• btc = $66 817.00 -70.46 (-0.11 %)

  • eth = $3 078.78 -1.24 (-0.04 %)

  • ton = $6.35 -0.06 (-0.98 %)

  • btc = $66 817.00 -70.46 (-0.11 %)

  • eth = $3 078.78 -1.24 (-0.04 %)

  • ton = $6.35 -0.06 (-0.98 %)

21 Feb, 2023
2 min time to read

According to SentinelOne researchers, WIP26 is utilizing public cloud infrastructure to disseminate malware, keep pilfered data, and serve as a command-and-control center.

An unidentified cyber threat actor has launched a new cyber-espionage campaign targeting telecommunications companies in the Middle East. This campaign follows a trend of similar attacks on telecom organizations in multiple countries over the past few years.

The activity has been dubbed WIP26 by SentinelOne, as it cannot be attributed to a specific cyber-attack group. According to SentinelOne researchers, the campaign uses public cloud infrastructure to distribute malware, store stolen data, and serve as a command-and-control center. This is a common strategy used by threat actors to evade detection and increase the difficulty of identifying their activity on compromised networks.

In its report, the company stated that the WIP26 activity provides a pertinent example of how threat actors are constantly refining their TTPs in an effort to evade detection and overcome defenses. The use of public Cloud infrastructure for malware hosting, data exfiltration, and C2 purposes is aimed at creating an appearance of legitimacy, which allows malicious traffic to blend in with normal traffic and enables attackers to carry out their activities without being noticed.

SentinelOne, a security firm, detected a series of attacks that targeted specific individuals within telecommunications firms in the Middle East. The attacks began with WhatsApp messages containing a Dropbox link to an archive file. While the link was expected to contain information on poverty-related topics, it contained a malware loader instead. Clicking on the link installed two backdoors on the users' devices. The first backdoor, CMD365, used a Microsoft 365 Mail client for its C2, while the second backdoor, CMDEmber, utilized a Google Firebase instance for the same purpose.

According to SentinelOne, the backdoors were utilized by the attacker, WIP26, for various purposes, including reconnaissance, privilege escalation, additional malware deployment, and theft of private browser data, high-value system information, and other data. SentinelOne stated that much of the data collected by both backdoors indicates that the attacker is preparing for a future attack. The security vendor also noted that the initial intrusion vector involved precision targeting, and the targeting of telecom providers in the Middle East suggests that the motive behind the activity is espionage-related.

Over the past few years, telecom companies have been targeted by many threat actors, including WIP26. This has led security experts to emphasize the increased interest of cybercriminals in stealing customer data and hijacking mobile devices. However, most attacks on telecom providers have been motivated by cyberespionage and surveillance.