Hackers Hijacked ISP Service Provider To Poison Software Updates

⁤Hackers often attack ISP service providers for several illicit purposes. The most significant ones are disrupting internet services, stealing sensitive data, and many more. 

⁤Besides this, such compromise also provides hackers with control over a vast number of connected devices, which significantly impacts the malicious activities of the threat actors positively. ⁤

Volexity discovered StormBamboo’s (aka Evasive Panda, StormCloud) advanced ISP-level DNS poisoning attack method in mid-2023. Now, they have identified hackers who hijacked the ISP service provider to poison software updates.

Hackers Hijacked ISP

The actor capitalized on security flaws in software update mechanisms, particularly those using unsecured HTTP connections without appropriate digital signature verification.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

StormBamboo hijacked DNS responses for some domains used for automatic updates so that users were directed to malicious downloads rather than legitimate software updates.

As a result of this strategy, Windows and macOS systems at several companies got infected by different types of malware such as MACMA and POCOSTICK (also known as MGBot).

This attack came with a hidden entry point, which highlighted the importance of robustness in DNS infrastructure safeguarding and secure update procedures.

In this sophisticated attack, StormBamboo utilized ISP-level DNS poisoning. Legitimate update requests were redirected to a malicious server in Hong Kong (103.96.130[.]107) after the threat actor compromised DNS responses.

HTTP-based update mechanisms of different software apps, especially the YoutubeDL component in 5KPlayer, could be exploited with this method.

StormBamboo inserted malicious codes into fake-looking updates that on execution infected systems with advanced malware like MACMA for macOS and POCOSTICK for Windows operating system.

This technique did not need any user intervention; consequently, it was extremely dangerous.

This attack’s complexity surpassed the previous instances such as CATCHDNS incidents revealing notable developments in both malware capabilities and attack methods.

This event demonstrates how crucial it is to ensure secure software upgrade processes, have sturdy DNS infrastructure protection, and remain vigilant against increasingly complex cyber threats.

Among the devices that were infected macOS and had been compromised, researchers saw StormBamboo using a complex dangerous extension for Chrome named as “RELOADEXT.”

Through a custom binary installer (hash: ee28b3137d65d74c0234eea35fa536af) which altered the Secure Preferences file of the browser which helped in bypassing tamper protection features of Chrome.

The extension was hidden within a folder in this path $HOME/Library/Application Support/Google/Chrome/Default/Default/CustomPlug1n/Reload/, making it look like an Internet Explorer compatibility tool.

Its main purpose which was rearranged using Obfuscator[.]io was to exfiltrate browser cookies to a Google Drive account that is under the attacker’s control.

RELOADEXT utilized multiple layers of encryption, with AES being employed internally for its logic and “chrome extension” as the key, while for data being infiltrated, “opizmxn!@309asdf” is used.

This technique, together with StormBamboo’s proven ability to exploit ISPs and various platforms, displays how skillful these actors are in breaching their target networks.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide