NormCyber Threat Bulletin: 07th August 2024

Hackers breach ISP to deploy malicious software updates

A Chinese hacking group known as StormBamboo has breached an unidentified internet service provider (ISP) to distribute malware through automatic software updates. Also referred to as Evasive Panda, Daggerfly, and StormCloud, this group has been active since at least 2012, targeting entities in mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers disclosed that the group exploited insecure HTTP software update mechanisms, which lacked digital signature validation, to deliver malware payloads to victims’ Windows and macOS devices. When these applications attempted to retrieve updates, they instead installed malware such as MACMA and POCOSTICK (also known as MGBot), because the attackers intercepted the victims’ DNS requests and answered them with attacker-controlled IP addresses. The update requests were therefore served from StormBamboo’s command-and-control servers, and the malware was delivered without any user interaction.

For example, they exploited 5KPlayer’s requests to update the YouTube-dl dependency to push a compromised installer hosted on their C2 servers. After breaching the targets’ systems, the attackers installed a malicious Google Chrome extension, ReloadText, which allowed them to harvest and steal browser cookies and email data.
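The weakness described above is that the updater trusted whatever the network returned. As an added illustration (not code from Volexity, 5KPlayer or any vendor named in this bulletin), the following Go program shows the check a well-designed updater performs instead: the client pins the vendor's Ed25519 public key and refuses to install any payload whose manifest signature does not verify, so a poisoned DNS answer yields bytes that are never executed. The manifest layout, version strings and installer bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what a safe updater fetches next to the installer: the expected
// digest of the payload and the vendor's signature over version+digest.
// The layout is this example's own, not any real vendor's format.
type Manifest struct {
	Version   string
	SHA256    [32]byte
	Signature []byte
}

var ErrUntrustedUpdate = errors.New("update rejected: digest or signature check failed")

// signedMessage binds the version to the digest so a valid signature over an
// old release cannot be replayed to roll a client back to a vulnerable build.
func signedMessage(version string, digest [32]byte) []byte {
	return append([]byte("update-manifest-v1|"+version+"|"), digest[:]...)
}

// SignUpdate runs on the vendor's release system, never on the download host.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	digest := sha256.Sum256(payload)
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, signedMessage(version, digest)),
	}
}

// VerifyUpdate runs on the client with a public key pinned in the binary.
// Nothing about the transport is trusted: whether the bytes arrived over plain
// HTTP or from a host chosen by a poisoned DNS answer, they are only installed
// if the pinned key verifies the signature over their digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	digest := sha256.Sum256(payload)
	if digest != m.SHA256 {
		return ErrUntrustedUpdate
	}
	if !ed25519.Verify(pinned, signedMessage(m.Version, digest), m.Signature) {
		return ErrUntrustedUpdate
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine installer bytes") // constructed sample
	m := SignUpdate(vendorPriv, "1.2.3", genuine)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, m, genuine))

	// Redirected download: the real manifest, but a substituted payload.
	fmt.Println("substituted payload:", VerifyUpdate(vendorPub, m, []byte("substituted bytes")))

	// The redirecting host also serves its own manifest, signed with its own key,
	// which the pinned vendor key does not accept.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, "1.2.3", []byte("substituted bytes"))
	fmt.Println("manifest signed by unknown key:", VerifyUpdate(vendorPub, forged, []byte("substituted bytes")))
}
```

The point of the design is that the digest alone is not enough: a digest fetched over the same untrusted channel can be swapped along with the payload, so the digest must be covered by a signature whose verification key does not come from the network. Binding the version into the signed message additionally stops an old, validly signed release being replayed as a "new" update.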

Volexity noted that StormBamboo targeted multiple software vendors with insecure update workflows, employing varying degrees of complexity in their malware deployment steps. Volexity notified and collaborated with the ISP, which investigated key traffic-routing devices on their network. Once the ISP rebooted and took network components offline, the DNS poisoning ceased immediately.

In April 2023, ESET threat researchers observed the group deploying the Pocostick (MGBot) Windows backdoor by exploiting the automatic update mechanism of the Tencent QQ messaging application in attacks on international NGOs. Nearly a year later, in July 2024, Symantec’s threat hunting team identified the Chinese hackers targeting an American NGO in China and several organisations in Taiwan with new versions of the Macma macOS backdoor and the Nightdoor Windows malware. Although the attackers’ skill was evident, researchers at the time could only suspect a supply chain or adversary-in-the-middle (AITM) attack and could not confirm the exact delivery method.

At Norm, we have a dedicated team of Security Analysts with expertise and certifications across various fields of cyber security. Our team works around the clock to ensure your security, proactively monitoring threats and implementing robust defences to keep your systems safe from such cyber threats.

References:

Hackers breach ISP to poison software updates with malware (bleepingcomputer.com)
StormBamboo APT Group Breaches ISP to Deliver Malware (vulnera.com)
China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates (thehackernews.com)

Unveiling BITSLOTH: Sophisticated Windows malware leveraging BITS for stealthy C2 operations

Cyber security researchers at Elastic Security Labs have uncovered a previously undocumented Windows backdoor named BITSLOTH, leveraging the Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. Discovered on June 25, 2024, during a cyber attack on a South American Foreign Ministry, this malware is associated with the activity cluster REF8747.

BITSLOTH, which has been in development since December 2021, features 35 handler functions, including keylogging and screen capture capabilities. The malware also boasts numerous discovery, enumeration, and command-line execution features, suggesting its primary use is data gathering. The authors of BITSLOTH appear to be Chinese speakers, as source code analysis revealed logging functions and strings written in Chinese. Additionally, the malware is protected with an open-source tool called RingQ, which encrypts the payload so that it is only decrypted and executed in memory, evading detection by security software that scans files on disk.

The malware’s C2 communication is managed via HTTP or HTTPS, using STOWAWAY to proxy encrypted traffic and iox for port forwarding, techniques previously seen in operations by the Chinese cyber espionage group Bronze Starlight, known for Cheerscrypt ransomware attacks. The researchers identified that BITSLOTH is delivered through DLL side-loading, using a legitimate executable related to FL Studio (“fl.exe”) to load the malicious DLL file (“flengine.dll”).

A distinctive feature of the latest BITSLOTH version is its new scheduling component, which allows the malware to operate only at specific times within a victim’s environment, similar to features seen in other modern malware families such as EAGERBEE. This component enhances the malware’s ability to evade detection and persist within targeted systems.

The malware is highly versatile, capable of executing commands, uploading and downloading files, performing enumeration and discovery, and harvesting sensitive data through keylogging and screen capture. It can manipulate its persistence, terminate arbitrary processes, log users off, restart or shut down the system, and even update or delete itself from the host machine.

One notable aspect of BITSLOTH is its use of BITS for C2, an appealing method for adversaries as many organisations struggle to monitor and detect unusual BITS network traffic. This built-in Windows feature is typically used for background data transfers, making it a stealthy choice for malicious activities.
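Because BITS traffic blends in with routine background transfers, the practical detection question is whether a given BITS job is talking to a destination an update service would use. As an added example that is not part of Elastic Security Labs’ research or this bulletin, the Go program below triages exported BITS client events: it looks at records carrying a remote URL (Event ID 59 of the Microsoft-Windows-Bits-Client/Operational channel, "BITS started the ... transfer job ... with URL ...") and flags jobs whose destination is outside an allowlist, is a raw IP literal, uses cleartext HTTP, or uses a non-standard port. The JSON field names, the allowlist entries and the sample events are constructed for the example; the vendor.example host is a placeholder for an organisation’s own update sources.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// BitsEvent is a simplified view of one record from the
// Microsoft-Windows-Bits-Client/Operational channel. Event ID 59 carries the
// remote URL of a started transfer, which is the field this check keys on.
// The JSON field names are this example's own, not Windows' event schema.
type BitsEvent struct {
	EventID int    `json:"event_id"`
	Job     string `json:"job"`
	URL     string `json:"url"`
}

// Destinations BITS is expected to talk to in this (hypothetical) estate.
// Entries starting with "." match the domain itself and all its subdomains.
var allowedHosts = []string{
	".microsoft.com",
	".windowsupdate.com",
	".update.vendor.example", // placeholder for an in-house or vendor update host
}

func hostAllowed(host string) bool {
	host = strings.ToLower(host)
	for _, a := range allowedHosts {
		if host == strings.TrimPrefix(a, ".") || strings.HasSuffix(host, a) {
			return true
		}
	}
	return false
}

// Assess returns the reasons a job's destination looks unlike a legitimate
// update transfer; an empty result means nothing stood out.
func Assess(e BitsEvent) []string {
	if e.EventID != 59 {
		return nil // only the "transfer started" record names the remote URL
	}
	u, err := url.Parse(e.URL)
	if err != nil || u.Host == "" {
		return []string{"unparseable URL: " + e.URL}
	}
	var reasons []string
	if !hostAllowed(u.Hostname()) {
		reasons = append(reasons, "destination not in allowlist: "+u.Hostname())
	}
	if net.ParseIP(u.Hostname()) != nil {
		reasons = append(reasons, "destination is a raw IP literal")
	}
	if u.Scheme == "http" {
		reasons = append(reasons, "cleartext HTTP transfer")
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		reasons = append(reasons, "non-standard port "+p)
	}
	return reasons
}

// Triage reads JSON Lines and returns every flagged job with its reasons.
func Triage(jsonl string) map[string][]string {
	flagged := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var e BitsEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // malformed export line; a real pipeline would count these
		}
		if r := Assess(e); len(r) > 0 {
			flagged[e.Job] = r
		}
	}
	return flagged
}

// SampleEvents is constructed for this example; it is not real telemetry.
const SampleEvents = `
{"event_id":59,"job":"Windows Update","url":"https://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc"}
{"event_id":4,"job":"Windows Update","url":""}
{"event_id":59,"job":"f3a9c1","url":"http://203.0.113.10:8080/api/poll"}
`

func main() {
	for job, reasons := range Triage(SampleEvents) {
		fmt.Printf("job %q flagged:\n", job)
		for _, r := range reasons {
			fmt.Println("  -", r)
		}
	}
}
```

In practice the allowlist is the tuning knob: the first week of output will be dominated by legitimate third-party updaters that need adding to it, after which what remains are the jobs worth a closer look, ideally correlated with the owning process and the file written to disk.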

However, thanks to the work of Elastic Security Labs, we have some potential indicators to look out for:

Although there are many conventional ways to track this down, there are a lot of different angles to approach it from, and it is likely difficult to tackle for any business without a dedicated security department. Luckily, you can leave it to the professionals: here at Norm, our Managed Threat Detection and Response service provides near real-time security monitoring for your network, services and devices. Using telemetry feeds, threat intelligence feeds, use cases and playbooks, the norm. Security Operations Centre (SOC) identifies and isolates threats in near real-time, giving you peace of mind 24 hours a day, every day.

References:

New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication (thehackernews.com)
Background Intelligent Transfer Service – Win32 apps | Microsoft Learn
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor — Elastic Security Labs

Acronis Vulnerability under attack

A Critical Vulnerability Puts Organisations at Risk

A severe security vulnerability has been discovered and exploited in Acronis Cyber Infrastructure (ACI), a widely used data protection solution. The flaw, tracked as CVE-2023-45249 and assigned a critical CVSS score of 9.8, allows remote code execution through the use of default passwords. This vulnerability poses a significant threat to organisations using ACI, as it could grant attackers complete control over affected systems, leading to data theft, ransomware deployment, or operational disruption.

The Threat Landscape

The exploitation of this vulnerability in the wild highlights the urgent need for organisations to prioritise security. Attackers are actively targeting systems with this flaw, and successful breaches can have severe consequences, including financial loss and reputational damage.

Acronis’ Response

Acronis has acknowledged the vulnerability and released patches to address the issue. The company has urged users to update their ACI installations to the latest versions immediately. While Acronis claims to have informed affected customers and provided necessary guidance, the ongoing exploitation of the vulnerability underscores the urgency of the situation.

Best Practices for Mitigation

To protect against this threat, organisations should implement the following measures:

  • Apply patches promptly: Update ACI to the latest version to address the vulnerability.
  • Strong password policies: Enforce the use of complex and unique passwords for all administrative accounts.
  • Regular security audits: Conduct thorough security assessments to identify and address potential vulnerabilities.
  • Network segmentation: Isolate critical systems and data to limit the impact of a successful attack.
  • Incident response planning: Develop a comprehensive incident response plan to minimise downtime and data loss in case of a breach.

Conclusion

The exploitation of the Acronis Cyber Infrastructure vulnerability serves as a stark reminder of the evolving threat landscape. Organisations must remain vigilant and adopt a proactive approach to security to protect their critical assets. By utilising Norm’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

References:

Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild (thehackernews.com)
NVD – CVE-2023-45249 (nist.gov)
CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.