U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

WIP19, a new Chinese APT targets IT Service Providers and Telcos

Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia. SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia. The experts believe the group operated for cyber espionage purposes and is […]

WIP19

Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia.

SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia.

The experts believe the group operated for cyber espionage purposes and is a Chinese-speaking threat group.

The researchers pointed out that the cluster has some overlap with Operation Shadow Force, but uses new malware and different techniques.

The activity of the group is characterized by the usage of a legitimate, stolen digital certificate issued by a company called DEEPSoft, that was used to sign malicious code in an attempt to avoid detection.

“Almost all operations performed by the threat actor were completed in a “hands-on keyboard” fashion, during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.” reads the report published by SentinelOne.

“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014.”

The researchers noticed that portions of the malicious components used by WIP19 were developed by a Chinese-speaking group tracked as WinEggDrop, who has been active since 2014.

WIP19 also seems to be linked to the Operation Shadow Force group due to similarities in the use of malicious artifact developed by WinEggDrop and tactical overlaps.

“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor utilizing similar TTPs.” continues the report. “The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”

The researchers linked an implant dubbed “SQLMaggie”, recently described by DCSO CyTec, to this activity.

WIP19

The threat actors employed multiple tools in their attacks, including ìa credential dumper, network scanner, browser stealer, keystroke logger and screen recorder (ScreenCap).

SQLMaggie is used to compromise Microsoft SQL servers and leverage the access to run arbitrary commands via SQL queries.

Experts reported instances of the SQLMaggie implant in 285 servers spread across 42 countries, most of them in South Korea, India, Vietnam, China.

The experts have no doubts about the attackers’ motivation, another China-linked threat actor is gathering intelligence with this operation.

“WIP19 is an example of the greater breadth of Chinese espionage activity experienced in critical infrastructure industries,” SentineOne concludes.

“The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the defenders point of view.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, China)

[adrotate banner=”5″]

[adrotate banner=”13″]