August 3, 2024 at 03:41PM
The Chinese hacking group StormBamboo, also known as Evasive Panda, Daggerfly, and StormCloud, has compromised an internet service provider to inject malware into automatic software updates, targeting organizations across various countries. They exploited insecure HTTP software update mechanisms, deploying malware onto victims’ devices without user interaction. They also targeted software vendors and NGOs in supply chain attacks or adversary-in-the-middle attacks.
Key takeaways:
1. The Chinese hacking group known as StormBamboo, also tracked as Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012 and has targeted organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
2. The group compromised an undisclosed internet service provider to poison automatic software updates with malware, exploiting insecure HTTP software update mechanisms that didn’t validate digital signatures to deploy malware payloads on victims’ Windows and macOS devices.
3. StormBamboo intercepted and modified victims’ DNS requests, poisoning them with malicious IP addresses, to deliver the malware to the targets’ systems from their command-and-control servers without requiring user interaction, and targeted multiple software vendors using insecure update workflows.
4. The threat actors installed a malicious Google Chrome extension (ReloadText) after compromising the target’s systems, allowing them to harvest and steal browser cookies and mail data.
5. The group has been observed deploying various malware versions targeting international NGOs and organizations, such as the Pocostick (MGBot) Windows backdoor and the Macma macOS backdoor.
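The update-hijacking described in points 2 and 3 works only because the updater trusts whatever the network returns. The following Go program is an added example (not code from the article, from StormBamboo's tooling, or from any affected vendor) showing the client-side checks that defeat it: the updater pins the vendor's Ed25519 release public key inside the application, refuses any manifest whose payload URL is not HTTPS, verifies the manifest signature, and only then compares the payload's SHA-256 against the signed digest. The manifest format, the `UpdateManifest` type, the URLs and the payloads are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateManifest is a hypothetical manifest format (constructed for this
// example, not any vendor's real format). The updater fetches it, checks it,
// and only then fetches and installs the payload it describes.
type UpdateManifest struct {
	Version   string // e.g. "1.0.1"
	URL       string // where the payload is served from
	SHA256    string // hex SHA-256 of the payload
	Signature []byte // Ed25519 signature over the three fields above
}

// signedBytes is the canonical byte string the vendor signs; any change to
// the version, URL or digest changes it and invalidates the signature.
func signedBytes(m UpdateManifest) []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// NewManifest builds an unsigned manifest whose digest matches payload.
func NewManifest(version, payloadURL string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{Version: version, URL: payloadURL, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor-side step: sign with the release private key.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) UpdateManifest {
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("manifest signature does not verify against pinned key")
	ErrDigestMismatch    = errors.New("payload digest does not match signed manifest")
)

// VerifyUpdate is the client-side gate. pub is the vendor's release public
// key shipped inside the application (pinned), never fetched over the network.
// An on-path party who rewrites DNS answers or an HTTP response can change the
// URL, the manifest or the payload, but cannot produce a valid signature.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed keys and payloads for the demonstration; a real vendor's
	// private key lives in release infrastructure, never in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed genuine update payload")
	m := SignManifest(priv, NewManifest("1.0.1", "https://updates.example.test/app.bin", genuine))

	fmt.Println("genuine payload:", VerifyUpdate(pub, m, genuine))                        // <nil>
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, []byte("constructed substitute"))) // digest mismatch

	// Manifest URL rewritten on the wire: the signature no longer covers it.
	redirected := m
	redirected.URL = "https://unrelated-host.example.test/app.bin"
	fmt.Println("rewritten URL:", VerifyUpdate(pub, redirected, genuine)) // bad signature

	// Plain-HTTP delivery is refused outright, even when correctly signed.
	plain := SignManifest(priv, NewManifest("1.0.1", "http://updates.example.test/app.bin", genuine))
	fmt.Println("http URL:", VerifyUpdate(pub, plain, genuine)) // insecure transport
}
```

The order of the checks matters: the transport check runs before any network fetch of the payload, and the signature is checked before the digest so that an unsigned or re-signed manifest is rejected without the client ever trusting its contents. Pinning the public key in the binary (and rotating it only through an update that is itself signed by the old key) is what removes the ISP and DNS path from the trust chain.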