Google warns of Chinese state actor hack in real-time following alerts

News
By published

UNC6384 is targeting diplomats across the world

China
(Image credit: Shutterstock)
  • Google warns of ongoing captive portal hijack attacks
  • Captive portals were being abused to redirect people to fake Adobe update sites
  • The "updates" deployed different malware and backdoors

Google has issued a warning about a Chinese state-sponsored hacking attack targeting users in real-time.

The company’s cybersecurity arm, the Google Threat Intelligence Group (GTIG), published a new blog outlining how it saw “evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities.”

Apparently, this campaign is the work of a group known as UNC6384, a Chinese state-sponsored actor, possibly tied to Silk Typhoon, a group known for cyber-espionage campaigns against government, critical infrastructure, and telco organizations in the West. The campaign, according to Google, targeted diplomats in Southeast Asia, as well as other entities around the world.

Fake security updates

A captive portal is essentially a login page. It usually pops up on public networks, such as on airports, or in coffee shops - right after connecting to the network, but before gaining access to the public internet. Sometimes it asks users to register an account, and sometimes viewing an ad and clicking “connect” is enough to be granted access.

Now, Google claims the Chinese compromised edge devices on those target networks (routers, firewalls, VPN gateways, and the such), and then used the instances to hijack the portals and redirect visitors to a malicious landing page.

Visitors are then prompted to download a “security update” for Adobe which is, in fact, malware. The initial payload, an MSI package, installs stage-two malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that connects to the attacker-controlled C2 server and grants unabated access to the target computer.

Google first observed this attack in March this year and sent out alerts to Gmail and Workspace users.

Whenever China is accused of engaging in cyber-warfare against its adversaries in the West, it denies any involvement and repeats its stance that the US is the biggest cyber-bully right now.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.