A Chinese hacking group, known as StormBamboo, has compromised an internet service provider (ISP) to distribute malware through automatic software updates. This cyber-espionage group, also called Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations in China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia.
On Friday, cybersecurity researchers from Volexity revealed that StormBamboo exploited insecure software update mechanisms that did not verify digital signatures. This allowed the group to deploy malware on Windows and macOS devices instead of the intended updates.
They did this by intercepting and modifying DNS requests, directing them to malicious IP addresses. This method delivered malware from their command-and-control servers without needing user interaction.
“Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped,” the researchers added.
For example, StormBamboo used 5KPlayer update requests to pus
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: