Security researchers have uncovered a sophisticated supply chain attack campaign stemming from the compromise of an unnamed ISP.
Volexity said the China-aligned StormBamboo (aka Evasive Panda, Daggerfly, StormCloud) group used its foothold in the ISP to launch DNS poisoning attacks against selected customers.
“Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” it explained.
“Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot).”
MACMA is macOS backdoor malware while MGBot works on Windows systems.
Read more on DNS-based attacks: 72% of Organizations Experienced a DNS Attack in the Past Year
The group targeted multiple vendors who use insecure update workflows in this way, including media player software 5KPlayer. It would redirect the legitimate HTTP update request from the application to a command-and-control server under its control hosting a forged text file and malicious installer, Volexity explained.
On one occasion, the researchers observed StormBamboo deploying a malicious Chrome extension on a compromised victim’s machine. It was designed to exfiltrate browser cookies to a Google Drive account under the group’s control.
Fortunately, Volexity notified the ISP in question, which investigated devices providing traffic-routing services on its network.
“As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped,” said Volexity. “During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased.”