Software updates should always enhance your PC’s efficiency, but the recent breach of an ISP has demonstrated quite the opposite.
This recent compromise appears to have been exploited by StormBamboo, a collection of Chinese threat actors who have been causing digital chaos since 2012. The attack was made possible after StormBamboo breached the defenses of an undisclosed ISP. This allowed StormBamboo to take control of the ISP’s traffic and redirect it for their own malicious gains.
If you’re accessing the internet, even if it’s only for basic email and browsing usage, your business is going to be partnered with an ISP. And this attack by StormBamboo tells a cautionary tale of how you always need to be on your guard.
StormBamboo’s Innovative Attack
Having gained unauthorized access to the ISPs servers, StormBamboo was able to intercept and compromise DNS requests from users of that ISP. A DNS request is a query to provide an IP address for a host name – e.g. en.wikipedia.org. An ISP will provide this IP address and allow the user to visit the required webpage.
However, StormBamboo was able to manipulate these DNS requests and, instead of the legitimate IP address, provide a malicious alternative. No action was required from the end user, and they would be transferred to a malicious domain automatically. In particular, StormBamboo focused on poisoning DNS requests for software updates. These updates were insecure as they were found to not validate digital signatures for security purposes.
As a result of these compromises, StormBamboo was able to deceive victims into downloading malware such as Macma (for MacOS machines) and Pocostick (for Windows devices). For example, users of 5KPlayer, a media player, were redirected to a malicious IP address rather than fetching a specific YouTube dependency. This led to a backdoor malware being installed on affected systems. StormBamboo was then observed to install ReloadText, a malicious Chrome extension used to steal mail data and browser cookies.
Staying Safe from StormBamboo
The attacks carried out by StormBamboo appear to have been active during 2023 and were identified by Volexity, a reputable cybersecurity organization. Volexity’s first step was to get in touch with the ISP and identify the traffic-routing devices which were being compromised. This allowed the ISP to reboot its servers and instantly stop the ISP poisoning. Users of the ISP, therefore, were no longer at risk of being exposed to malware. Further advice on eliminating this specific threat can be found on Volexity’s blog.
Nonetheless, businesses are reminded to remain mindful about malicious activity on their networks. Implementing robust security measures, conducting regular vulnerability assessments, and monitoring network traffic for unusual patterns are all crucial. Additionally, employing advanced threat detection tools and training employees on cybersecurity best practices will further strengthen your defenses. Finally, never forget the importance of keeping software and systems updated with official patches, firmware, and updates.
For more ways to secure and optimize your business technology, contact your local IT professionals.
