Tom’s Hardware
Christopher Harper

Chinese hacker group StormBamboo successfully hijacked an ISP's automatic software updates with backdoor malware and bad Chrome extensions to breach a downstream target

Darkened bamboo forest.

Prominent Chinese hacker group StormBamboo (alternately known as StormCloud or Evasive Panda) successfully compromised an ISP and several macOS and Windows devices on its network, reports cybersecurity organization Volexity. Specifically, DNS query responses were altered so that automatic software updates fetched over insecure protocols like HTTP were supplemented with MACMA (macOS-targeted malware) and MGBot/POCOSTICK (Windows-targeted malware), followed by the installation of a malicious Google Chrome extension.

This is the gist of the attack and how it happened, but what are the greater takeaways from this story? One key piece of the puzzle is recognizing just how disastrously insecure unencrypted network communications can be, particularly when used in key infrastructure. While encryption does not by itself guarantee security, it is orders of magnitude better than having none at all. Using basic HTTP instead of HTTPS would be harmless for most users most of the time, but in this case it snowballed into giving attackers full control of the impacted ISP infrastructure, which they used to attack the intended downstream target.

Once a device is breached, even software and processes thought to be secure — like the market-leading Google Chrome browser — can be effectively poisoned against users, with no real recourse for the final target, particularly if they don't even notice that anything is amiss. The malicious extension used here is called RELOADEXT; it modifies Chrome's "Secure Preferences" file so that browser cookies (including sensitive data) can be sent to a third party, now encrypted by the attacker.

Attacks like these also speak to the inherent danger introduced by automated processes, particularly unsecured ones. It isn't enough to have the infrastructure in place for automatic software updates, nor is it enough to verify that those automatic updates are (apparently) functioning.

As StormBamboo proved, automated infrastructure can keep functioning as intended while hijacked to deliver more than just the intended software updates. This doesn't mean automatic software updates are inherently a bad thing, but it shows that failing to secure the process is negligent at best, particularly in key network infrastructure (such as an ISP) downstream of which several otherwise-secured targets can be jeopardized.
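As an added illustration of this takeaway (example code written for this page, not code from the article or from Volexity), the following Go program simulates a DNS-poisoned update fetch: an updater that trusts whatever arrives over plain HTTP installs the attacker's package, while one that verifies a detached signature under a publisher key pinned in the client rejects it even though the transport and the DNS answer are both controlled by the attacker. Host names, addresses, keys and payloads are all constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
)

// Update is payload plus detached signature. Resolver stands in for DNS
// (host -> address), Servers for the HTTP server at each address.
type Update struct{ Payload, Sig []byte }
type Resolver map[string]string
type Servers map[string]Update

const updateHost = "updates.example.invalid" // constructed, like every value here

// naiveUpdate is a plain-HTTP updater: follow DNS, install whatever comes back.
func naiveUpdate(r Resolver, s Servers) (Update, error) {
	if u, ok := s[r[updateHost]]; ok {
		return u, nil
	}
	return Update{}, errors.New("no server at resolved address")
}

// signedUpdate fetches the same way but installs only if the signature verifies
// under the pinned publisher key: owning DNS or the path no longer decides what runs.
func signedUpdate(r Resolver, s Servers, pinned ed25519.PublicKey) ([]byte, error) {
	u, err := naiveUpdate(r, s)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, u.Payload, u.Sig) {
		return nil, errors.New("signature does not verify under pinned publisher key")
	}
	return u.Payload, nil
}

// Scenario: legitimate server, attacker server signing with its own key, and a
// resolver that is honest or poisoned (as at the ISP) toward the attacker.
func Scenario(poisoned bool) (Resolver, Servers, ed25519.PublicKey) {
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	good, bad := []byte("legit-update-v2"), []byte("update-plus-backdoor")
	s := Servers{"203.0.113.10": {good, ed25519.Sign(publisher, good)},
		"198.51.100.7": {bad, ed25519.Sign(attacker, bad)}} // valid signature, wrong key
	r := Resolver{updateHost: "203.0.113.10"}
	if poisoned {
		r[updateHost] = "198.51.100.7"
	}
	return r, s, publisher.Public().(ed25519.PublicKey)
}
```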

In Volexity's initial overview of this breach, it seemed that the victim organization's firewall had simply been breached. Most would assume that breaches like this are, to some extent, the "fault" (or at least the innocent mistake) of the victim organization in question. Instead, by DNS-poisoning the ISP servicing the target, StormBamboo was able to compromise the target without even needing to rely on end-user error, as it had in previous attacks.
