- Google warns of ongoing captive portal hijacking attacks
- Attackers abused captive portals to redirect users to fake Adobe update sites
- The "updates" deployed several pieces of malware, including backdoors
Google has issued a warning about a Chinese state-sponsored hacking campaign targeting users in real time.
The company's cybersecurity arm, the Google Threat Intelligence Group (GTIG), published a new blog post describing how it saw "evidence of a captive portal hijack being used to deliver malware disguised as an Adobe plugin update to specific entities."
The campaign is apparently the work of a group tracked as UNC6384, a Chinese state-sponsored actor possibly linked to Silk Typhoon, a group known for cyberattacks against governments, critical infrastructure and telecom organizations in the West. According to Google, the campaign targeted diplomats in Southeast Asia, as well as other entities around the world.
False security updates
A captive portal is essentially a login page. It usually appears on public networks, such as at airports or in coffee shops, right after connecting to the network but before public internet access is granted. Sometimes it asks users to register an account; sometimes viewing an ad and clicking "Connect" is enough to get access.
Google says the Chinese attackers compromised edge devices in the target networks (routers, firewalls, VPN appliances and the like), and then used those devices to hijack the captive portals and redirect visitors to a malicious landing page.
Visitors are then prompted to download an Adobe "security update", which is in fact malware. The initial payload, an MSI package, installs two-stage malware, including CANONSTAGER and SOGU.SEC. The latter is a backdoor that connects to the attacker-controlled C2 server and gives unrestricted access to the target computer.
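Defenders can hunt for this pattern in web proxy or gateway logs: an operating-system connectivity probe redirected somewhere other than the network's own portal, followed by an installer download from that host. The following detection logic is an added example, not from the article or from Google, and runs over constructed log lines with hypothetical hostnames:

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log for one captive-portal session (not from the page).
# Format per line: METHOD URL STATUS extra  (extra = location=<url>, content-type=<type> or -)
SAMPLE_LOG = """\
GET http://connectivitycheck.example-os.net/generate_204 302 location=http://wifi-login.example.net/portal
GET http://wifi-login.example.net/portal 200 -
GET http://connectivitycheck.example-os.net/generate_204 302 location=http://plugin-update.example-bad.net/landing
GET http://plugin-update.example-bad.net/landing 200 -
GET http://plugin-update.example-bad.net/AdobePluginUpdate.msi 200 content-type=application/x-msi
GET http://connectivitycheck.example-os.net/generate_204 204 -
"""

# Hypothetical hosts the OS uses to probe for a captive portal, and the portal host the network owner expects.
PROBE_HOSTS = {"connectivitycheck.example-os.net"}
KNOWN_PORTAL_HOSTS = {"wifi-login.example.net"}
INSTALLER_SUFFIXES = (".msi", ".exe")

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Return (method, url, status, extra) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, url, status, extra = m.groups()
    return method, url, int(status), extra


def find_portal_hijacks(log_text):
    """Flag portal probes redirected to unexpected hosts, and installers fetched from those hosts."""
    findings = []
    redirect_hosts = set()  # unexpected hosts that a connectivity probe was redirected to
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, url, status, extra = rec
        host = urlparse(url).hostname
        # A redirected probe is the normal captive-portal mechanism; what matters is where it points.
        if host in PROBE_HOSTS and 300 <= status < 400 and extra.startswith("location="):
            target = urlparse(extra[len("location="):]).hostname
            if target and target not in KNOWN_PORTAL_HOSTS:
                redirect_hosts.add(target)
                findings.append(("medium", target, "probe redirected to unexpected portal host"))
        # An installer served by such a host matches the fake-update delivery described above.
        elif host in redirect_hosts and urlparse(url).path.lower().endswith(INSTALLER_SUFFIXES):
            findings.append(("high", host, "installer downloaded from hijacked portal host"))
    return findings
```

On the sample log the legitimate portal redirect produces no finding, while the second redirect and the MSI download from it yield a medium and a high finding.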
Google first observed this attack in March this year and sent alerts to Gmail and Workspace users.
Whenever China is accused of taking part in cyberattacks against its adversaries in the West, it denies any involvement and repeats its position that the United States is the biggest cyber-bully today.