Chinese hacker group StormBamboo, aka Evasive Panda, has hacked an Internet service provider and started infecting its subscribers' computers with malware, cybersecurity experts from the company Volexity discovered while investigating the hacking of a certain organization's resources.
Volexity initially assumed that the organization’s firewall had been compromised, but further investigation revealed that the malware originated “upstream at the ISP level.” The source of the problem was “DNS poisoning,” an attack in which a hacker manipulates the domain name system and redirects user traffic to malicious resources.
Volexity notified the provider of the problem, and the latter examined the operation of the equipment that routes traffic in the network – the provider rebooted and disabled some network components, after which the symptoms of DNS poisoning ceased. Experts placed responsibility for the attack on the Chinese hacker group StormBamboo, also known as Evasive Panda.
Having taken control of the DNS system in the provider’s network, the attackers replaced the resources that user programs access for updates – in particular, the free media player 5KPlayer. When applications tried to get updates, they received malware packages instead. The StormBamboo hackers applied this attack scheme to several software products that use insecure update mechanisms.
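The enabling weakness in the scheme above is a client that installs whatever bytes arrive from the expected update hostname, so controlling DNS is enough. An added example, not code from Volexity or from any of the affected products, of the check an updater should make instead: it verifies a manifest signed with a key pinned in the client and then compares the payload to that manifest, so which host the resolver pointed it at plays no part. The product name, version and key pair are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs: product, version and the SHA-256 of
// the exact update bytes. Binding product and version into the signed text
// also stops a valid manifest for one release being replayed for another.
func Manifest(product, version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(product + " " + version + " sha256:" + hex.EncodeToString(sum[:]))
}

// VerifyUpdate accepts a downloaded payload only if (1) the manifest carries a
// valid signature from the key pinned in the client and (2) the payload hashes
// to the value inside that signed manifest for the expected product/version.
func VerifyUpdate(pinnedPub ed25519.PublicKey, product, version string, payload, manifest, sig []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong size")
	}
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	if !bytes.Equal(manifest, Manifest(product, version, payload)) {
		return errors.New("payload does not match the signed manifest")
	}
	return nil
}

func main() {
	// Constructed demo: the publisher generates the key pair once and ships
	// the public half inside the client; the private half never leaves them.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("genuine update bytes")
	man := Manifest("example-app", "1.2.3", genuine)
	sig := ed25519.Sign(priv, man)
	fmt.Println("genuine:", VerifyUpdate(pub, "example-app", "1.2.3", genuine, man, sig))

	// Same signed manifest, but the bytes came from a host a poisoned resolver returned.
	swapped := []byte("trojanised update bytes")
	fmt.Println("swapped payload:", VerifyUpdate(pub, "example-app", "1.2.3", swapped, man, sig))

	// An attacker signing their own manifest with their own key is rejected too.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilMan := Manifest("example-app", "1.2.3", swapped)
	fmt.Println("attacker-signed:", VerifyUpdate(pub, "example-app", "1.2.3", swapped, evilMan, ed25519.Sign(evilPriv, evilMan)))
}
```

Transport security (HTTPS with a properly validated certificate) is still needed to protect the download, but the pinned-key check is what makes a hijacked hostname insufficient on its own.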
Volexity did not name the ISP or the number of computers affected by the attack, but said there were "multiple incidents" dating back to mid-2023. The victims' computers were running Windows and macOS, and the malware included MACMA and MGBot, which allow attackers to remotely take screenshots, intercept keystrokes, and steal files and passwords. The attack on the ISP's resources allegedly involved the use of CATCHDNS malware, which is designed to run on Linux.