Prominent Chinese hacker group StormBamboo (alternately known as StormCloud or Evasive Panda) successfully compromised an ISP and several macOS and Windows devices on those networks, reports cybersecurity organization Volexity. Specifically, DNS query responses were altered so that automatic software updates fetched over insecure protocols like HTTP could be hijacked and supplemented with MACMA (macOS-targeted malware) and MGBot/POCOSTICK (Windows-targeted malware), followed by the installation of a malicious Google Chrome extension.
This is the gist of the attack and how it happened, but what are the greater takeaways from this story? One key piece of the puzzle is recognizing just how disastrously insecure non-encrypted network communications can be, particularly when used in key infrastructure. While encryption does not itself guarantee security, it’s orders of magnitude better than having none at all. Using basic HTTP instead of HTTPS would be harmless to most users, but in this case it snowballed into providing attackers full control of impacted ISP infrastructure to attack the intended downstream target.
Once a device is breached, even software and processes thought to be secured — like the market-leading Google Chrome browser — can be effectively poisoned against users, with no real recourse on the side of the final target, particularly if they don’t even notice that anything is amiss. The malicious extension used here is called RELOADEXT; it modifies a “Secure Preferences” file so that browser cookies (including secured info) are sent to a third party, now encrypted by the attacker.
Attacks like these also speak to the inherent danger introduced by automated processes, particularly unsecured automated processes. It isn’t enough to have the infrastructure in place for automatic software updates, nor is it enough to verify that those automatic software updates are (apparently) functioning.
As proven by StormBamboo, automated infrastructure can still function as intended while hijacked to deliver more than just the intended software updating tasks. While this doesn’t mean automated software updates are inherently a bad thing, it shows that failing to secure this process is negligent at best, particularly in key network infrastructure such as an ISP, downstream from which several otherwise-secured targets can be jeopardized.
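The difference between an update channel that merely "works" and one that is actually secured comes down to whether the client checks anything it cannot be fed by a hijacked network path. The following Go program is an added illustration, not code from Volexity's report or from any of the software StormBamboo abused: it models a naive updater that runs whatever arrives over a redirected HTTP fetch, next to one that only accepts a payload whose manifest is signed by a key pinned in the client and whose digest matches that manifest. The Ed25519 keys, the manifest layout and the update payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the release metadata a vendor publishes next to an update.
// Constructed layout for this example: a version string and the payload's SHA-256.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the update payload
}

// signingInput is the exact byte string the vendor signs and the client verifies.
func (m Manifest) signingInput() []byte {
	return []byte(m.Version + "\n" + m.SHA256)
}

// InsecureApply models the pattern the article warns about: whatever bytes
// arrive over the (hijackable) plaintext channel are treated as the real update.
func InsecureApply(payload []byte) []byte {
	return payload
}

// VerifiedApply accepts a payload only if (1) the manifest signature verifies
// against the key pinned in the client and (2) the payload hashes to the signed
// digest. Transport is irrelevant: a DNS-poisoned fetch delivers the same bytes
// as a genuine one, and substituted bytes fail one of the two checks.
func VerifiedApply(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) ([]byte, error) {
	if !ed25519.Verify(pinned, m.signingInput(), sig) {
		return nil, errors.New("manifest signature does not verify against pinned vendor key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest does not match signed manifest")
	}
	return payload, nil
}

// SignRelease is the vendor side: build the manifest for a payload and sign it.
func SignRelease(priv ed25519.PrivateKey, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.signingInput())
}

// Outcome summarises a simulated fetch whose DNS answer was poisoned so the
// client downloaded an attacker-chosen payload instead of the vendor's.
type Outcome struct {
	InsecureRanSubstitute bool  // naive updater executed the substituted payload
	DigestMismatchErr     error // verified updater, genuine manifest + wrong payload
	ForgedManifestErr     error // verified updater, attacker-signed manifest + wrong payload
}

// HijackedFetch runs both updaters against a substituted payload, using the two
// ways an attacker on the path can try to get it accepted.
func HijackedFetch() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // pinned in the client
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's own key, not pinned
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("vendor-update-v2.0.0.bin (constructed sample)")
	manifest, sig := SignRelease(vendorPriv, "2.0.0", genuine)
	substituted := []byte("substituted-update.bin (constructed sample)")

	var out Outcome
	out.InsecureRanSubstitute = string(InsecureApply(substituted)) == string(substituted)
	// Case 1: attacker reuses the vendor's real manifest and signature, swaps the payload.
	_, out.DigestMismatchErr = VerifiedApply(vendorPub, manifest, sig, substituted)
	// Case 2: attacker builds a consistent manifest for the payload but signs it with their key.
	forged, forgedSig := SignRelease(attackerPriv, "2.0.0", substituted)
	_, out.ForgedManifestErr = VerifiedApply(vendorPub, forged, forgedSig, substituted)
	return out, nil
}

// GenuineFetch confirms the verified path still accepts an untampered release.
func GenuineFetch() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	payload := []byte("vendor-update-v2.0.0.bin (constructed sample)")
	m, sig := SignRelease(priv, "2.0.0", payload)
	_, err = VerifiedApply(pub, m, sig, payload)
	return err
}

func main() {
	out, err := HijackedFetch()
	if err != nil {
		panic(err)
	}
	fmt.Println("naive updater ran substituted payload:", out.InsecureRanSubstitute)
	fmt.Println("verified updater, swapped payload:    ", out.DigestMismatchErr)
	fmt.Println("verified updater, forged manifest:    ", out.ForgedManifestErr)
	fmt.Println("verified updater, genuine release:    ", GenuineFetch())
}
```

The point of the two-check design is that neither check depends on the network. Pinning the vendor key in the client means a poisoned resolver or a plaintext HTTP hop can change which server answers, but cannot produce a signature that verifies; binding the payload to the signed manifest by digest means a genuine manifest cannot be paired with a different binary. HTTPS on the update channel would additionally stop the redirection in the first place, which is why the two measures belong together rather than as alternatives.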
In Volexity’s initial overview of this breach, it seemed that the victim organization’s firewall had simply been breached. Most would assume that breaches like this are, to some extent, the “fault” of (or at least an innocent mistake by) the victim organization in question. Instead, by DNS poisoning the ISP servicing the target, StormBamboo was effectively able to compromise the target without even needing to rely on end-user error, as it has in previous attacks.