasive Panda (also known as StormBamboo and previously tracked as StromCloud) compromised an unnamed Internet Service Provider (ISP) in mid-2023 to push malicious software updates to target entities.
This incident marks a significant escalation in the sophistication of the group’s tactics.
StormBamboo, active since at least 2012, is known for using backdoors like MgBot (also known as POCOSTICK) and Nightdoor (NetMM and Suzafk) to collect sensitive information. The group has recently been linked to the macOS malware strain MACMA, observed in the wild since 2021.
“StormBamboo is a highly skilled and aggressive threat actor who compromises third parties (in this case, an ISP) to breach intended targets,” Volexity stated in a report last week. The report highlights the group’s extensive use of malware across macOS, Windows, and network appliances.
Using Watering Hole, Supply Chain Attacks
Recent reports from cybersecurity firms ESET and Symantec documented Evasive Panda’s use of MgBot and its history of conducting watering hole and supply chain attacks, particularly targeting Tibetan users. One notable incident involved targeting an international non-governmental organization (NGO) in Mainland China, using MgBot delivered via update channels of legitimate applications like Tencent QQ.
The malware’s infection vector was initially unclear but was later identified as a DNS poisoning attack at the ISP level. The attack leveraged insecure HTTP update mechanisms to deliver malware. Volexity’s researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster explained that StormBamboo poisoned DNS requests to redirect software update queries to attacker-controlled servers, resulting in the installation of malware such as MgBot or MACMA.
In one incident, Volexity discovered that DNS requests were poisoned to resolve to an attacker-controlled server in Hong Kong. The attack was sophisticated, with the DNS poisoning occurring upstream at the ISP level rather than within the target infrastructure. When the ISP rebooted and took network components offline, the DNS poisoning ceased, indicating the compromise was within the ISP’s infrastructure.
Volexity notified the affected ISP, which subsequently took steps to remediate the DNS poisoning attack. One instance of this attack also involved deploying a malicious Google Chrome extension on a victim’s macOS device. This extension, disguised as a compatibility mode tool for Internet Explorer, aimed to exfiltrate browser cookies to a Google Drive account controlled by the attackers.
The researchers said, “The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS.”
To safeguard against attacks like this one, entities should:
- Mandate and enforce the use of HTTPS for all software update processes.
- Carry out regular audits and updates of network infrastructure, particularly DNS-related elements.
- Implement robust digital signature verification for all software updates.
- Monitor for unusual DNS activity and unexplained changes in DNS responses.
- Use network security monitoring tools capable of detecting DNS poisoning attempts.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.