The StormCloud Chinese threat group used a compromised Internet Service Provider (ISP) to distribute malware that spoofed software updates.
The attackers exploited software whose update mechanism fetched updates over insecure HTTP and failed to validate their digital signatures. The DNS spoofing campaign impacted both Windows and macOS devices.
The attack explained
Once the hackers breached the Internet Service Provider, they gained access to the customers’ DNS requests.
Using a VPN and DNS over HTTPS are security best practices for preventing DNS leaks. DNS leaks are dangerous because they impact the internet user's privacy and can expose their DNS queries and browsing patterns to malicious actors.
StormCloud's DNS hijacking attack enabled the threat actors to access and compromise DNS records. Instead of reaching the legitimate update server to download the update they needed, the victims were directed to malicious IP addresses.
According to BleepingComputer, the attackers installed MacMa and MGBot malware on the targets’ computers.
MacMa is a macOS backdoor designed to control and exfiltrate files. Additionally, MacMa malware can record audio, run shell commands and use bash scripts.
How to apply updates safely and avoid DNS poisoning attacks
StormCloud's attack on an ISP to poison DNS queries highlights why a multi-layered defense strategy is important. Patching is a repetitive and time-consuming task, and in some cases IT teams are tempted to take shortcuts.
The patch management process should always include a testing phase. An automated patch management solution like Heimdal's would have covered that. Cybersecurity Community Leader Andrei Hinodache explained:
After getting the third-party application updates from the vendor, the patches are tested for malware and backdoors before they are deployed. If the update was poisoned, or the connection is suspicious, Heimdal's patching process will detect it.
OS updates are tunneled directly via the secured, built-in, channels between the systems and the OS provider.
Additionally, using a DNS filtering tool could have detected and blocked the malicious communication with the C2 server.
If a user tried to install an update on their own (they shouldn't be able to, but let's accept the hypothesis for the example's sake) and the organization has a DNS Security solution in place, the DNS security engine would detect the malicious traffic patterns and trigger an alarm.
Andrei Hinodache, Cybersecurity Community Leader @Heimdal
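The weakness the campaign relied on was an update client that trusted whatever bytes arrived over plain HTTP. The check below is an added illustration (not code from Heimdal or from any affected vendor) of the two controls that close that gap: insisting on HTTPS and verifying a detached Ed25519 signature against a vendor key pinned in the client. The vendor key, update payloads and hostname are constructed for the demo; the scenario replays a genuine update, the same download swapped for a trojanised file after a poisoned DNS answer, and a genuine file fetched over HTTP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Update is what the client receives: the URL it actually fetched from,
// the update bytes, and a detached signature from the vendor's signing key.
type Update struct {
	URL       string
	Payload   []byte
	Signature []byte
}

var ErrInsecureTransport = errors.New("update must be fetched over https")
var ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")

// VerifyUpdate is the hardened check: HTTPS transport plus a valid signature
// from the pinned vendor key. A server reached through a poisoned DNS answer
// can serve any bytes it likes, but it cannot forge this signature.
func VerifyUpdate(vendorKey ed25519.PublicKey, u Update) error {
	parsed, err := url.Parse(u.URL)
	if err != nil || parsed.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(vendorKey, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario replays three downloads with a constructed vendor key:
// genuine, hijacked (trojanised payload, same path), and genuine over plain HTTP.
func Scenario() (genuine, hijacked, plainHTTP error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("updater-1.2.3: genuine vendor build") // constructed payload
	sig := ed25519.Sign(priv, good)
	genuine = VerifyUpdate(pub, Update{"https://updates.example.test/app", good, sig})
	swapped := []byte("updater-1.2.3: backdoored build") // constructed payload
	hijacked = VerifyUpdate(pub, Update{"https://updates.example.test/app", swapped, sig})
	plainHTTP = VerifyUpdate(pub, Update{"http://updates.example.test/app", good, sig})
	return
}

func main() {
	g, h, p := Scenario()
	fmt.Println("genuine:", g, "| hijacked:", h, "| plain http:", p)
}
```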