The Fangxiao spoofing campaign is based on a network of more than 42,000 malicious websites and redirects
Cyjax researchers have published a report on how a financially motivated threat group known as “Fangxiao” carried out a massive website spoofing campaign, building a network of around 42,000 domains. The domains mimic very popular brands such as Coca-Cola, Emirates, McDonald's and many more, as the campaign impersonates entities in the retail, banking, travel, pharmaceutical, transportation, finance and energy sectors. The campaign appears to operate as a traffic-generating scam that earns ad revenue for the threat group's sites and monetizes the data of users unlucky enough to land on one of them. According to researchers who monitor Fangxiao's activity, the threat group registers nearly 300 new phishing domains per day. To make matters worse, some sites contain redirect queries that take victims to sites hosting malware such as the “Triada” Trojan. Users are initially brought to the fake sites by interacting with mobile advertisements or by falling victim to WhatsApp phishing messages with embedded malicious links leading to the group's phishing landing pages. Fake survey domains are also common, often containing countdown timers that create a sense of urgency so that the victim has less time for doubts. Upon completing the survey, victims may be asked to download a malicious application to collect their “reward”, which registers them as a new referral user for Fangxiao. The Cyjax report contains several reliable pointers to the Tactics, Techniques, and Procedures (TTPs) used by Chinese threat groups, including the group composing its own bait websites and ads in Mandarin and using email addresses attributed to Chinese threat actor accounts on known hacking forums. CTIX analysts will monitor the repercussions of this campaign and will continue to report on new TTPs used in cybercriminal activity.
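The brand-impersonation pattern described above lends itself to a simple defensive screen over newly observed domains, for example from passive DNS or certificate-transparency feeds. The Python below is an added example written for this digest, not code from Cyjax, Ankura or anyone tracking the campaign: the brand watch-list, the allow-list of legitimate domains and every domain it screens are constructed or assumed values, and the tiny suffix table stands in for a proper public-suffix library.

```python
"""Screen candidate domain names for impersonation of watched brands.

Added illustration for the Fangxiao item above; all lists and sample
domains below are constructed for the example, not campaign indicators.
"""
import re
from typing import List, Optional, Tuple

# Brands the report says the campaign mimics, lower-cased without punctuation.
WATCHED_BRANDS = ["cocacola", "emirates", "mcdonalds"]

# Assumed allow-list: in practice this comes from the defender's own inventory.
LEGITIMATE_DOMAINS = {"coca-cola.com", "emirates.com", "mcdonalds.com"}

# Stand-in for a public-suffix list; enough to split the samples correctly.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_label(domain: str) -> str:
    """Return the registrable label, e.g. 'promo-emirates' for 'www.promo-emirates.co.uk'."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in _TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Fold common digit-for-letter substitutions and drop non-letters ('c0ca-cola' -> 'cocacola')."""
    folded = label.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return re.sub(r"[^a-z]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_match(
    domain: str,
    brands: List[str] = WATCHED_BRANDS,
    allowlist=LEGITIMATE_DOMAINS,
) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the domain looks like a brand impersonation, else None.

    Two checks: the brand is embedded in the normalised label ('promo-emirates'),
    or the whole label is within two edits of the brand ('mcdonlds').
    """
    if domain.lower() in allowlist:
        return None
    label = normalise(registrable_label(domain))
    for brand in brands:
        # Substring check only for brands long enough to avoid noise.
        if len(brand) >= 5 and brand in label:
            return (brand, "contains")
        if levenshtein(label, brand) <= 2:
            return (brand, "lookalike")
    return None


def triage(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Run the screen over a feed and return (domain, brand, reason) for each hit."""
    hits = []
    for domain in domains:
        match = impersonation_match(domain)
        if match:
            hits.append((domain, match[0], match[1]))
    return hits


# Constructed sample feed: three look-alikes, one legitimate domain, one unrelated.
SAMPLE_DOMAINS = [
    "www.promo-emirates.co.uk",
    "c0ca-cola-survey.xyz",
    "mcdonlds.top",
    "emirates.com",
    "weather-report.example",
]

if __name__ == "__main__":
    for domain, brand, reason in triage(SAMPLE_DOMAINS):
        print(f"{domain:30} impersonates {brand:10} ({reason})")
```

The substring and edit-distance checks catch the two most common impersonation shapes (brand embedded in a longer label, and a misspelled brand); a production screen would add homoglyph handling for internationalised labels and a real public-suffix list, but the structure stays the same.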
Threat Actor Activity
The suspected Chinese state-sponsored threat group “Billbug” is waging a campaign of cyberespionage across Asia
Since at least March 2022, a suspected Chinese state-sponsored threat actor has been carrying out a cyberespionage campaign targeting government agencies, defense organizations, and a certification authority (CA) in several Asian countries. The threat actor is known as “Billbug” (also known as Thrip, Lotus Blossom, and Spring Dragon) and, according to security researchers, has been active for at least a decade. This information was revealed in a report published by Symantec, which has been tracking Billbug since 2018. This is a highly sophisticated threat actor, known for taking advantage of tools and utilities already present on the victim's systems, such as WinRAR and tracert, as well as deploying custom malware. Relying on legitimate tools helps the threat actor avoid detection and persist in the target environment for longer. Symantec was able to attribute this campaign to Billbug after identifying the use of two (2) proprietary backdoors that have been used in its other campaigns, known as Hannotog (“Backdoor.Hannotog”) and Sagerunex (“Backdoor.Sagerunex”). The Hannotog backdoor is a one-stop shop that modifies the victim's firewall to “enable all traffic and allow the threat actor to establish persistence on the compromised device, upload encrypted data, run commands, and download files to the device”. Part of Hannotog's functionality is to drop the Sagerunex backdoor, which establishes a connection to a command and control (C2) server owned by the attackers. Particularly disturbing in this latest campaign is Billbug's targeting of the CA victim: if a threat actor successfully compromises a CA, they can sign their malware with valid digital certificates, making it much harder for security controls to detect. CTIX analysts will continue to monitor state-sponsored actors and report their activities to our readers.
The Google Pixel smartphone vulnerability allows any user to bypass the lock screen
Android has received a patch for a critical vulnerability that allowed anyone with physical access to a locked Google Pixel smartphone to bypass the lock screen without providing the device PIN/password or biometric key. The bug was found by security researcher David Schütz, who was awarded $70,000 through Google's bug bounty program. The vulnerability, tracked as CVE-2022-20465, can be exploited in a straightforward five (5) step process detailed in Schütz's write-up, and yields local privilege escalation without the need for additional execution privileges or user interaction. Schütz states that to exploit the flaw, the attacker must first provide an incorrect fingerprint three (3) times in a row, which disables biometric authentication. The attacker then swaps the phone's physical SIM card for an attacker-controlled SIM card whose PIN is known to the attacker, and intentionally enters the wrong PIN three (3) consecutive times, locking the SIM card and causing the device to prompt for the SIM's Personal Unlock Key (PUK) code. The attacker then enters their PIN, and the device unlocks automatically. Google has patched this vulnerability, and all Pixel users should ensure that they are running the latest stable version of the software. CTIX analysts will continue to report on interesting vulnerabilities.
Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved. National Law Review, Volume XII, Number 320