In brief: Last year, Volexity detected and responded to an incident involving systems infected with malware linked to the Chinese hacking group StormBamboo. Initially, suspicions pointed to a compromised firewall, but further investigation revealed that the DNS poisoning occurred at the ISP level. This attack, like many modern cyber threats, was highly sophisticated and underscores the importance of securing software update processes.
In a new revelation, security researchers at Volexity report a sophisticated cyber attack orchestrated by the Chinese hacking group StormBamboo. The attack, detected in mid-2023, involved the compromise of an internet service provider to launch widespread DNS poisoning attacks against multiple organizations. By exploiting vulnerabilities in automatic software update processes, StormBamboo successfully installed malware on both macOS and Windows systems, demonstrating a concerning level of versatility and reach.
StormBamboo was able to alter DNS query responses for specific domains tied to automatic software updates by targeting applications that use insecure update mechanisms, such as HTTP, and fail to properly validate digital signatures. By exploiting these vulnerabilities, StormBamboo was able to redirect update requests to their own servers, where they installed malware instead of legitimate updates.
When the ISP investigated the issue, it took various network components offline and the DNS poisoning immediately stopped, revealing the attack’s dependence on the compromised infrastructure.
Perhaps most striking was the attack’s capability to intercept and modify DNS queries, even when users relied on public DNS services like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. This ability to bypass widely trusted DNS services underscores the remarkable sophistication of StormBamboo’s operation.
“That is the fun/scary part – this was not the hack of the ISP’s DNS servers,” Volexity CEO Steven Adair told Ars Technica. “This was a compromise of network infrastructure for Internet traffic.”
StormBamboo deployed several malware families, including new variants of MACMA for macOS and POCOSTICK (also known as MGBot) for Windows. The latest version of MACMA shows significant code similarities to the GIMMICK malware family, suggesting the two might have converged.
In one case, following the compromise of a macOS device, StormBamboo deployed a malicious Google Chrome extension called RELOADEXT. This extension, disguised as a tool for loading pages in Internet Explorer compatibility mode, actually exfiltrated browser cookies to an attacker-controlled Google Drive account.
To protect against similar attacks, organizations should implement HTTPS for all software update processes, regularly audit and update network infrastructure, use robust digital signature verification for updates, monitor for unusual DNS activity, and employ network security monitoring tools capable of detecting DNS poisoning attempts.
While Volexity did not indicate whether this specific form of attack was occurring today, DNS attacks in general continue to be a major concern for organizations around the world. In Q1 of 2024 alone, there were 1.5 million DNS DDoS attacks reported. Multiple forms of DNS attacks are currently active, including DNS spoofing, cache poisoning, DDoS attacks on DNS servers, DNS hijacking, and DNS-based malware distribution. Meanwhile, new types of DNS attacks are also emerging.
One example is DNS amplification attacks, a type of DDoS attack that exploits vulnerabilities in DNS servers to overwhelm a target system with a flood of traffic. These attacks saw a 117% year-over-year increase in Q4 2023.
