Hackers breach ISP to poison software updates with malware

A Chinese hacking group known as StormBamboo has breached an undisclosed internet service provider (ISP) to inject malware into automatic software updates. This group, also referred to as Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting various organizations across Asia and Africa. Volexity researchers reported that the hackers exploited insecure HTTP update mechanisms that failed to validate digital signatures, allowing them to deliver malware to victims' Windows and macOS devices. By intercepting and modifying DNS requests, the attackers redirected update requests to their command-and-control servers, resulting in the installation of malware such as MACMA and POCOSTICK without user interaction. For example, they compromised requests for the 5KPlayer application to push a backdoored installer. After gaining access to the systems, the hackers installed a malicious Google Chrome extension to steal browser cookies and email data. Volexity worked with the ISP to investigate the breach, leading to the cessation of the DNS poisoning after the ISP rebooted key network components. Previous incidents involving StormBamboo included attacks on international NGOs using the Tencent QQ messaging application and targeting organizations in Taiwan and an American NGO in China with new malware variants. The researchers noted that the attacks could be classified as supply chain or adversary-in-the-middle attacks, although the exact methods remain unclear.