A recent cyberattack compromised an unnamed internet service provider (ISP), allowing the China-linked threat actor Evasive Panda to push malicious software updates to targeted organizations, according to Ars Technica. Through those updates the attackers stole sensitive information from the victims, including passwords and files.
Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, has been active since at least 2012, as reported by The Hacker News. The group has orchestrated watering hole and supply chain attacks targeting Tibetan users and an international NGO in Mainland China.
The hackers tampered with the ISP's DNS so that software update requests from victims resolved to attacker-controlled servers instead of the vendors' sites. PCMag points out that they delivered malware such as MgBot and MACMA, which can remotely take screenshots, capture keystrokes, and steal data.
Volexity, a cybersecurity firm, discovered the infection while investigating a hack at an unnamed organization. “We traced it back to the ISP level, where we found a DNS poisoning attack,” said Steven Adair, Founder and President of Volexity.
The attack chain manipulated DNS query responses for domains tied to automatic software update mechanisms: the ISP's resolvers answered those lookups with attacker-controlled IP addresses, so the update clients connected to the attackers' servers rather than the vendors'. The targeted software fetched its updates over plain HTTP and performed no adequate integrity check on what it downloaded, so it accepted and installed the malicious payload served in place of the genuine update.
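How the two weaknesses combine is easier to see in code. The Go program below is an added illustration, not code from Volexity's report or from any affected vendor: it models a resolver whose answer for an update host has been poisoned, an updater that trusts that answer over plain HTTP, and a hardened updater that insists on HTTPS and verifies an Ed25519 signature against a vendor key pinned in the client. The hostname, the addresses, the payload bytes and the one-field stand-in for TLS certificate validation are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/url"
)

// Constructed model of the attack chain above: a resolver whose answer for the vendor's
// update host is poisoned, plus an insecure and a hardened client. Names and bytes are invented.
const updateHost = "updates.example.invalid"
const legitIP, attackerIP = "203.0.113.10", "198.51.100.7" // vendor, attacker

var legitUpdate = []byte("vendor-update-v2.1")         // constructed payload
var maliciousUpdate = []byte("trojanized-update-v2.1") // constructed payload

// server models one endpoint: the hostname its TLS certificate is valid for ("" = none, a
// stand-in for real certificate validation), the bytes it serves, and a detached Ed25519 signature.
type server struct {
	certFor   string
	payload   []byte
	signature []byte
}
type resolver map[string]string // hostname -> IP answer
type servers map[string]server  // IP -> endpoint reached at that address

// buildScenario creates the vendor key pair, both endpoints and a resolver; poisoned=true makes
// the resolver answer with the attacker's IP, as the ISP's DNS did. The attacker lacks the vendor key.
func buildScenario(poisoned bool) (resolver, servers, ed25519.PublicKey) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	s := servers{
		legitIP:    {updateHost, legitUpdate, ed25519.Sign(vendorPriv, legitUpdate)},
		attackerIP: {"", maliciousUpdate, ed25519.Sign(attackerPriv, maliciousUpdate)},
	}
	r := resolver{updateHost: legitIP}
	if poisoned {
		r[updateHost] = attackerIP
	}
	return r, s, vendorPub
}

// connect resolves host through the (possibly poisoned) resolver and returns whatever
// endpoint sits at the answered address.
func connect(r resolver, s servers, host string) (server, error) {
	ip, ok := r[host]
	if !ok {
		return server{}, fmt.Errorf("no DNS answer for %s", host)
	}
	srv, ok := s[ip]
	if !ok {
		return server{}, fmt.Errorf("nothing listening at %s", ip)
	}
	return srv, nil
}

// fetchInsecure models the updaters the report describes: plain HTTP, blind trust in
// the DNS answer, and no integrity check on the downloaded bytes.
func fetchInsecure(r resolver, s servers, host string) ([]byte, error) {
	srv, err := connect(r, s, host)
	if err != nil {
		return nil, err
	}
	return srv.payload, nil // installed as-is, whoever served it
}

// fetchVerified adds the two controls the article calls for: HTTPS with certificate
// validation, and a signature check against a vendor key pinned in the client. Either
// control alone turns the poisoned DNS answer into a rejection instead of an install.
func fetchVerified(r resolver, s servers, rawURL string, pinned ed25519.PublicKey) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("refusing non-HTTPS update URL %q", rawURL)
	}
	srv, err := connect(r, s, u.Hostname())
	if err != nil {
		return nil, err
	}
	if srv.certFor != u.Hostname() {
		return nil, fmt.Errorf("server certificate is not valid for %s", u.Hostname())
	}
	if !ed25519.Verify(pinned, srv.payload, srv.signature) {
		return nil, fmt.Errorf("signature does not verify against the pinned vendor key")
	}
	return srv.payload, nil
}

func main() {
	r, s, pub := buildScenario(true)
	got, err := fetchInsecure(r, s, updateHost)
	fmt.Printf("insecure client under poisoned DNS installed %q (err=%v)\n", got, err)
	_, err = fetchVerified(r, s, "https://"+updateHost+"/update", pub)
	fmt.Println("hardened client under poisoned DNS:", err)
}
```

Run it with `go run`. Under the poisoned resolver the insecure client installs the attacker's bytes without complaint, while the hardened client stops at the certificate check. The pinned-key signature check is kept as a separate control on purpose: if an attacker somehow presented a certificate the client accepted, the payload would still be rejected because it was not signed with the vendor's key, which is why signing updates matters independently of transport security.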
On macOS devices, the hackers also deployed a malicious Google Chrome extension, installed by modifying the browser's Secure Preferences file. The extension exfiltrated browser cookies to a Google Drive account controlled by the adversary.
Volexity worked with the ISP to remediate the attack. The DNS poisoning immediately stopped once the ISP rebooted and took various network components offline.
This incident highlights the growing sophistication of Evasive Panda. It underscores the importance of delivering software updates over HTTPS and of cryptographically verifying downloaded installers before they run, so that a hijacked DNS answer yields a rejected update rather than an installed implant. As threat actors continue to evolve, such measures will be crucial to protect against similar attacks in the future.
Image credit: Wikimedia