Zach Edwards

1.2K Followers
2.5K Following
114 Posts
privacy & data supply chain research // email me @ [email protected] for Signal // #build🔥🕸 ρᔕ𝐞ỮĎ𝔬Ňʸ๓Øᵘ丂
🕸️🏘️ https://victorymedium.com/
bird site: https://twitter.com/thezedwards

It's been over 2 years since Google said publicly (https://blog.google/products/android/introducing-privacy-sandbox-android/) they were moving forward with plans to deprecate the Android Advertising ID. This is the #1 thing that Google could do to improve privacy outcomes and reduce the ability of data brokers and random orgs / people to track Android users. Changes here would gut the current data broker ecosystem. Google just needs to do what they said they would do, and the world will be far more safe and private.*

*There are still plenty of problems with the advertising bid stream Google operates but fewer public promises for reforms there.

Introducing the Privacy Sandbox on Android

We are expanding the Privacy Sandbox initiative to Android to introduce new, more private advertising solutions to mobile.


Remember that polyfill[.]io supply chain attack from a couple months back that SanSec first reported on? A company called "FUNNULL" out of China was behind it. But wait, our team at Silent Push knew them?? 👀

Today, our team at Silent Push released a massive report about China threat actors associated with FUNNULL. We're dubbing the network "Triad Nexus" and there are a ton of details that are important for folks to appreciate.

Read the research @ https://www.silentpush.com/blog/triad-nexus-funnull/

@lorenzofb at @Techcrunch wrote up the research this morning "Researchers link Polyfill supply chain attack to huge network of copycat gambling sites" @ https://techcrunch.com/2024/10/22/researchers-link-polyfill-supply-chain-attack-to-huge-network-of-copycat-gambling-sites/

To give a little context to the research:
Our team had come across FUNNULL 2+ years ago because they were one of the hosts that a network of pig butchering job / investment scams were using. We wrote up that research publicly @ https://silentpush.com/blog/fake-trading-apps/ but didn't mention FUNNULL publicly at the time...

FUNNULL was not only hosting pig butchering scams, but was also directly behind the big polyfill supply chain attack, so we started work on the report released today. We were able to map out the FUNNULL CDN clients and realized ~all were borderline or clearly criminal schemes. 😲

On FUNNULL today, there's a retail phishing campaign which targets:
Aldo, Asda, Bonanza, Cartier, Chanel, Coach, eBay, Etsy, Gilt Groupe, Inditex, Lotte Mart, LVMH, Macy’s, Michael Kors, Neiman Marcus, OnBuy[.]com, Rakuten, Saks Fifth Avenue, Tiffany & Co., and Valentino.

Beyond the retail phishing campaign and pig butchering scams hosted on FUNNULL, we quickly realized that there were tens of thousands of online gambling websites in Mandarin hosted on this CDN. But surprisingly, most of the websites looked very similar...

Once we found the cluster of online gambling websites, we started to analyze the total number of brands seen here -- and we found a dozen unique brands, mostly orgs out of China. But why did these brands have these similar looking websites cloned across thousands of domains each?

During the course of the reporting process, we came to realize that the brand bWIN, among the brands with sites, was claiming they had *nothing* to do with the sites featuring their brand on the FUNNULL CDN. So why would someone create thousands of sites with their brand? WTF??

Our team continued to investigate the online gambling websites and we were able to find a template hosted on a Github repo that was referenced in FUNNULL source code which was about "跑分" -- basically Chinese slang for money moving/ money laundering.

We continued to investigate the money moving network associated with FUNNULL and came to realize the Telegram accounts promoted on these pages were signing up clients for these schemes. A whole network of Telegram accounts is being used for this, which look like:

We also realized that among the gambling brands being used on the FUNNULL CDN, it included the brand "Suncity Group" -- this brand may be ~unknown in the Western world, but they are behind one of the largest money laundering rings in the world. Their FUNNULL sites look like this:

Suncity Group may similarly be having their trademarks abused, just like BWIN, but Suncity's CEO is facing 18 years in jail in China, along w/ dozens of SCG executives, and they were alleged to have laundered $40 billion through casinos and gambling junkets.

Suncity Group was also featured in a U.N. report about money laundering and organized crime earlier this year @ https://unodc.org/roseap/uploads/documents/Publications/2024/Casino_Underground_Banking_Report_2024.pdf // SCG is credibly alleged to have laundered millions of dollars for Lazarus Group -- the North Korean hackers.

So what we've found at this point is a Chinese network hosting tens of thousands of online gambling websites, which are clones of each other, using ~12 different gambling brands on the sites. One brand has publicly claimed no affiliation to it and their brand is being abused...

On many of the FUNNULL gambling sites in Mandarin, there are "Tether deposit bonuses" and what is basically a Tether lottery.

And to make matters worse, most of the websites -- from the retail phishing websites and pig butchering scams, to these murky online gambling websites -- are renting IP space from Microsoft and Amazon. And Microsoft has been renting to them since at least 2021!

Our team believes that once this shakes out, FUNNULL or their largest client is likely operating a fake online gambling ring abusing the trademarks of a dozen major brands for the purpose of money laundering. We hope none of the casino companies are directly involved, but TBD.

It seems clear that both Amazon and Microsoft and other vendors who have been selling IP space to the FUNNULL CDN haven't done proper due diligence on the content hosted on these websites. We found ~nothing that was legitimate -- from pig butchering investment and job scams, to hundreds of retail phishing websites, and tens of thousands of online gambling websites with murky purposes. It is all borderline or clearly illegal content.

Our investigation into the FUNNULL CDN is massive and I couldn't include all the details from our investigation in this thread. Take a look at the research @ https://silentpush.com/blog/triad-nexus-funnull/ and don't hesitate to ping if you've ever seen something similar or have any details to share!🌩️⚖️

Triad Nexus: Silent Push exposes FUNNULL CDN hosting DGA domains for suspect Chinese gambling sites, investment scams, a retail phishing campaign, and a polyfill.io supply chain attack impacting 110,000+ sites - Silent Push


Fin7 aka Sangria Tempest is back on their bullshit w/ scaled up infrastructure attacking a wide range of Western targets. We’ve been working on this massive report for months and now can publicly explain that Fin7 has over 4,000 domains and IPs they are using for these attacks.🧵

Read the Krebs on Security post “The Stark Truth Behind the Resurgence of Russia’s Fin7” @ https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

Read our full piece @ https://www.silentpush.com/blog/fin7/

Fin7 has been operating for over a decade, with DOJ noting there were 70+ people (https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme) within this financial crime group, “...organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems.” Over the last few years there was a huge push by the DOJ/FBI to take down their network, which resulted in 3 indictments and a bold statement by the DOJ in 2023 that “Fin7 as an entity is no more.”

But just weeks after the DOJ made their bold / ridiculous claim, Microsoft Threat Intelligence was already publicly saying “Financially motivated cybercriminal group Sangria Tempest (ELBRUS, FIN7) has come out of a long period of inactivity.” https://x.com/MsftSecIntel/status/1659347799442432002

For most of 2023, Fin7 was operating quieter than normal and there were few public reports about their attacks. But starting in 2024 that all changed, and there have now been reports from several respected cybersecurity companies about niche attacks they have seen through their own client visibility.

But at Silent Push, we don’t rely on client data for visibility - it’s our own data from our own scanning methods. And we scan the internet billions of times per day, at a scale that makes it possible for us to track all types of threats. We ended up getting a lead from a source which helped us pivot into more… and more… and more of the new Fin7 infrastructure.

For the past few months we’ve been sitting on thousands of their domains – watching the content change – testing and understanding their orchestration methods — and collaborating with clients and peers in the industry to ensure we knew what was going on and their targets were being warned.

During this process, we picked up phishing and malware delivery infrastructure targeting numerous major brands. Some of those include: Louvre Museum, Meta, Reuters (and WestLaw), Microsoft 365, Wall Street Journal, Midjourney, CNN, Quickbooks, Alliant, Grammarly, Airtable, Webex, Lexis Nexis, Bloomberg, Quicken, Cisco (Webex), Zoom, Investing[.]com, SAP Concur, Google, Android Developer, Asana, Workable, SAP (Ariba), Microsoft (Sharepoint), RedFin, Manulife Insurance, Regions Bank Onepass, American Express, Twitter, Costco, DropBox, Netflix, Paycor, Harvard, Affinity Energy, RuPay, Goto[.]com, Bitwarden, and Trezor.

Software being targeted includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.

We also discovered a new cybersecurity shell company cybercloudsec[.]com – which aligns to past Fin7 TTPs (https://www.justice.gov/opa/press-release/file/1084361/dl?inline). Fin7 previously created a fake computer security company called “Combi Security” which was used to recruit new members and further their attacks.

Some of the new Fin7 infrastructure will redirect some visitors to malicious phishing pages and other visitors to boring shell websites. We saw this behavior with the domain escueladeletrados[.]com which for some visitors looked like a random commercial website and other visitors were redirected to a phishing page targeting Alliant Credit Union.

We picked up Facebook Business Manager phishing pages with slick phishing kits integrated into them.

We even picked up a custom Louvre Museum phishing page that looks identical to the real thing, and is potentially targeting Paris, France visitors to the Olympics right now.

Fin7 is targeting the users of popular website host Wpengine with multiple domains set up for phishing.

We’ve also recently seen a new crypto phishing widget that Fin7 was testing on a new site, which targeted Coinbase, Metamask, Rainbow Crypto Wallet, Ronin Wallet, OKX Wallet, Trust Wallet, Exodus, Phantom, and WalletConnect. We expect to see increased crypto targeting from Fin7 in the near future.

Fin7 has also been targeting CNN + WSJ + Reuters — three major news organizations each have malware named after them which is being served to users who find their way to one of the Fin7 pages that pushes a fake browser extension. We’ve seen the WSJ + Reuters phishing pages and they look like exact copies of the real news websites. We haven’t seen a live CNN malware delivery page yet but believe they could exist or will sometime in the near future.

Fin7 also has malware delivery infrastructure that spoofs Microsoft Sharepoint.

I could go on and on about what Fin7 is doing and why everyone in the cybersecurity community needs to get them back on their radar, but I’d encourage folks to review the Krebs piece @ https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/ and our full research @ https://www.silentpush.com/blog/fin7/

Don’t hesitate to reach out with any questions or new leads for tracking Fin7 – thanks for everyone’s work to slow down these folks' new operations!

The Stark Truth Behind the Resurgence of Russia’s Fin7 – Krebs on Security

The Register has a great recap on the increased attention by US and European regulators on data brokers today, "US and Europe try to tame surveillance capitalism" @ https://www.theregister.com/2024/03/05/us_europe_capitalism/ Proud that my "real pure fuckery" quote made the cut. 🙃🖖🏻
US and Europe try to tame surveillance capitalism

Trade watchdog argues that browsing and location data are sensitive and deserve to be defended

There are some open questions that I think still exist within Google's privacy sandbox "Related Website Sets" implementation - how pub groups navigate service domain restrictions, the 5-domain cap for associated domains, O&O intent / future blockage. I wrote up the comments @ https://github.com/GoogleChrome/related-website-sets/issues/285
Open questions about RWS · Issue #285 · GoogleChrome/related-website-sets

howdy after this was published (https://digiday.com/media/wtf-are-related-website-sets-in-googles-privacy-sandbox/) it raised questions for me about what is allowed under RWS, as I haven't seen spe...

Linkedin T&S has some interesting automated processes for reports / appealing rejected reports - glad to see they've got a manual review somewhere in there! 🖖
Just realized one reason why specific threat actors targeted Linkedin so heavily with spam targeted to kids and gamers (original post @ https://www.linkedin.com/pulse/linkedin-spam-targeted-kids-gamers-hosting-ad-fraud-zach-edwards-vvhxc%3FtrackingId=yo2RF%252FJ%252FToyGceAuVE2G7g%253D%253D/)... Google includes specific Linkedin[.]com content within "featured snippets" so there are now scam efforts taking advantage of this and successfully getting their scam content listed as the featured snippet link on Google.
Google responded to the IAB in full about ongoing privacy sandbox concerns @ https://docs.google.com/document/d/10608Tp57alonCiBN9D2-0UfV_C6FFLsV5nh6sBaA5rA/preview#heading=h.si8ssexm0ul6 but I made some edits I thought were missing:
Privacy Sandbox response to IAB Tech Lab's Fit Gap Analysis for Digital Advertising

super excited to get my new toothbrush online my teeth will thank me later
If you're one of those people who can't find the Windows setting to stop MSFT Edge from importing your Chrome history... I confirmed that there's an obscure setting to sync Chrome data into Edge (+ it's shared to MSFT if you're signed-in & sync your browsing data) -- to turn it off, open Edge then: edge://settings/profiles/importBrowsingData