Users are getting malware instead of software updates in ISP breach


A sophisticated Chinese cyber-espionage group, tracked as Evasive Panda or StormBamboo, compromised an undisclosed internet service provider (ISP) and used that access to poison the software updates delivered to the ISP's customers.

An incident investigation by Volexity revealed that hackers compromised the ISP's DNS service and altered query responses. DNS (Domain Name System) translates website addresses from human-readable form into IP addresses, which are then used to access servers.

So when a user's software checked for an automatic update, the poisoned DNS answer sent the request to a server under the attackers' control instead of the vendor's.

“Instead of installing the intended update, they would install malware. The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107.”

The investigation found that the DNS tampering took place at the ISP level; how the attackers gained access remains unclear. Because the ISP rebooted and took various network components offline to stop the malicious activity immediately, a specific compromised device could not be pinpointed. The activity ceased once the components were updated.

The threat actor has previously been observed using the DNS-poisoning malware CATCHDNS, which can achieve the same effect inside an ISP environment.

Poisoning software updates marks a step up in sophistication from the group's earlier tactic of modifying the content of websites that users browsed. That approach required user interaction, such as clicking a pop-up asking the user to "update their browser"; hijacking automatic software updates requires none.

When the legitimate application checks for an update, it sends a request and retrieves a text-based file listing the latest version and a link to the installer. Nothing in that workflow authenticates what comes back, so an adversary in the middle who can redirect the request to their own server (here, by controlling the DNS answer) can serve a forged version file and a malicious installer, and the application will run it as if it were the real update.


The attackers abused products from multiple software vendors that use such insecure update workflows. One video player, for example, automatically checks for and downloads a new version each time the application is started, so a poisoned update is fetched without the user doing anything.
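The two paragraphs above describe the weak update workflow and how DNS poisoning turns it into a malware delivery channel. The following Go program is an added example written for this article; it is not Volexity's code, nor code from any of the affected vendors. It models the update check in memory: a Resolver stands in for the ISP's DNS, a Network maps IP addresses to servers, and each server hands out a version file and an installer. The update host name, the vendor address 192.0.2.10 (a documentation range), the installer contents and the Ed25519 signing scheme are all constructed for the example; the attacker address 103.96.130.107 is the one reported in the article. A weak client installs whatever it receives, while a hardened client pins the vendor's public key, verifies the version file's signature and checks the installer against the hash inside that signed file, so a poisoned DNS answer can redirect the download but cannot get the forged update accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the article's text-based update file (latest version plus installer link); SHA256 and Signature are the added hardening.
type Manifest struct {
	Version, URL, SHA256 string // SHA256: hex digest of the published installer
	Signature            []byte // Ed25519 signature over signedBytes() made with the vendor key
}
func (m Manifest) signedBytes() []byte { return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256) }

// Server stands in for an HTTP host, Resolver for the ISP's DNS, Network for the hosts reachable at each IP.
type Server struct{ Manifest Manifest; Installer []byte }
type Resolver map[string]string
type Network map[string]*Server

// fetch is the article's workflow: resolve the update host, then take the manifest and installer from whatever address came back.
func fetch(dns Resolver, hosts Network, host string) (Manifest, []byte, error) {
	srv, ok := hosts[dns[host]]
	if !ok {
		return Manifest{}, nil, fmt.Errorf("cannot resolve or reach %s", host)
	}
	return srv.Manifest, srv.Installer, nil
}

// run stands in for executing the installer; it returns the banner line that would have launched.
func run(installer []byte) string { return strings.SplitN(string(installer), "\n", 2)[0] }

// InsecureUpdate trusts the manifest and installer exactly as received.
func InsecureUpdate(dns Resolver, hosts Network, host string) (string, error) {
	_, installer, err := fetch(dns, hosts, host)
	if err != nil {
		return "", err
	}
	return run(installer), nil
}

// SecureUpdate installs only if the manifest verifies under the pinned vendor key and the installer
// matches the hash inside that signed manifest. Poisoned DNS redirects the download but cannot forge the signature.
func SecureUpdate(dns Resolver, hosts Network, host string, vendorKey ed25519.PublicKey) (string, error) {
	m, installer, err := fetch(dns, hosts, host)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(vendorKey, m.signedBytes(), m.Signature) {
		return "", errors.New("manifest signature does not verify under pinned vendor key; update refused")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", errors.New("installer hash differs from signed manifest; update refused")
	}
	return run(installer), nil
}

// makeServer publishes installer behind a manifest signed with priv.
func makeServer(version, url string, installer []byte, priv ed25519.PrivateKey) *Server {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return &Server{Manifest: m, Installer: installer}
}

// Result is what one client did: the installer banner it ran, or the error that stopped it.
type Result struct{ Ran string; Err error }
// Outcome records each client under a clean and under a poisoned resolver.
type Outcome struct{ CleanInsecure, PoisonedInsecure, CleanSecure, PoisonedSecure Result }

// Scenario is the constructed walkthrough: a vendor host, an attacker host at the address
// from the article, and the resolver before and after poisoning.
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, not the vendor's
	const host = "update.example-player.invalid"       // hypothetical update host
	hosts := Network{
		"192.0.2.10":     makeServer("2.1.0", "http://"+host+"/setup.exe", []byte("example-player 2.1.0 installer\n..."), vendorPriv),
		"103.96.130.107": makeServer("2.1.1", "http://103.96.130.107/setup.exe", []byte("dropper posing as 2.1.1\n..."), attackerPriv),
	}
	clean, poisoned := Resolver{host: "192.0.2.10"}, Resolver{host: "103.96.130.107"}
	var o Outcome
	o.CleanInsecure.Ran, o.CleanInsecure.Err = InsecureUpdate(clean, hosts, host)
	o.PoisonedInsecure.Ran, o.PoisonedInsecure.Err = InsecureUpdate(poisoned, hosts, host)
	o.CleanSecure.Ran, o.CleanSecure.Err = SecureUpdate(clean, hosts, host, vendorPub)
	o.PoisonedSecure.Ran, o.PoisonedSecure.Err = SecureUpdate(poisoned, hosts, host, vendorPub)
	return o, nil
}

func main() { o, err := Scenario(); fmt.Printf("%+v\nsetup error: %v\n", o, err) }
```

Running it shows the weak client launching the vendor installer under clean DNS and the attacker's dropper under poisoned DNS, while the hardened client runs the vendor installer in the first case and refuses the update in the second. The hash check matters on its own: even with a genuine signed manifest, an adversary who can swap the installer file is caught because the hash inside the signed manifest no longer matches what was downloaded.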

The malicious installers carried MACMA (on macOS) or POCOSTICK (on Windows). Once running, the attackers attempted to exfiltrate browser cookies and other secrets from the victim's machine.

Volexity warns that Evasive Panda is a highly skilled and aggressive threat actor that compromises third parties, such as the ISP in this case, in order to reach its intended targets.

“The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances,” the report concludes.