StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms
Aug. 5, 2024, 11:35 a.m.
Description
Volexity detected and responded to multiple incidents involving systems infected with malware linked to StormBamboo, a threat actor known for compromising internet service providers (ISPs) and leveraging DNS poisoning to redirect software update traffic to attacker-controlled servers hosting malicious payloads. The threat actor abused insecure software update mechanisms that used HTTP, enabling them to surreptitiously install malware including new variants of MACMA and POCOSTICK on victim machines running macOS and Windows. Post-exploitation activities involved deploying a malicious browser extension to exfiltrate victim email data. The incidents highlight StormBamboo's sophisticated tactics and the risks posed by insecure update mechanisms.
Date
- Created: Aug. 5, 2024, 11:29 a.m.
- Published: Aug. 5, 2024, 11:29 a.m.
- Modified: Aug. 5, 2024, 11:35 a.m.