Software updates are supposed to make your PC safer and more efficient, but a recent breach of an ISP has shown how the update process itself can be turned against you.

The compromise has been attributed to StormBamboo, a China-linked threat group that has been active since 2012. The attack became possible once StormBamboo had breached the defenses of an undisclosed ISP, which gave them control over part of the ISP's traffic and let them redirect it for their own malicious ends.

If your business is on the internet at all, even just for basic email and browsing, it depends on an ISP. This StormBamboo attack is a cautionary tale about why you need to stay on your guard even when the traffic in question is something as routine as a software update.

StormBamboo’s Innovative Attack

Having gained unauthorized access to the ISP's infrastructure, StormBamboo was able to intercept and tamper with DNS requests made by that ISP's customers. A DNS request is a query that translates a host name (e.g. en.wikipedia.org) into an IP address. The ISP's resolver normally returns the correct address, and the user's device connects to it to load the requested website.

However, StormBamboo was able to manipulate these DNS responses and, instead of the legitimate IP address, return an attacker-controlled one. No action was required from the end user: the host name looked unchanged, but the device connected to the attacker's server automatically. In particular, StormBamboo focused on poisoning DNS responses for the update servers of specific software. The targeted update mechanisms were insecure because they fetched installers over plain HTTP and did not validate digital signatures on what they downloaded, so a substituted installer was accepted and run just like a genuine one.

As a result, StormBamboo was able to trick victims into installing malware such as Macma (on macOS) and Pocostick (on Windows). For example, when 5KPlayer, a media player, tried to fetch a YouTube-related dependency, the poisoned DNS answer sent the request to an attacker-controlled IP address instead, and a backdoor was installed on the affected system. StormBamboo was then observed installing ReloadText, a malicious Chrome extension used to steal mail data and browser cookies.
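To make the failure mode concrete, here is an added example (not code from the Volexity report or from any of the affected vendors) that simulates the attack end to end: a resolver whose answers have been rewritten, an updater that installs whatever the resolved server returns, and a hardened updater that refuses anything which does not match a digest pinned inside the installed application. The host name, IP addresses and installer payloads are constructed for the demonstration. Real-world updaters normally verify a vendor signature over a version manifest rather than a single pinned hash; the hash stands in for that signature check here so the example runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed example data (assumptions, not from the report): a vendor update
# host, the vendor's real server, and the server a poisoned answer points to.
UPDATE_HOST = "updates.vendor.example"
LEGIT_IP = "203.0.113.10"       # hypothetical vendor update server
ATTACKER_IP = "198.51.100.77"   # hypothetical attacker server

LEGIT_INSTALLER = b"vendor-installer-v2.3.1\n"                   # constructed
BACKDOORED_INSTALLER = b"vendor-installer-v2.3.1 + backdoor\n"   # constructed

# Simulated plain-HTTP servers: whichever IP the updater resolves to,
# it receives these bytes and nothing authenticates them.
HTTP_SERVERS = {LEGIT_IP: LEGIT_INSTALLER, ATTACKER_IP: BACKDOORED_INSTALLER}


def honest_resolver(hostname: str) -> str:
    """What the ISP resolver returns when nobody is tampering with it."""
    return {UPDATE_HOST: LEGIT_IP}[hostname]


def poisoned_resolver(hostname: str) -> str:
    """The same query after an attacker on the ISP's path rewrites the answer."""
    return {UPDATE_HOST: ATTACKER_IP}[hostname]


def http_get(ip: str) -> bytes:
    """Stand-in for an unauthenticated HTTP download from the resolved address."""
    return HTTP_SERVERS[ip]


def insecure_update(resolve) -> bytes:
    """Vulnerable pattern: resolve the host, download over HTTP, run what came back.
    The user does nothing wrong; the updater simply trusts the network."""
    return http_get(resolve(UPDATE_HOST))


# The vendor ships this digest inside the already-installed application, so an
# attacker who only controls DNS cannot change what the updater expects.
PINNED_SHA256 = hashlib.sha256(LEGIT_INSTALLER).hexdigest()


def hardened_update(resolve, expected_sha256: str = PINNED_SHA256) -> bytes:
    """Hardened pattern: the download is accepted only if it matches the pinned
    digest. Where the download came from no longer matters."""
    blob = http_get(resolve(UPDATE_HOST))
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"update for {UPDATE_HOST} rejected: digest mismatch")
    return blob


def dns_answer_mismatch(hostname: str, isp_resolve, trusted_resolve) -> bool:
    """Detection check a network team can run: compare the ISP resolver's answer
    for an update host against an independent resolver's answer."""
    return isp_resolve(hostname) != trusted_resolve(hostname)


if __name__ == "__main__":
    print("insecure updater installed:", insecure_update(poisoned_resolver))
    try:
        hardened_update(poisoned_resolver)
    except ValueError as err:
        print("hardened updater:", err)
    print("ISP answer differs from trusted resolver:",
          dns_answer_mismatch(UPDATE_HOST, poisoned_resolver, honest_resolver))
```

Two caveats apply. The digest comparison only works because the expected value lives in the already-installed software, not in anything fetched over the same poisoned path; a hash published on the download page itself would be redirected along with the installer. And the resolver comparison only detects poisoning if the trusted resolver is reached over a channel the ISP cannot rewrite, for example an encrypted DNS transport, rather than through the same compromised path.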

Staying Safe from StormBamboo

The attacks carried out by StormBamboo appear to have been active during 2023 and were identified by Volexity, a cybersecurity firm. Volexity's first step was to contact the ISP and help it identify the traffic-routing devices that had been compromised. The ISP rebooted and took the affected devices offline, which immediately stopped the DNS poisoning, and the ISP's customers were no longer at risk of being served malware. Further advice on dealing with this specific threat can be found on Volexity's blog.

Nonetheless, businesses are reminded to stay alert to malicious activity on their networks. Implementing robust security measures, conducting regular vulnerability assessments, and monitoring network traffic for unusual patterns are all crucial. Additionally, employing advanced threat detection tools and training employees on cybersecurity best practices will further strengthen your defenses. Finally, keep software and systems updated with official patches, firmware, and updates, and, given what this attack exploited, favor software whose updater validates digital signatures rather than trusting whatever the download server returns.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Linus Sebastian, owner of the popular YouTube channel Linus Tech Tips, has revealed how he woke at 3am to find his channel hacked.
 
Linus Tech Tips is a YouTube channel delivering technology content to over 15 million subscribers. Driven by Sebastian's passion for technology, the channel has been running for 15 years and has proven wildly successful. Not surprisingly, that made it a tempting target for hackers. Alongside Linus Tech Tips, two other channels associated with Sebastian, TechLinked and Techquickie, were also compromised in this attack.
 
While your organization may not run a YouTube channel, the method by which Linus Tech Tips was hacked applies to almost any IT system that keeps users logged in. That is why it is worth understanding session hijacking.

What Happened to Linus Tech Tips

Alarm bells started ringing for Sebastian when he was woken at 3am by reports that his channels had been hacked. New videos had been uploaded and were being streamed as live events. Far from being productions sanctioned by Sebastian, they were rogue crypto-scam videos that appeared to be endorsed by Elon Musk.

Desperately, Sebastian repeatedly changed his passwords, but it made no difference; the videos kept streaming. He was equally puzzled as to why 2FA had not been triggered. Eventually, he discovered that the attack was the result of session hijacking.

A member of Sebastian's team had downloaded what appeared to be a PDF relating to a sponsorship deal, but the file was laced with malware. Not only did the malware start stealing data, it also retrieved session tokens from the browser. You may not be familiar with session tokens but, effectively, they are the credentials (usually stored in browser cookies) that keep you logged in to a website, so that when you return you don't have to re-enter your username, password and 2FA code each time. That is exactly why changing passwords and having 2FA enabled did not help: the token is presented instead of the password, and it represents a login where 2FA was already satisfied. For Sebastian, a stolen token gave the threat actors full and unauthorized access to his YouTube channels.
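The defensive side of this is a server-side session store that makes a stolen token worth less. The following is an added example, not code from YouTube or from Linus Tech Tips, and its design (binding a token to a hashed client fingerprint, an absolute session lifetime, and revoking every session when the password changes) is an assumption about good practice rather than a description of how YouTube's sessions actually work. The user names, user agents and IP addresses are constructed for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed example: a minimal server-side session store (assumption, not any
# real service's design). Tokens are opaque random strings; all state lives here.


@dataclass
class Session:
    user: str
    client_fp: str        # hash of client attributes the token is bound to
    created: float
    last_seen: float
    max_age: float = 8 * 3600   # absolute lifetime in seconds; a stolen
                                # token should not keep working for weeks


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # token -> Session

    @staticmethod
    def fingerprint(user_agent: str, ip: str) -> str:
        """Hash of the client attributes a token is tied to at login."""
        return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

    def login(self, user: str, user_agent: str, ip: str, now: float = None) -> str:
        """Called only after password and 2FA succeed; mints a fresh token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.fingerprint(user_agent, ip), now, now)
        return token

    def validate(self, token: str, user_agent: str, ip: str, now: float = None) -> str:
        """Accept a presented token only if it is known, unexpired and comes
        from the client it was issued to. Any failure revokes the token."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None:
            raise PermissionError("unknown or revoked session token")
        if now - sess.created > sess.max_age:
            self.sessions.pop(token)
            raise PermissionError("session expired; log in again")
        if sess.client_fp != self.fingerprint(user_agent, ip):
            # Same token, different client: treat it as a replay and kill it,
            # which also forces the legitimate user to re-authenticate.
            self.sessions.pop(token)
            raise PermissionError("token presented from an unexpected client")
        sess.last_seen = now
        return sess.user

    def change_password(self, user: str) -> int:
        """Rotating the password must revoke every existing session for the
        user, otherwise an attacker holding a token simply keeps going."""
        stale = [t for t, s in self.sessions.items() if s.user == user]
        for token in stale:
            self.sessions.pop(token)
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    victim_ua, victim_ip = "Mozilla/5.0 (Windows NT 10.0)", "192.0.2.10"
    tok = store.login("editor", victim_ua, victim_ip, now=1000.0)
    print("victim's own request:", store.validate(tok, victim_ua, victim_ip, now=1500.0))
    try:
        store.validate(tok, "python-requests/2.31", "198.51.100.5", now=1600.0)
    except PermissionError as err:
        print("replayed stolen token:", err)
```

Binding to the client IP will log out people whose address changes, such as mobile users, and a determined attacker can copy the victim's user agent, so the fingerprint check is a tripwire rather than a wall. The two controls that would have mattered most in the Linus Tech Tips case are the ones that do not depend on detecting the attacker: a bounded session lifetime and unconditional revocation on password change, plus re-prompting for password and 2FA before sensitive actions such as publishing or starting a live stream.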

How Do You Prevent Session Hijacking? 

Once it had been established that stolen session tokens were behind the breach, YouTube was able to secure Sebastian's channels quickly. Nonetheless, the ease with which the threat actors bypassed both login credentials and 2FA is troubling. It is therefore vital to follow these best practices to protect against session hijacking:

  • Understand what malware is: the attack on Linus Tech Tips was the result of malware and social engineering combining to deliver a sucker punch, in this case a fake sponsorship PDF. Accordingly, educating your staff through comprehensive and regular refresher courses should be a priority, so that an unexpected attachment, however plausible its cover story, is treated with suspicion before it is opened. This will allow your staff to identify threats before they are activated and protect your IT systems from being compromised.

For more ways to secure and optimize your business technology, contact your local IT professionals. 
