Chinese Hackers Compromise ISP, Infect macOS and Windows Devices via DNS Poisoning Attack
August 4, 2024
The Chinese hacker group StormBamboo, also known as StormCloud or Evasive Panda, compromised an Internet Service Provider (ISP) and, through it, macOS and Windows devices on that ISP's network.
In mid-2023, Volexity discovered multiple malware infections linked to StormBamboo, caused by a DNS poisoning attack at the ISP level.
The attackers altered DNS responses for software update domains to deploy malware, including MACMA and POCOSTICK (MGBot).
StormBamboo targeted various software vendors, using complex methods to deliver malware, including compromising the update process of 5KPlayer.
This incident highlights the severe risks associated with non-encrypted network communications, especially within key infrastructure like ISPs.
The incident confirmed earlier suspicions about the infection vector for POCOSTICK malware: DNS requests were being intercepted and poisoned.
StormBamboo's attack bypassed the need for end-user error by compromising the ISP directly through DNS poisoning, rather than relying on typical user mistakes.
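As an added, defender-side illustration (not code from the article or from Volexity), the Python below scans constructed resolver log lines for the pattern described above: answers for pinned software-update domains that fall outside their expected address ranges, or one address being handed out for several update domains at once. The domains, ranges and log lines are hypothetical.

```python
# Added example (not from the article or Volexity): flag resolver answers for
# software-update domains outside a pinned baseline, and one address answered
# for several update domains at once, in constructed log lines.
import ipaddress
from collections import defaultdict

# Constructed baseline: hypothetical update domains -> expected address ranges.
UPDATE_BASELINE = {
    "updates.example-vendor.com": ["203.0.113.0/24"],
    "dl.example-player.net": ["198.51.100.0/24"],
    "cdn.example-suite.org": ["192.0.2.0/24"],
}

# Constructed resolver log: "<unix_ts> <client_ip> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
1722700001 10.0.0.5 updates.example-vendor.com A 203.0.113.17
1722700002 10.0.0.7 dl.example-player.net A 192.0.2.200
1722700003 10.0.0.9 cdn.example-suite.org A 192.0.2.44
1722700005 10.0.0.9 dl.example-player.net A 198.51.100.8
1722700006 10.0.0.7 cdn.example-suite.org A 192.0.2.200
1722700007 10.0.0.7 updates.example-vendor.com A 192.0.2.200
"""

def parse_line(line):
    # Split one log line into its five whitespace-separated fields.
    ts, client, qname, qtype, answer = line.split()
    return {"ts": int(ts), "client": client, "qname": qname,
            "qtype": qtype, "answer": answer}

def in_baseline(qname, answer):
    """True if the answer lies inside a pinned range for this update domain."""
    ip = ipaddress.ip_address(answer)
    return any(ip in ipaddress.ip_network(n) for n in UPDATE_BASELINE[qname])

def find_suspicious(log_text, shared_threshold=2):
    """Return (out_of_baseline, shared): (qname, answer) pairs outside the pinned
    ranges, and answer -> sorted update domains that all resolved to it when at
    least shared_threshold did (several vendors' domains on one host)."""
    out_of_baseline = []
    domains_by_answer = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "A" or rec["qname"] not in UPDATE_BASELINE:
            continue  # only A answers for pinned update domains are checked
        if not in_baseline(rec["qname"], rec["answer"]):
            out_of_baseline.append((rec["qname"], rec["answer"]))
        domains_by_answer[rec["answer"]].add(rec["qname"])
    shared = {ip: sorted(d) for ip, d in domains_by_answer.items()
              if len(d) >= shared_threshold}
    return out_of_baseline, shared
```

Against the sample log this reports two out-of-baseline answers and one address shared by all three update domains; in practice the baseline would be built from answers obtained over an independent, authenticated path rather than from the ISP resolver itself.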
The malware included MACMA for macOS devices and MGBot/POCOSTICK for Windows, along with a malicious Google Chrome extension named RELOADEXT.
The RELOADEXT extension modifies Chrome's 'Secure Preferences' file so that browser cookies and other protected data are sent to the attacker, compromising user security.
The breach demonstrates the potential dangers of automated processes, particularly when they are unsecured, allowing attackers to hijack infrastructure to deliver malicious payloads.
While encryption does not guarantee security, it significantly reduces exposure compared with unencrypted communications, which a party that controls DNS can redirect without the client noticing.
The MACMA backdoor, detailed by Google in 2021, has been used since at least 2019 in watering hole attacks targeting iOS and macOS devices.
Summary based on 2 sources

