- Google warns of ongoing attacks on captive portals
- Captive portals were abused to redirect people to fake Adobe update sites
- The “updates” dropped several pieces of malware
Google has issued a warning about a hacking campaign, sponsored by the Chinese state, that is currently targeting users.
The company’s cybersecurity arm, the Google Threat Intelligence Group (GTIG), has published a new blog post describing how it observed “evidence of captive portal hijacking being used to deliver malware disguised as an Adobe plugin update to targeted entities”.
The campaign appears to be the work of a group tracked as UNC6384, a Chinese state-sponsored actor possibly linked to Silk Typhoon, a group known for cyber-espionage campaigns against government, critical infrastructure and telecommunications organizations in the West. According to Google, the campaign has targeted diplomats in Southeast Asia, as well as other entities around the world.
Fake security updates
A captive portal is essentially a login page. It usually appears on public networks, such as in airports or cafes, just after you connect to the network but before you get access to the public Internet. Sometimes it asks users to register an account; sometimes viewing an ad and clicking “connect” is enough to get access.
Google now says the Chinese actors compromised edge devices on the target networks (routers, firewalls, VPN gateways and the like), then used those footholds to hijack the captive portals and redirect visitors to a malicious landing page.
Visitors are then prompted to download a “security update” for Adobe which is, in fact, malware. The initial payload, an MSI package, installs malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that connects to an attacker-controlled C2 server and grants persistent access to the target computer.
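The pattern described above (a captive-portal redirect followed by a download of an Adobe-branded MSI from a host that is not Adobe's) is something a defender can hunt for in proxy logs. The following is an added example, not code from the article or from GTIG; the log format, the connectivity-check URL and the hostnames are constructed, and the Adobe allowlist is an assumption to be tuned per environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (client, status, method, URL); not real traffic.
# Client 10.0.0.5 hits a portal redirect, then fetches an "Adobe update" MSI from a lookalike host.
# Client 10.0.0.7 hits the same portal, then fetches a genuine installer from adobe.com.
SAMPLE_LOG = """\
10.0.0.5 302 GET http://connectivitycheck.example.net/generate_204
10.0.0.5 200 GET http://portal.example-hotspot.invalid/login
10.0.0.5 200 GET http://cdn-adobe-update.invalid/AdobePlugins_Update.msi
10.0.0.7 302 GET http://connectivitycheck.example.net/generate_204
10.0.0.7 200 GET https://ardownload2.adobe.com/pub/adobe/reader/AcroRdrDCUpd.msi
"""

# Assumption: domains from which a legitimate Adobe installer may be fetched.
ADOBE_ALLOWLIST = {"adobe.com", "adobe.io"}

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")


def host_allowed(host, allowlist=ADOBE_ALLOWLIST):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_suspicious_msi_after_portal(log_text):
    """Return (client, url) pairs where a client was redirected by a captive portal
    (3xx on a connectivity-check probe) and later downloaded an Adobe-branded .msi
    from a host outside the Adobe allowlist."""
    redirected_clients = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, status, _method, url = m.groups()
        parsed = urlparse(url)
        # A 3xx on the probe URL is the classic sign that a captive portal intercepted the client.
        if status.startswith("3") and "generate_204" in parsed.path:
            redirected_clients.add(client)
            continue
        if client not in redirected_clients:
            continue
        if parsed.path.lower().endswith(".msi") and "adobe" in url.lower():
            if not host_allowed(parsed.hostname or ""):
                hits.append((client, url))
    return hits
```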
Google first observed this attack in March this year and sent alerts to affected Gmail and Workspace users.
Whenever China is accused of waging cyber war against its opponents in the West, it denies any involvement and repeats its position that the United States is the biggest cyber threat right now.