Hacker News | haxrob's comments

Can attest, having searched through literally thousands of pages of documentation in an attempt to attribute the payment processing switch vendor when analysing the ATM jackpotting malware ‘fast cash for Linux’[1]. The best I could do was determine the currency used for the fraudulent transactions, which may imply the country of the target financial institution.

Would be curious if anyone else has further insights.

[1] https://haxrob.net/fastcash-for-linux/


"CrowdStrike cash on hand for the quarter ending April 30, 2024 was $3.702B, a 26.38% increase year-over-year." [1]

[1] https://www.macrotrends.net/stocks/charts/CRWD/crowdstrike/c...


That's just one class-action judgment from being $0.00.

I don't think it will happen, but we're not talking about a "just restore from backup" situation. When you look at the fact that, statistically, at least one person likely died (or will die) from this due to the problems hospitals had, and that some customers are still dealing with the fallout... I think they're significantly financially compromised after all of the dust settles.


> Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

10 million installs on Android, according to AndroidRank[1]. What we don't know (yet) is what % of those installs had the FB competitor traffic MITM'd.

[1] https://www.androidrank.org/application/onavo_protect_from_f...


Thanks, I have modified the wording and also quoted you and linked this HN post on the blog page.


> This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app

Do you have further insights or references on what the "trigger condition" was? This is a new case, separate from the previous litigation related to the VPN app.


The analytics domain was "sc-analytics.appspot.com"; the lack of pinning is described at the tail end of the blog post.


> Victims that were being paid to participate

I believe you might be referring to what happened in 2019? [1] This is a separate issue. [2]

I do clarify this in the blog post, although it might be better to move the relevant text near the introduction rather than in the middle of the post.

EDIT: I have also added a remark to the post that it is not clear if all users were MITM'd or just a subset

[1] https://techcrunch.com/2019/01/29/facebook-project-atlas/

[2] https://techcrunch.com/2024/03/26/facebook-secret-project-sn...


I think what is missing is a timeline and clarity about the actual steps users had to take.

1) Onavo was a (free?) VPN app acquired by FB in 2014. Facebook used it to collect “market research data.” People chose to download this, but thought it was a security product.

2) At some point (it looks like 2016?) they launched an iOS app called Research, using the same tech, which required users to install a certificate meant for internal Facebook employees. They paid these users to monitor their traffic.

Are you saying that the MITM was happening for users of (1) or (2) or both?


> from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The app was available on both the Google Play and Apple App stores for anyone to download.

> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

It could be that you are confused with a previous case. From the blog post:

> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook were ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shut down Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.

> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API

If by "local" on your own network/machine with your own traffic then obviously no.


Recommend taking a read of CrowdStrike's write up on this [1].

The threat actor maintains a presence on the roaming exchange through compromising "at least 13 telecommunication companies".

> If it's the former, then it seems very un-stealthy

In this article there is one example where the outbound connectivity to the Internet was via a "SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers."

In this example, the transit traffic before egress to the Internet would appear to be legitimate subscriber traffic - user payload encapsulated in a PDP context / GTP tunnel to another telco's GGSN / packet gateway.

> Which, maybe they don't care, but it seems like they're risking blacklisting.

By compromising so many telcos, there are many points of redundancy for persistence on the roaming exchange. This threat actor has remained on telco networks for many years undetected; their techniques are apparently quite effective.

[1] https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-t...
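The comment above describes C2 traffic riding inside a PDP context / GTP tunnel across the roaming exchange, where at the transit hop it is indistinguishable from ordinary subscriber data. As an added example (not code from the original post, the CrowdStrike article, or any telco tooling), the following decapsulates a GTPv1-U G-PDU (3GPP TS 29.281) and exposes the inner IPv4 flow, which is what an analyst on the GRX/IPX side would have to look at to see past the tunnel. The sample packet, TEID, addresses and ports are constructed for illustration, and the inner IPv4/TCP checksums are left zeroed because the example never puts the packet on the wire.

```python
"""Decapsulate GTPv1-U (3GPP TS 29.281) G-PDUs and expose the inner IPv4 flow.

Constructed example: a GTP-U packet as it would transit a roaming interconnect
between an SGSN and a GGSN, carrying a subscriber's IPv4/TCP packet. All
addresses, TEIDs and ports below are made up for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GTPU_PORT = 2152          # UDP port GTP-U runs over
MSG_TYPE_GPDU = 0xFF      # G-PDU: the message type that carries user payload (T-PDU)


@dataclass
class GtpU:
    version: int
    msg_type: int
    teid: int
    seq: Optional[int]
    payload: bytes


@dataclass
class Ipv4Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_gtpu(data: bytes) -> GtpU:
    """Parse the mandatory header, optional fields and extension headers; return the T-PDU."""
    if len(data) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    if not flags & 0x10:
        raise ValueError("PT=0 is GTP' (charging), not GTP-U")
    e, s, pn = flags & 0x04, flags & 0x02, flags & 0x01
    offset = 8
    seq = None
    if e or s or pn:
        # If any of E/S/PN is set, all three optional fields (4 octets) are present
        if len(data) < 12:
            raise ValueError("truncated optional header fields")
        seq_field, _npdu, next_ext = struct.unpack("!HBB", data[8:12])
        if s:
            seq = seq_field
        offset = 12
        # Extension headers: (length in 4-octet units, content, next type), 0 terminates
        while next_ext != 0:
            ext_len = data[offset] * 4
            if ext_len == 0 or len(data) < offset + ext_len:
                raise ValueError("malformed extension header")
            next_ext = data[offset + ext_len - 1]
            offset += ext_len
    # The length field counts everything after the 8-octet mandatory header
    end = 8 + length
    if end > len(data):
        raise ValueError("GTP-U length field exceeds packet")
    return GtpU(version, msg_type, teid, seq, data[offset:end])


def parse_inner_ipv4(payload: bytes) -> Ipv4Flow:
    """Pull the 5-tuple out of the encapsulated subscriber packet."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    sport = dport = None
    if proto in (6, 17) and len(payload) >= ihl + 4:   # TCP or UDP ports
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return Ipv4Flow(proto, src, dst, sport, dport)


def build_gtpu(teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Encapsulate a T-PDU in GTP-U; used here only to construct the sample packet."""
    flags = 0x30  # version 1, PT=1
    opt = b""
    if seq is not None:
        flags |= 0x02                                  # S bit: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)           # seq, N-PDU, next ext type (none)
    return struct.pack("!BBHI", flags, MSG_TYPE_GPDU, len(opt) + len(payload), teid) + opt + payload


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4 + TCP SYN with zeroed checksums (constructed sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample: TEID 0x1A2B3C4D carrying subscriber 10.45.0.7 -> 203.0.113.10:443
SAMPLE = build_gtpu(0x1A2B3C4D, build_ipv4_tcp("10.45.0.7", "203.0.113.10", 51234, 443), seq=7)


def describe(packet: bytes) -> dict:
    """Tunnel identity plus the inner flow, which is what transit-side inspection needs."""
    g = parse_gtpu(packet)
    if g.msg_type != MSG_TYPE_GPDU:
        return {"teid": g.teid, "msg_type": g.msg_type, "inner": None}
    f = parse_inner_ipv4(g.payload)
    return {"teid": g.teid, "seq": g.seq, "proto": f.proto,
            "src": f.src, "dst": f.dst, "sport": f.sport, "dport": f.dport}


if __name__ == "__main__":
    print(describe(SAMPLE))
```

The point of the decapsulation step is the one the comment makes: nothing in the outer UDP/2152 flow between the two operators' gateways distinguishes the emulator's traffic from any other roamer's, so any detection has to key on the inner flow (destination, port, volume per TEID) rather than on the tunnel itself.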


Thanks for the shout out Rob :) Great writeup yourself!


For those wondering, danielwmayer is one of the authors of the CrowdStrike article linked in the parent.


Holy mackerel, I had no idea their operation was so large. That's terrifying; I hope their network has been rolled up following CrowdStrike's article. In any event, it sounds like they don't have any shortage of outbound connectivity options.


> I believe them to be an adjacent team to the more well known Mustang Panda

This is interesting - the attribution for this actor has remained elusive for quite some time due to their consistent operational security.

Could you elaborate on how you came to this attribution? And to what confidence?


Don't think of a specific named actor as a tight knit group of hackers that own a project start to finish like you'd see in the movies. Really what we are identifying is a specific team within a multi-thousand person organization (or cooperating organizations). Just like any other big organization projects get handed off between teams based on their specializations.

LightBasin is a group that is highly experienced in telecommunications, is able to identify specific hardware from vendors and probably has the same gear sitting in a lab to test on. They are focused on COMINT collection and exploitation. There has been no evidence of them doing initial access work (establishing a foothold within specific networks), so they are likely being given access and then using their domain knowledge to pivot between different telecom providers on shared networks.

Mustang Panda on the other hand focuses on initial access to organizations and then stealing credentials, intellectual property, and most importantly internal documentation. You can start to see how these two groups would work hand-in-hand.

Based on victimology I believe the two to be within an organizational structure where information passes from one to the other. It is impossible to definitively state one way or the other without having information from within the Chinese government.

If you want further info, my email is in my profile.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operati...


Thanks Mike for sharing your insights.

