In a disturbing incident, a Chinese hacking group infiltrated an internet service provider to help them spread malware to target computers. The findings come from the cybersecurity firm Volexity. While investigating a hack at an unnamed organization, the company’s researchers discovered a malware infection.

“Initially, Volexity suspected the initial victim organization’s firewall may have been compromised,” the cybersecurity firm said in a Friday report. But eventually, the investigation traced the malware “further upstream at the ISP level” to a DNS poisoning attack, in which the hacker manipulates the Domain Name System to redirect user internet traffic to a malicious website. “Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped,” Volexity said.

The cybersecurity firm is blaming the incident on a Chinese hacking group called StormBamboo, also known as Evasive Panda. To deliver the malware through the ISP hijacking, the group exploited how legitimate software programs routinely fetch automatic updates from the web. These programs do so by performing an HTTP request to the vendor’s internet domain.

According to Volexity, StormBamboo abused this mechanism to manipulate the ISP into redirecting those HTTP requests so that they fetched malware from a hacker-controlled server. One of the programs targeted was a free media player known as 5KPlayer.
“Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware,” the cybersecurity firm added. “Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware.”
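The weakness StormBamboo exploited is an update client that trusts whatever bytes come back from the vendor's hostname. Once DNS resolution is poisoned upstream, a plain-HTTP fetch with no integrity check installs whatever the attacker serves. The example below is added here and is not code from Volexity or from any of the affected vendors; it contrasts that weak pattern with a client that only installs an artifact whose manifest verifies against a pinned vendor signing key and whose digest matches that signed manifest. The manifest format, the `Response` shape, the hostname and the "artifact" bytes are constructed stand-ins, and the network is simulated by a fetch function so the demo runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor: the artifact's SHA-256 plus an
// Ed25519 signature over "<version>\n<sha256>" made with the vendor's key.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the artifact bytes
	Sig     []byte
}

// Response is what an update endpoint hands back (constructed shape).
type Response struct {
	Manifest Manifest
	Artifact []byte
}

// Fetcher stands in for the network; a poisoned resolver is modelled by a
// Fetcher that answers the vendor's URL with attacker-chosen content.
type Fetcher func(url string) Response

var (
	ErrPlainHTTP = errors.New("update URL is not https")
	ErrBadSig    = errors.New("manifest signature does not verify against pinned vendor key")
	ErrDigest    = errors.New("artifact digest does not match signed manifest")
)

func manifestMessage(m Manifest) []byte { return []byte(m.Version + "\n" + m.SHA256) }

// SignManifest is the vendor-side build step (constructed helper).
func SignManifest(priv ed25519.PrivateKey, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, manifestMessage(m))
	return m
}

// InsecureInstall is the weak workflow: fetch over HTTP, run whatever comes back.
func InsecureInstall(url string, fetch Fetcher) []byte { return fetch(url).Artifact }

// VerifiedInstall only returns an artifact when (1) the URL is HTTPS, so a
// correctly validating TLS client would already refuse an attacker host,
// (2) the manifest signature checks against the key pinned in the binary,
// and (3) the downloaded bytes hash to the digest in that signed manifest.
func VerifiedInstall(url string, fetch Fetcher, pinnedPub ed25519.PublicKey) ([]byte, error) {
	if !strings.HasPrefix(url, "https://") {
		return nil, ErrPlainHTTP
	}
	r := fetch(url)
	if !ed25519.Verify(pinnedPub, manifestMessage(r.Manifest), r.Manifest.Sig) {
		return nil, ErrBadSig
	}
	sum := sha256.Sum256(r.Artifact)
	if hex.EncodeToString(sum[:]) != r.Manifest.SHA256 {
		return nil, ErrDigest
	}
	return r.Artifact, nil
}

// DemoResult records what each client did on each path.
type DemoResult struct {
	InsecureInstalled string // bytes the weak client would have executed
	VerifiedErr       error  // verified client, attacker manifest + attacker artifact
	ReplayErr         error  // verified client, genuine manifest replayed with swapped artifact
	GenuineErr        error  // verified client, honest path (expected nil)
}

// Demo builds a vendor key pair, a genuine signed release, and a poisoned path.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	genuine := []byte("GENUINE-UPDATE-v2.1") // constructed stand-in for an installer
	m := SignManifest(priv, "2.1", genuine)
	honest := func(string) Response { return Response{m, genuine} }

	// The attacker can serve any bytes and any manifest, signed with their own
	// key, but cannot produce a signature the pinned vendor key accepts.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("ATTACKER-PAYLOAD") // constructed
	poisoned := func(string) Response { return Response{SignManifest(attackerPriv, "2.1", evil), evil} }
	replay := func(string) Response { return Response{m, evil} }

	const url = "https://updates.example-vendor.invalid/latest" // hypothetical
	var res DemoResult
	res.InsecureInstalled = string(InsecureInstall("http://updates.example-vendor.invalid/latest", poisoned))
	_, res.VerifiedErr = VerifiedInstall(url, poisoned, pub)
	_, res.ReplayErr = VerifiedInstall(url, replay, pub)
	_, res.GenuineErr = VerifiedInstall(url, honest, pub)
	return res, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure client ran: %q\n", r.InsecureInstalled)
	fmt.Println("verified client, poisoned path:", r.VerifiedErr)
	fmt.Println("verified client, replayed manifest:", r.ReplayErr)
	fmt.Println("verified client, honest path:", r.GenuineErr)
}
```

The point of pinning the vendor key in the client rather than fetching it alongside the update is that a redirected resolver gains nothing: the attacker controls every byte on the wire but cannot sign for the pinned key, and a genuine manifest replayed with a swapped artifact fails the digest check.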
Volexity didn’t name the ISP or say how many user computers may have been targeted. But in the company’s report, the cybersecurity firm said it detected and responded to “multiple incidents involving systems becoming infected with malware linked to StormBamboo” during mid-2023. This includes the hackers distributing malware for both Windows and macOS systems across victim organizations. The distributed malware included MACMA and MGBot, which have been known to be quite powerful, enabling a hacker to remotely take screenshots, capture keystrokes, and steal files and passwords. It’s unclear how the Chinese hackers infiltrated and secretly modified the ISP’s internet traffic. But Volexity suspects a Linux-based malware called CATCHDNS from StormBamboo may have been used to do so.