
Chinese hacker group StormBamboo successfully hijacked an ISP’s automatic software updates with backdoor malware and bad Chrome extensions to breach a downstream target



Prominent Chinese hacker group StormBamboo (also tracked as StormCloud or Evasive Panda) compromised an ISP and, through it, several macOS and Windows devices on downstream networks, reports cybersecurity firm Volexity. Specifically, the attackers altered DNS query responses at the ISP so that automatic software update checks made over insecure protocols like plain HTTP were answered by attacker-controlled servers. Those servers delivered the intended updates supplemented with MACMA (macOS-targeted malware) or MGBot/POCOSTICK (Windows-targeted malware), followed by the installation of a malicious Chrome extension.

This is the gist of the attack and how it happened, but what are the greater takeaways from this story? One key piece of the puzzle is recognizing just how disastrously insecure unencrypted network communications can be, particularly in key infrastructure. Encryption does not by itself guarantee security, but it is orders of magnitude better than none at all. A product checking for updates over plain HTTP instead of HTTPS looks harmless in everyday use; here, combined with control of the ISP's DNS responses, it snowballed into attackers being able to redirect those update requests at will and use the ISP's position to attack the intended downstream target.

Once a device is breached, even software and processes thought to be secure, like the market-leading Chrome browser, can be effectively poisoned against users, with no real recourse for the final target, particularly if they never notice that anything is amiss. The malicious extension used here is called RELOADEXT. It modifies Chrome's "Secure Preferences" file so that browser cookies (including those protecting authenticated sessions) are sent to an attacker-controlled third party, encrypted by the attacker on the way out.

Attacks like these also speak to the inherent danger introduced by automated processes, particularly unsecured ones. It isn't enough to have the infrastructure in place for automatic software updates, nor is it enough to verify that those automatic updates are (apparently) functioning.

As StormBamboo proved, automated infrastructure can keep functioning as intended while hijacked to deliver more than the intended update. This doesn't mean automatic software updates are inherently bad, but it shows that failing to secure the process (authenticated transport, signed packages, verified digests) is negligent at best, particularly for key network infrastructure such as an ISP, downstream of which many otherwise-secured targets can be jeopardized.
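To make the update-hijack failure mode above concrete, here is an added simulation in Go (my own example, not code from Volexity's report or from any of the products involved). A resolver map stands in for the ISP's DNS, two small servers stand in for the vendor and the attacker, and the host name, paths and payload bytes are all made up for the simulation. The insecure client does what the article describes: it fetches an update manifest over plain HTTP and installs whatever comes back, so poisoning the DNS answer is enough to swap in an implant. The hardened client pins the vendor's Ed25519 public key (Go's standard `crypto/ed25519`), verifies the manifest signature, then checks the payload digest named in the manifest, so the same DNS poisoning yields a rejected update. A third view shows why the digest check matters on its own: replaying the vendor's genuine signed manifest in front of a swapped payload is also rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the update descriptor a client fetches before the payload.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"` // hex digest of the build the vendor shipped
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Manifest json.RawMessage `json:"manifest"`
	Sig      string          `json:"sig"` // hex-encoded
}

type Server map[string][]byte   // URL path -> response body
type Resolver map[string]Server // host name -> server that answers: the "DNS"

// Hypothetical vendor host and paths used only by this simulation.
const (
	host        = "updates.example-vendor.test"
	plainURL    = "http://" + host + "/manifest.json"
	signedURL   = "http://" + host + "/manifest.signed.json"
	payloadPath = "/app-2.0.bin"
)

// fetch models an HTTP GET: resolve the host, then ask whoever answered.
func fetch(r Resolver, rawURL string) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if body, ok := r[u.Host][u.Path]; ok { // a missing host yields a nil map, so ok is false
		return body, nil
	}
	return nil, fmt.Errorf("GET %s: no such host or path", rawURL)
}

// insecureUpdate is the pattern the article describes: fetch the manifest over
// plain HTTP and install whatever the network hands back.
func insecureUpdate(r Resolver, manifestURL string) ([]byte, error) {
	raw, err := fetch(r, manifestURL)
	if err != nil {
		return nil, err
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return fetch(r, m.URL) // no signature, no digest: whoever answers DNS decides what runs
}

// hardenedUpdate accepts only a manifest signed by the vendor key shipped inside
// the client, and only a payload whose digest that manifest names. Owning DNS
// still lets an attacker answer the request; it does not let them forge either.
func hardenedUpdate(r Resolver, manifestURL string, vendorPub ed25519.PublicKey) ([]byte, error) {
	raw, err := fetch(r, manifestURL)
	if err != nil {
		return nil, err
	}
	var sm SignedManifest
	if err := json.Unmarshal(raw, &sm); err != nil {
		return nil, err
	}
	sig, _ := hex.DecodeString(sm.Sig) // bad hex gives a wrong-length sig, which Verify rejects
	if !ed25519.Verify(vendorPub, sm.Manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	payload, err := fetch(r, m.URL)
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest mismatch: refusing update")
	}
	return payload, nil
}

// site builds one server: a plain and a signed manifest describing `described`,
// and whatever bytes actually sit at the payload path (not necessarily the same).
func site(priv ed25519.PrivateKey, described, served []byte) Server {
	sum := sha256.Sum256(described)
	mb, _ := json.Marshal(Manifest{URL: "http://" + host + payloadPath, SHA256: hex.EncodeToString(sum[:])})
	sm, _ := json.Marshal(SignedManifest{Manifest: mb, Sig: hex.EncodeToString(ed25519.Sign(priv, mb))})
	return Server{"/manifest.json": mb, "/manifest.signed.json": sm, payloadPath: served}
}

// Scenario is three answers for the same host name: the honest one, a poisoned
// one pointing at an attacker who re-signs with his own key, and a poisoned one
// that replays the vendor's genuine manifest bytes in front of a swapped payload.
type Scenario struct {
	Honest, Poisoned, Replay Resolver
	VendorPub                ed25519.PublicKey
	Legit, Evil              []byte
}

func buildScenario() Scenario {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	legit := []byte("app-2.0: genuine build")          // constructed sample payloads
	evil := []byte("app-2.0: genuine build + implant") // what the hijacked path delivers
	return Scenario{
		Honest:    Resolver{host: site(vendorPriv, legit, legit)},
		Poisoned:  Resolver{host: site(attackerPriv, evil, evil)},
		Replay:    Resolver{host: site(vendorPriv, legit, evil)},
		VendorPub: vendorPub, Legit: legit, Evil: evil,
	}
}

func main() {
	s := buildScenario()
	views := map[string]Resolver{"honest DNS": s.Honest, "poisoned DNS": s.Poisoned, "replayed manifest": s.Replay}
	for name, r := range views {
		p1, e1 := insecureUpdate(r, plainURL)
		p2, e2 := hardenedUpdate(r, signedURL, s.VendorPub)
		fmt.Printf("%-18s insecure: %q %v | hardened: %q %v\n", name, p1, e1, p2, e2)
	}
}
```

Running the file prints all three views for both clients: the insecure client installs the implant under both poisoned views, while the hardened one installs only the genuine build. HTTPS with certificate validation would have stopped the DNS redirect at the transport layer, but signing the update itself is what protects a client when the transport is plain HTTP, as it was here, or when the update server itself is the thing that has been compromised.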

In Volexity’s initial overview of this breach, it seemed that the victim organization’s firewall had simply been breached. Most would assume a breach like this to be, to some extent, the “fault” of the victim organization (or at least its innocent mistake). Instead, by poisoning DNS at the ISP servicing the target, StormBamboo was able to compromise the target without relying on end-user error, as it has in previous attacks.


