StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

Aug. 5, 2024, 11:35 a.m.

Description

Volexity detected and responded to multiple incidents involving systems infected with malware linked to StormBamboo, a threat actor known for compromising internet service providers (ISPs) and leveraging DNS poisoning to redirect software update traffic to attacker-controlled servers hosting malicious payloads. The threat actor abused insecure software update mechanisms that used HTTP, enabling them to surreptitiously install malware including new variants of MACMA and POCOSTICK on victim machines running macOS and Windows. Post-exploitation activities involved deploying a malicious browser extension to exfiltrate victim email data. The incidents highlight StormBamboo's sophisticated tactics and the risks posed by insecure update mechanisms.

Date

Published: Aug. 5, 2024, 11:29 a.m.
Created: Aug. 5, 2024, 11:29 a.m.
Modified: Aug. 5, 2024, 11:35 a.m.

Attack Patterns

RELOADEXT
POCOSTICK
DazzleSpy
OSX.CDDS
MacMa - S1016
StormBamboo
T1558.003
T1553.003
T1557.001
T1194
T1207
T1078.001
T1583.001
T1059.006
T1574.002
T1059.007
T1059.004
T1056.001
T1199
T1071.001
T1195
CVE-2024-3400