Home Security New Chinese language Cyberespionage Group Focusing on IT Service Suppliers and Telcos

New Chinese language Cyberespionage Group Focusing on IT Service Suppliers and Telcos

by crpt os


Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19.

The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection.

“Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion, during an interactive session with compromised machines,” SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week.

CyberSecurity

“This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth.”

WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Recorded Future.

The cybersecurity firm also noted that select portions of the malicious components employed by WIP19 were authored by a Chinese-speaking malware author dubbed WinEggDrop, who has been active since 2014.

WIP19 is said to share links to another group codenamed Operation Shadow Force owing to overlaps in the use of WinEggDrop-authored malware, stolen certificates, and tactical overlaps.

That said, SentinelOne noted, “it is unclear whether this is a new iteration of operation ‘Shadow Force’ or simply a different actor utilizing similar TTPs.”

Chinese Cyberespionage Group

Intrusions mounted by the adversarial collective rely on a bespoke toolset that includes a combination of a credential dumper, network scanner, browser stealer, keystroke logger and screen recorder (ScreenCap), and an implant known as SQLMaggie.

SQLMaggie was also the subject of an in-depth analysis by German cybersecurity company DCSO CyTec earlier this month, calling out its ability to break into Microsoft SQL servers and leverage the access to run arbitrary commands via SQL queries.

CyberSecurity

An analysis of telemetry data further revealed the presence of SQLMaggie in 285 servers spread across 42 countries, chiefly South Korea, India, Vietnam, China, Taiwan, Russia, Thailand, Germany, Iran, and the U.S.

The fact that the attacks are precision targeted and low in volume, not to mention have singled out the telecom sector, indicates that the primary motive behind the campaign may be to gather intelligence.

The findings are yet another indication of how China-aligned hacking groups are at once sprawling and fluid owing to the reuse of the malware among several threat actors.

“WIP19 is an example of the greater breadth of Chinese espionage activity experienced in critical infrastructure industries,” SentineOne researchers said.

“The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the defenders point of view.”





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex