- Google warns of ongoing captive portal hijack attacks
- Captive portals were being abused to redirect people to fake Adobe update sites
- The “updates” deployed different malware and backdoors
Google has issued a warning about a Chinese state-sponsored hacking attack targeting users in real-time.
The company’s cybersecurity arm, the Google Threat Intelligence Group (GTIG), published a new blog outlining how it saw “evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities.”
Apparently, this campaign is the work of a group known as UNC6384, a Chinese state-sponsored actor, possibly tied to Silk Typhoon, a group known for cyber-espionage campaigns against government, critical infrastructure, and telco organizations in the West. The campaign, according to Google, targeted diplomats in Southeast Asia, as well as other entities around the world.
Fake security updates
A captive portal is essentially a login page. It usually pops up on public networks, such as on airports, or in coffee shops – right after connecting to the network, but before gaining access to the public internet. Sometimes it asks users to register an account, and sometimes viewing an ad and clicking “connect” is enough to be granted access.
Now, Google claims the Chinese compromised edge devices on those target networks (routers, firewalls, VPN gateways, and the such), and then used the instances to hijack the portals and redirect visitors to a malicious landing page.
Visitors are then prompted to download a “security update” for Adobe which is, in fact, malware. The initial payload, an MSI package, installs stage-two malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that connects to the attacker-controlled C2 server and grants unabated access to the target computer.
Google first observed this attack in March this year and sent out alerts to Gmail and Workspace users.
Whenever China is accused of engaging in cyber-warfare against its adversaries in the West, it denies any involvement and repeats its stance that the US is the biggest cyber-bully right now.
