Cybersecurity experts recently exposed a severe digital attack by the Chinese APT group StormBamboo. The threat actor compromised an Internet service provider (ISP) and interfered with software update mechanisms, distributing malicious updates carrying new variants of the Macma backdoor. This unprecedented attack has raised numerous operational and security challenges for the affected businesses and their users.
The group manipulated DNS query responses for domains used by automated software update mechanisms and exploited the weakness of applications with insecure update procedures. As a result, many systems inadvertently installed malicious software from the manipulated updates. This broadened the security concerns of the tech industry and created a greater need for hardened update and security protocols.
StormBamboo primarily targeted software with insecure update procedures, typically applications that did not properly verify the digital signatures of the updates they fetched. Instead of legitimate updates, such systems received malware such as Macma and Pocostick (also known as MGBot), installed in place of routine updates. The success of this manipulation underlines the importance of a secure update environment for defeating such activity.
The researchers investigating the case found that the StormBamboo group developed the Macma and Pocostick malware simultaneously.
StormBamboo’s cyber attack on software updates
In addition, the attackers carried out post-exploitation activity such as deploying a malicious browser extension, Reloadext, intended to steal users’ email and financial data. StormBamboo also attempted to gain control of victims’ email accounts through the same extension.
The group’s primary attack technique was DNS poisoning: manipulating DNS records to redirect network communications to servers under their control. A server located in Hong Kong served as StormBamboo’s base for delivering these harmful updates and compromising systems worldwide.
Software vendors, especially those with insecure update processes, bore the brunt of this attack. StormBamboo compromised businesses by exploiting inherent weaknesses in unsecured software update mechanisms. The sophistication of the technique made timely detection difficult and created an immediate need for vendors to strengthen their defensive capabilities.
Following this revelation, Volexity partnered with the targeted ISP to investigate and halt the malicious activity. Given the risk StormBamboo presents, Volexity recommends that ISPs maintain constant vigilance to prevent similar threats in future and to ensure their infrastructure remains secure against potential attacks.
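The weakness described above is an update client that installs whatever the resolved update host returns. The following added example (not code from the article, from Volexity, or from any affected vendor) models that client beside a hardened one: with a vendor public key pinned in the client and an Ed25519 signature over each update, a download redirected by poisoned DNS fails verification and is rejected regardless of where the bytes came from. The manifest format, key pair and payloads are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical update format (payload plus a vendor signature
// over its SHA-256 digest); it is not the format of any real updater.
type UpdateManifest struct {
	Payload   []byte
	Signature []byte
}

// Sign is the vendor-side step performed when a release is published.
func Sign(priv ed25519.PrivateKey, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{Payload: payload, Signature: ed25519.Sign(priv, d[:])}
}

// InsecureInstall installs whatever the resolved update host returned; with
// poisoned DNS that host is attacker-controlled, the weakness the article describes.
func InsecureInstall(m UpdateManifest) ([]byte, error) { return m.Payload, nil }

// VerifiedInstall pins the vendor public key in the client and refuses a payload
// whose signature fails, so a redirected download cannot be installed.
func VerifiedInstall(pinned ed25519.PublicKey, m UpdateManifest) ([]byte, error) {
	d := sha256.Sum256(m.Payload)
	if !ed25519.Verify(pinned, d[:], m.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned key")
	}
	return m.Payload, nil
}

// Scenario runs both clients against a genuine manifest and a constructed tampered
// one (payload swapped, signature reused) and reports what each accepted.
func Scenario() (genuineOK, tamperedRejected, insecureTookTampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Sign(priv, []byte("vendor-update-2.0")) // constructed sample payload
	tampered := UpdateManifest{Payload: []byte("attacker-payload"), Signature: genuine.Signature}
	_, err := VerifiedInstall(pub, genuine)
	genuineOK = err == nil
	_, err = VerifiedInstall(pub, tampered)
	tamperedRejected = err != nil
	got, _ := InsecureInstall(tampered)
	insecureTookTampered = string(got) == "attacker-payload"
	return
}
func main() { fmt.Println(Scenario()) }
```

The pinned key must ship inside the client binary or its trust store, not be fetched from the same update domain, otherwise the same DNS manipulation would also supply the key.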