August 5, 2024 at 03:03PM
Researchers have uncovered a China-linked APT group’s attack on an ISP, employing DNS poisoning to compromise software update mechanisms. This enabled the delivery of Macma backdoor variants and post-exploitation malware, exfiltrating sensitive data from affected networks. The APT group, known as Evasive Panda, used DNS manipulation to conduct the attacks, targeting vulnerable automatic update workflows.
The key takeaways from the report are:
1. A China-linked advanced persistent threat (APT) group, known as Evasive Panda and also tracked as StormBamboo and DaggerFly, compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning.
2. The APT targeted software whose update mechanisms were insecure (for example, fetched over plain HTTP) and did not properly validate the digital signatures of installers, using them to deliver new variants of the Macma backdoor and post-exploitation malware that exfiltrated sensitive data from compromised networks.
3. The attackers abused DNS poisoning to deliver malware via HTTP automatic update mechanisms, rerouting network communications to a server under their control.
4. The APT targeted multiple software vendors with “insecure update workflows” and leveraged DNS poisoning to host modified config files, resulting in legitimate applications downloading upgrade packages backdoored with malicious code.
5. The APT is considered “a highly skilled and aggressive threat actor” that compromises third parties to breach its intended targets, and actively maintains payloads for macOS, Windows, and network appliances.
6. Researchers from Volexity worked with the ISP to investigate and stop the malicious activity, and provided various rules and indicators of compromise (IOCs) in a post to help organizations detect if they have been affected by the attacks.
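The weaknesses the takeaways describe (update manifests fetched over plain HTTP, installer signatures that are never checked, and a poisoned resolver steering that traffic to an attacker host) can be shown in a small simulation. The Go program below is an added example, not code from Volexity or from any vendor named in the report; the URLs, key pairs and package bytes are constructed, and DNS poisoning is modelled simply by handing the update client a different fetch function rather than by touching any resolver. It puts the vulnerable client beside a hardened one that pins the vendor's Ed25519 public key and checks the package hash the signed manifest commits to, and it goes slightly beyond the text by also covering the case where an attacker replays a genuine signed manifest but swaps the package behind its URL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed URLs for the simulation; no real vendor or host is involved.
const manifestURL = "http://updates.example-vendor.invalid/latest.json"
const packageURL = "http://updates.example-vendor.invalid/app-2.0.pkg"

// Manifest is the small config file an update client fetches first: it names the package and commits to its SHA-256.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// Fetcher stands in for "resolve the host, then GET the URL"; a poisoned resolver is modelled by swapping the Fetcher.
type Fetcher func(url string) ([]byte, error)

func mapFetcher(content map[string][]byte) Fetcher {
	return func(url string) ([]byte, error) {
		if b, ok := content[url]; ok {
			return b, nil
		}
		return nil, fmt.Errorf("404 %s", url)
	}
}
func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// signManifest wraps the JSON manifest and a detached Ed25519 signature over it in an envelope.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	raw, _ := json.Marshal(m)
	out, _ := json.Marshal(map[string][]byte{"manifest": raw, "signature": ed25519.Sign(priv, raw)})
	return out
}

func fetchManifest(fetch Fetcher) (env map[string][]byte, m Manifest, err error) {
	raw, err := fetch(manifestURL)
	if err == nil {
		err = json.Unmarshal(raw, &env)
	}
	if err == nil {
		err = json.Unmarshal(env["manifest"], &m)
	}
	return
}

// insecureUpdate is the vulnerable workflow the report describes: the client installs
// whatever the (plain-HTTP) manifest points at, with no signature and no hash check.
func insecureUpdate(fetch Fetcher) ([]byte, error) {
	_, m, err := fetchManifest(fetch)
	if err != nil {
		return nil, err
	}
	return fetch(m.URL)
}

// secureUpdate verifies the envelope signature against a key pinned in the client, then checks the
// downloaded package against the hash the signed manifest commits to; a poisoned channel can then
// neither substitute a manifest nor swap the package behind a genuine one.
func secureUpdate(fetch Fetcher, pinned ed25519.PublicKey) ([]byte, error) {
	env, m, err := fetchManifest(fetch)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, env["manifest"], env["signature"]) {
		return nil, errors.New("manifest signature does not verify against pinned vendor key")
	}
	pkg, err := fetch(m.URL)
	if err == nil && sha256Hex(pkg) != m.SHA256 {
		pkg, err = nil, errors.New("package hash does not match signed manifest")
	}
	return pkg, err
}

// BuildScenario fabricates a vendor and an attacker (sample data, not real infrastructure). It returns the
// pinned vendor key, the legitimate and backdoored packages, and three channels: clean; forged (attacker-written
// manifest signed with the attacker's own key); replayed (genuine signed manifest, package behind its URL swapped).
func BuildScenario() (pub ed25519.PublicKey, legit, backdoor []byte, clean, forged, replayed Fetcher) {
	pub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	legit = []byte("installer-2.0 (constructed sample bytes)")
	backdoor = []byte("installer-2.0 plus implant (constructed sample bytes)")
	genuine := signManifest(vendorPriv, Manifest{Version: "2.0", URL: packageURL, SHA256: sha256Hex(legit)})
	forgedEnv := signManifest(attackerPriv, Manifest{Version: "2.0", URL: packageURL, SHA256: sha256Hex(backdoor)})
	clean = mapFetcher(map[string][]byte{manifestURL: genuine, packageURL: legit})
	forged = mapFetcher(map[string][]byte{manifestURL: forgedEnv, packageURL: backdoor})
	replayed = mapFetcher(map[string][]byte{manifestURL: genuine, packageURL: backdoor})
	return
}

func main() {
	pub, _, backdoor, _, forged, _ := BuildScenario()
	ins, _ := insecureUpdate(forged)
	_, err := secureUpdate(forged, pub)
	fmt.Printf("poisoned channel: insecure client installed backdoor=%v; secure client: %v\n", string(ins) == string(backdoor), err)
}
```

The two checks are exactly what the abused update workflows lacked: verification against a pinned key defeats a forged manifest, and the hash binding defeats a swapped package even when the manifest itself is genuine. Serving the channel over HTTPS makes the poisoned resolver far less useful, but it does not replace either check.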
These takeaways illustrate the sophisticated and persistent nature of the attacks carried out by the APT group, highlighting the need for organizations to be vigilant and proactive in securing their networks and software update mechanisms.