Windows and macOS machines alike have been hit by malware after notorious Chinese hacker group StormBamboo used a compromised internet service provider (ISP) to target organizations with poisoned DNS responses.
StormBamboo used altered DNS query responses tied to automatic update mechanisms to target organizations that used insecure update mechanisms that did not properly validate the digital signatures.
The organizations’ applications would then search for updates, but instead of retrieving the update from the official site, they would instead download malware.
MACMA and POCOSTICK attacks
The StormBamboo campaign was first detected by Volexity in mid-2023, however it took some time for the attack vector to be identified, but mirrors a similar infection vector as a previous campaign attributed to DriftingBamboo.
In one incident, Volexity suspected the DNS poisoning was occuring at the target infrastructure level, but subsequent investigation revealed that the poisoning was occuring at the ISP level. Once the ISP was notified, they methodically rebooted systems and took components of the network offline, which caused the DNS poisoning to stop.
In order to push their malware onto target systems, StormBamboo would use the poisoned DNS to redirect HTTP requests to a command-and-control (C2) server that would supply a forged text file and malware installer instead of the legitimate software update. The forged text file replaces the legitimate text-based file that would typically contain the latest application version and an installer link requested via HTTP. The malware pushed by StormBamboo included MACMA and POCOSTICK.
StormBamboo used varying methods of this attack vector to target software vendors using insecure update workflows. HTTPS uses encryption and digital signatures to verify the authenticity of requests, making it far more secure than HTTP. Volexity provided guidance on defending against this particular attack vector, including a link to a set of rules used for detecting malicious activity, and and IOC block list.
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/YfobyrBHvC9MtWx2WRvMy5-1200-80.jpg
Source link
benedict.collins@futurenet.com (Benedict Collins)
