A sophisticated hacking group by the name of StormBamboo has successfully compromised an internet service provider (ISP) to launch a DNS poisoning attack, targeting organizations through insecure software update mechanisms. This attack, detected by security researchers in mid-2023, exploits vulnerabilities in automatic update processes to install malware on both macOS and Windows systems.
StormBamboo DNS Poisoning Attack Vector
StormBamboo’s method involves altering DNS query responses for specific domains tied to automatic software updates. By targeting applications that use insecure update mechanisms, such as HTTP, and don’t properly validate digital signatures, the group redirects update requests to their own servers. This results in the installation of malware instead of legitimate updates.
Cybersecurity firm Volexity confirmed that the DNS poisoning occurred at the ISP level, not within the target organization’s infrastructure.
The poisoned DNS records resolved to an attacker-controlled server in Hong Kong. When the ISP finally investigated and took various network components offline, the DNS poisoning immediately stopped.
This attack bears similarities to a previous incident attributed to DriftingBamboo, another threat actor possibly related to StormBamboo. Both groups have used DNS poisoning to facilitate initial access to target networks.
Malware Deployment and Post-Exploitation Activity
StormBamboo deployed several malware families, including new variants of MACMA for macOS and POCOSTICK (also known as MGBot) for Windows. The latest version of MACMA shows significant code similarities to the GIMMICK malware family, suggesting a convergence in their development.
In one case, following the compromise of a macOS device, StormBamboo deployed a malicious Google Chrome extension called RELOADEXT. This extension, disguised as a tool for loading pages in Internet Explorer compatibility mode, actually exfiltrates browser cookies to an attacker-controlled Google Drive account.
The extension's obfuscated JavaScript handled the exfiltration: the stolen data was encrypted with AES using the key opizmxn!@309asdf, base64-encoded, and then uploaded to the attacker's Google Drive account.
This incident highlights the vulnerability of software that relies on insecure update mechanisms. It also demonstrates the sophisticated tactics employed by threat actors like StormBamboo, who can compromise third-party infrastructure to reach their intended targets.
To protect against attacks similar to StormBamboo, organizations should:
- Implement and enforce the use of HTTPS for all software update processes.
- Regularly audit and update network infrastructure, especially DNS-related components.
- Use robust digital signature verification for all software updates.
- Monitor for unusual DNS activity and unexplained changes in DNS responses.
- Employ network security monitoring tools capable of detecting DNS poisoning attempts.
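The last two recommendations can be approached with a baseline check over DNS answers: because the poisoning described above happened at the ISP, every client behind it received the same unexpected address for the update domain. The following is an added example, not code from the original report or from Volexity; the domains, address ranges and log lines are constructed, and the log format (timestamp, client, query name, record type, answer) is an assumption.

```python
"""Flag DNS answers for software-update hosts that fall outside a known-good baseline."""
import ipaddress

# Constructed baseline: ranges each update host is expected to resolve to.
# A real deployment would build this from vendor-published ranges or
# from historical resolution data, not from hard-coded constants.
BASELINE = {
    "updates.example-vendor.test": ["198.51.100.0/24"],
    "cdn.example-updates.test": ["192.0.2.0/24", "2001:db8:1::/48"],
}

def parse_dns_log(line):
    """Parse '<ts> <client> <qname> <A|AAAA> <answer>'; return a dict or None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
        return None
    ts, client, qname, _rtype, answer = parts
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "answer": addr}

def find_poisoned_answers(lines, baseline=BASELINE):
    """Return records where a monitored qname resolved outside its baseline ranges."""
    nets = {q: [ipaddress.ip_network(r) for r in ranges] for q, ranges in baseline.items()}
    alerts = []
    for line in lines:
        rec = parse_dns_log(line)
        if rec is None or rec["qname"] not in nets:
            continue  # unparsable line or a domain we do not monitor
        if not any(rec["answer"] in net for net in nets[rec["qname"]]):
            alerts.append(rec)
    return alerts

def affected_clients(alerts):
    """Group alerting clients by (qname, answer): many clients sharing one
    unexpected answer points at an upstream (resolver/ISP) problem."""
    groups = {}
    for rec in alerts:
        groups.setdefault((rec["qname"], str(rec["answer"])), set()).add(rec["client"])
    return groups

# Constructed sample log; 203.0.113.77 stands in for an unexpected server.
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z 10.0.0.5 updates.example-vendor.test A 198.51.100.10",
    "2023-06-01T10:00:07Z 10.0.0.9 cdn.example-updates.test A 192.0.2.44",
    "2023-06-01T10:01:13Z 10.0.0.5 updates.example-vendor.test A 203.0.113.77",
    "2023-06-01T10:01:20Z 10.0.0.12 updates.example-vendor.test A 203.0.113.77",
    "2023-06-01T10:01:25Z 10.0.0.9 cdn.example-updates.test AAAA 2001:db8:1::5",
    "2023-06-01T10:02:00Z 10.0.0.3 www.unrelated.test A 203.0.113.77",
]
```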
The variety of malware this threat actor has used across campaigns indicates that significant effort goes into actively maintained payloads, not only for macOS and Windows but also for network appliances.