How Chinese Attackers Breached an ISP to Poison Insecure Software Updates with Malware (bleepingcomputer.com)
An anonymous reader shared this report from BleepingComputer:
A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.
Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."
BleepingComputer notes that "After compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."
All that effort to distribute malware (Score:5, Informative)
when all they had to do was run ads on Google [tomsguide.com]?
Shock, shock horror, horror, shock, shock horror (Score:1)
Maybe we should investigate "man in middle" attack (Score:2)
Shock, shock horror, horror, shock, shock horror
Maybe we should have security experts begin to study these "man in the middle" attacks and develop countermeasures, maybe digitally sign patches or something? :-)
Which means the updates have crappy security (Score:5, Insightful)
Updates done right come with cryptographic signatures. That means, among other things, that compromising an ISP does not help to compromise the supply chain. Apparently there are still too many crappy software makers that do not get it.
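What "updates done right" looks like in code, as an added illustration (not code from Volexity, BleepingComputer, or any vendor named in the story): the client pins the vendor's Ed25519 public key, fetches a manifest carrying a signature over the payload digest, and refuses the payload unless both the signature and the digest check out. The manifest layout and the sample payloads are constructed for the example; with this check in place, a poisoned DNS answer that redirects the download to another host yields a rejected update rather than an executed one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small document the client fetches first (constructed format):
// the version, the expected payload digest, and the vendor's signature over both.
type Manifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the payload the vendor actually released
	Signature []byte // Ed25519 signature over Version + "\n" + SHA256
}

func signedMessage(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// Sign runs at the vendor at release time; the private key never travels with the update.
func Sign(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest,
		Signature: ed25519.Sign(priv, signedMessage(version, digest))}
}

// VerifyUpdate is the check the exploited updaters lacked. The transport (HTTP, a
// poisoned DNS answer, a hostile ISP) is irrelevant: only a payload whose manifest
// validates under the pinned vendor key, and whose bytes match that manifest, is accepted.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedMessage(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest mismatch: payload altered between vendor and client")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client ships with
	genuine := []byte("updater v2.1 genuine binary (constructed sample)")
	m := Sign(priv, "2.1", genuine)
	fmt.Println("genuine payload:", VerifyUpdate(pub, m, genuine))
	// Same manifest, but the download was redirected to a host serving different bytes.
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, []byte("swapped binary (constructed)")))
	// Whoever serves a fresh manifest without the vendor's private key fails the first check.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("re-signed manifest:", VerifyUpdate(pub, Sign(otherPriv, "2.1", genuine), genuine))
}
```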
Re: (Score:3)
Debian's only been doing signed Release files since 2007, so maybe the tech is too new and experimental.
/s
Re: (Score:2)
With Microsoft and suppliers in their area being 20-30 years behind on engineering? Probably.
Chief reasons why I don't like auto updates. (Score:2)
What is the sloppy software? (Score:3)
Yeah, right. Vault7 is all fake, I suppose. (Score:2)
The CIA make their hacking look like anyone else did it.
DNSSEC people deploy it for your DNS (Score:2)
We know that it's trivial to hack BGP sessions; that's why we have PKI for BGP, and most understand that... Filter your hosts, but come on, DNS for gov websites such as tax should have DNSSEC, and so should Google and Microsoft!
Get on it, sign the zone.
Chinese Hacking group (Score:2)
Targeting China?
That seems very unusual.