Heimdal

The Chinese threat group StormCloud used a compromised Internet Service Provider (ISP) to distribute malware disguised as legitimate software updates.

The attackers targeted software whose update mechanism fetched updates over insecure HTTP and did not validate digital signatures. The DNS spoofing campaign impacted both Windows and macOS devices.

The attack explained

Once the hackers had breached the Internet Service Provider, they gained access to the customers' DNS requests.

Using a VPN and DNS over HTTPS are security best practices for preventing DNS leaks. DNS leaks are dangerous because they impact the internet user's privacy and can expose their DNS queries and browsing patterns to malicious actors.

StormCloud's DNS hijacking attack enabled the threat actors to alter the DNS responses the customers received. Instead of reaching the legitimate update server to download the update they needed, the victims were directed to attacker-controlled IP addresses.
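The weakness the campaign relied on is an update client that trusts whatever the resolved address serves. The added example below is not Heimdal's code or any vendor's real update client; it shows the check a client should perform instead. It assumes a hypothetical signed manifest (version plus SHA-256 of the payload, signed with Ed25519 by the vendor) and a vendor public key pinned in the client, so that a redirected download can deliver a swapped payload or even an attacker-signed manifest, but neither passes verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical manifest fetched alongside the update binary.
// Only the signed fields are trusted; where the bytes came from is not.
type UpdateManifest struct {
	Version   string
	SHA256    string // hex digest of the update payload
	Signature []byte // Ed25519 signature over Version + "\n" + SHA256
}

func manifestBytes(m UpdateManifest) []byte {
	return []byte(m.Version + "\n" + m.SHA256)
}

// SignManifest stands in for the vendor's build pipeline; it is here only so
// the example is self-contained.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	m := UpdateManifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

var (
	ErrBadSignature   = errors.New("update manifest signature invalid")
	ErrDigestMismatch = errors.New("update payload does not match signed digest")
)

// VerifyUpdate is the client-side check. pinnedPub ships inside the client, so
// a poisoned resolver can hand the client any bytes but cannot make them verify.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario exercises three cases: the genuine update, a payload swapped by a
// redirected download, and a manifest re-signed with an attacker's own key.
func Scenario() (genuine, swapped, resigned error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	good := []byte("constructed update payload v2.1") // constructed sample data
	bad := []byte("constructed tampered payload")     // constructed sample data

	m := SignManifest(vendorPriv, "2.1", good)
	genuine = VerifyUpdate(vendorPub, m, good)
	swapped = VerifyUpdate(vendorPub, m, bad)
	resigned = VerifyUpdate(vendorPub, SignManifest(attackerPriv, "2.1", bad), bad)
	return
}

func main() {
	g, s, r := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("swapped payload:", s)
	fmt.Println("attacker-signed manifest:", r)
}
```

The key point is that the public key is pinned in the client and never fetched from the network, and that the client verifies the signature before it trusts the digest and the digest before it trusts the payload. Fetching over HTTPS with certificate validation is still worthwhile, but on its own it does not help a client that accepts unsigned payloads from whichever host DNS returns.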

According to BleepingComputer, the attackers installed MacMa and MGBot malware on the targets’ computers.

MacMa is a macOS backdoor designed to control and exfiltrate files. Additionally, MacMa malware can record audio, run shell commands and use bash scripts.

How to apply updates safely and avoid DNS poisoning attacks

StormCloud's attack on an ISP to poison DNS queries highlights why a multi-layered defense strategy is important. Patching is a repetitive and time-consuming task, and in some cases IT teams are tempted to take shortcuts.

The patch management process should always include a testing phase. An automated patch management solution like Heimdal's would have covered that. Cybersecurity Community Leader Andrei Hinodache explained that:

After getting the third-party application updates from the vendor, the patches are tested for malware and backdoors before they are deployed. If the update was poisoned, or the connection is suspicious, Heimdal's patching process will detect it.

OS updates are tunneled directly via the secured, built-in channels between the systems and the OS provider.

Additionally, using a DNS filtering tool could have detected and blocked the malicious communication with the C2 server.

If a user tried to install an update on their own (they shouldn't be able to, but let's accept the hypothesis for the example's sake) and the organization has a DNS Security solution in place, the DNS security engine would detect the malicious traffic patterns and trigger an alarm.

Andrei Hinodache, Cybersecurity Community Leader @Heimdal
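One concrete form the DNS-side detection described above can take is to audit resolver logs for update hostnames that resolve outside the address ranges the vendor is known to use. The added example below is not Heimdal's DNS security engine or any product's code; it assumes a hypothetical resolver log format (timestamp, client, query name, record type, answer) and constructed placeholder hostnames and expected ranges, and flags any answer for a watched update host that falls outside its expected prefixes.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// sampleLog is a constructed resolver log: timestamp, client IP, query name,
// record type, answer. The third line is the one a poisoned response would produce.
const sampleLog = `2024-08-01T09:00:01Z 10.0.0.12 updates.vendor.example A 203.0.113.10
2024-08-01T09:00:02Z 10.0.0.12 cdn.vendor.example A 203.0.113.25
2024-08-01T09:05:17Z 10.0.0.31 updates.vendor.example A 198.51.100.7
2024-08-01T09:05:18Z 10.0.0.31 www.unrelated.example A 192.0.2.44
2024-08-01T09:06:00Z 10.0.0.31 updates.vendor.example A 203.0.113.11`

// expectedRanges holds, per watched update host, the prefixes its answers are
// expected to fall in (from the vendor's published ranges or a clean baseline).
// These are constructed placeholder values.
var expectedRanges = map[string][]string{
	"updates.vendor.example": {"203.0.113.0/24"},
	"cdn.vendor.example":     {"203.0.113.0/24"},
}

// Finding records one answer for a watched host that fell outside its ranges.
type Finding struct {
	Time, Client, QName, Answer string
}

// AuditDNSLog parses the log and returns every out-of-range answer for a watched host.
func AuditDNSLog(log string) ([]Finding, error) {
	prefixes := make(map[string][]netip.Prefix)
	for host, cidrs := range expectedRanges {
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, fmt.Errorf("bad prefix %q for %s: %w", c, host, err)
			}
			prefixes[host] = append(prefixes[host], p)
		}
	}

	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 || f[3] != "A" {
			continue // malformed line or not an A record; skip
		}
		allowed, watched := prefixes[f[2]]
		if !watched {
			continue // not an update host we care about
		}
		addr, err := netip.ParseAddr(f[4])
		if err != nil {
			return nil, fmt.Errorf("bad answer %q on line %q: %w", f[4], sc.Text(), err)
		}
		inRange := false
		for _, p := range allowed {
			if p.Contains(addr) {
				inRange = true
				break
			}
		}
		if !inRange {
			findings = append(findings, Finding{Time: f[0], Client: f[1], QName: f[2], Answer: f[4]})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := AuditDNSLog(sampleLog)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, fd := range findings {
		fmt.Printf("ALERT %s client=%s %s resolved to unexpected %s\n", fd.Time, fd.Client, fd.QName, fd.Answer)
	}
}
```

Run against the constructed log, the audit flags exactly one line: the client 10.0.0.31 receiving 198.51.100.7 for updates.vendor.example. In practice the expected ranges would be maintained from the vendor's published infrastructure or a baseline taken before the incident, and the same comparison can be applied to CNAME targets or to answers seen at the ISP's resolver versus an independent DoH resolver, which is what makes a resolver-level hijack visible from inside the organization.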


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
