operation poisoned news

News highlights:

  1. Hackers launch Operation Poisoned News to install spyware on victims’ mobile phones
  2. The targeted people are iOS users in Hong Kong; the hackers have been dubbed ‘TwoSail Junk’
  3. The operation is a watering hole cyberattack that uses links to popular local news websites
  4. Fraudulent links to news about COVID-19, sex or clickbait topics are circulated on forums
  5. The attack leads to the installation of LightSpy malware, which can collect information or even lead to a total takeover of the victim’s mobile phone

Hackers are known to exploit existing vulnerabilities but that doesn’t stop them from being creative at their jobs.

What is the most common and effective vulnerability right now? Definitely, the Coronavirus, and the hackers are actively exploiting people’s vulnerable nature towards the pandemic.

In this time of social distancing, our only source of information is news.

It is not surprising that some hackers decided to take advantage of it by launching a watering hole cyberattack on Hong Kong netizens.

Trend Micro and Kaspersky have analysed the campaign and dubbed it ‘Operation Poisoned News’.

What is Operation Poisoned News?

As we told you, it is a watering hole cyberattack which means that the hackers target a specific group of users by observing the kinds of websites they visit and infecting one of those websites.

In Hong Kong, hackers have targeted users who visit certain popular forums and local websites for news (in this case, news related to COVID-19, sex or random clickbait content).

This is how Operation Poisoned News works:

  • The hacker infects a particular website that is popular among the target victim group
  • The hacker posts the malicious link to the website online or sends it personally to the victims
  • The victims, thinking the link is genuine, click it and fall for the trick
  • The victim is taken to the hacker’s website, which contains three iframes
  • The only visible iframe directs the victim to the genuine news website
  • A hidden iframe executes the malicious script
  • Using an exploitable vulnerability in iOS, the hacker successfully installs spyware on the victim’s device
[Figure: List of news topics posted by the campaign (Source: Trend Micro)]
[Figure: Forum post with the link to the malicious site (Source: Trend Micro)]
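The landing-page layout described above (one visible iframe to the real news site, hidden iframes that load something else) is something a defender can check for when triaging a suspicious link. The following is an added example, not code from the original article or from either vendor’s analysis; it runs on a constructed sample page, and the hostnames in that sample are made up.

```python
"""Flag hidden iframes on a landing page that point somewhere other than
the visible content. Standard library only; runs offline on a sample."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumption): one visible frame to a news site,
# two hidden frames to other hosts. Not the real campaign's HTML.
SAMPLE_HTML = """
<html><body>
<iframe src="https://news.example.org/article/123" width="100%" height="900"></iframe>
<iframe src="https://cdn.example-bad.test/loader.js" width="0" height="0"></iframe>
<iframe src="https://exploit.example-bad.test/stage1" style="display:none"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Heuristic: display:none / visibility:hidden, or a 0-1px dimension."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False

def analyse(html):
    """Return visible and hidden iframe hosts, plus hidden hosts that do
    not also appear as visible content (the watering-hole pattern)."""
    parser = IframeCollector()
    parser.feed(html)
    visible, hidden = [], []
    for attrs in parser.iframes:
        host = urlparse(attrs.get("src", "")).hostname or ""
        (hidden if is_hidden(attrs) else visible).append(host)
    suspicious = [h for h in hidden if h not in set(visible)]
    return {"visible": visible, "hidden": hidden, "suspicious": suspicious}

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```

The heuristic only covers inline attributes and styles; a frame hidden through an external stylesheet or a script-created iframe would need a rendered-DOM check instead.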

How dangerous is it?

As the name suggests, the operation is highly poisonous.

After exploiting the iOS vulnerability, the hackers install the LightSpy malware on the victim’s phone, which can not only collect and send massive amounts of personal information to the hacker but can also lead to complete takeover of the victim’s phone.

The Safari vulnerability that the malware is exploiting is a silently fixed bug that ‘when rendered on the browser leads to the exploitation of a use after free memory flaw (tracked as CVE-2019-8605)’.

The UAF memory flaw can let the hacker execute arbitrary code with root privileges.

[Figure: LightSpy’s infection chain (Source: Trend Micro)]

The vulnerable iOS versions are iOS 12.1 and 12.2. The LightSpy malware is a backdoor that the hackers use to execute commands and secretly exchange data with the victim’s device.

Data exfiltration of the victim includes a lot of details like:

  • WiFi network details and history
  • Contacts
  • GPS Location
  • Hardware details
  • iOS keychain
  • Call logs
  • Safari and Chrome browser history
  • SMS messages
  • Local network IP addresses

The vulnerability has been fixed in the following OS versions:

  • iOS 12.3
  • macOS Mojave 10.14.5
  • tvOS 12.3
  • watchOS 5.2.1

Who is behind Operation Poisoned News?

Kaspersky has dubbed the threat group as TwoSail Junk.

It is probable that this APT group is linked to a Chinese-speaking APT group called Spring Dragon, also known as Lotus Blossom or Billbug (Thrip). dmsSpy, an Android version of the same malware, was circulating last year and spread through Telegram channels by impersonating useful apps such as a Hong Kong protest calendar.

The link between dmsSpy and LightSpy is that both of their command and control servers use the same domain hkrevolution[.]club.

The only way you can protect yourself against such attacks is to not trust links sent by others, even if they appear on trusted forums and link to trusted websites.

News, sexual content and clickbait are among the major sources of traffic used to lure unsuspecting users into a malware trap.

It is best to search for a news article yourself rather than click a suspicious-looking link.

You should also refrain from using unauthenticated sources to download apps.

What do you think about this news? Let us know your thoughts and comments in the section below.

Stay tuned, stay safe.

