APT Group StormBamboo Attacks ISP Customers Via DNS Poisoning

05-August-24

Security researchers have uncovered a sophisticated supply chain attack campaign stemming from the compromise of an unnamed ISP. Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as plain HTTP, and did not properly validate the digital signatures of installers. MACMA is a macOS backdoor; MGBot targets Windows systems.

As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped. During this time it was not possible to pinpoint a specific compromised device, but various components of the infrastructure were updated or left offline and the activity ceased.
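The two weaknesses the campaign relied on, plaintext update transport and unverified installers, are what a client-side updater should refuse to accept. The following Go example is added here and is not code from Volexity or the article; it assumes a hypothetical vendor release key pinned inside the client, and uses constructed sample installer bytes to show that a substituted payload, such as one served after a spoofed DNS answer, fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is the installer plus a detached signature from the vendor key.
type UpdateManifest struct {
	Installer []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update URL must use https, not plain http")
	ErrBadSignature      = errors.New("installer signature does not verify against pinned key")
)

// VerifyUpdate enforces the two checks the targeted software lacked: the update
// endpoint must be HTTPS, and the installer must verify against a key pinned in
// the client (never fetched from the same, possibly poisoned, update domain).
func VerifyUpdate(rawURL string, pinnedKey ed25519.PublicKey, m UpdateManifest) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pinnedKey, m.Installer, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo uses constructed sample data: a genuine signed installer, the same
// signature attached to a substituted installer, and a plain-HTTP update URL.
func Demo() (genuineErr, swappedErr, httpErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key
	genuine := []byte("constructed sample: genuine installer bytes")
	m := UpdateManifest{Installer: genuine, Signature: ed25519.Sign(priv, genuine)}
	genuineErr = VerifyUpdate("https://updates.example.test/app.pkg", pub, m)
	swapped := UpdateManifest{Installer: []byte("constructed sample: substituted bytes"), Signature: m.Signature}
	swappedErr = VerifyUpdate("https://updates.example.test/app.pkg", pub, swapped)
	httpErr = VerifyUpdate("http://updates.example.test/app.pkg", pub, m)
	return
}

func main() {
	g, s, h := Demo()
	fmt.Println("genuine:", g, "| swapped:", s, "| http:", h)
}
```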