The threat actor behind WIP26 has been targeting telecommunication providers in the Middle East. WIP26 is characterized by the abuse of public cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and command-and-control (C2). Because these services are widely used by legitimate business traffic, C2 and exfiltration channels that ride on them blend in with normal network activity.
WIP26 is also distinguished by three custom droppers: a fileless dropper, IMG-scraper, and a binary downloader.
Perhaps the most significant findings come from further analysis of WIP26's infrastructure. All identified targets were telecommunication providers in the Middle East, and many of them were connected to the same telecommunications provider organization, together with at least one hosting provider. The presence of that organization correlates with a large share of the observed WIP26 infections.
This indicates that the threat actor is deliberately targeting telecommunication providers in the Middle East, and that the organization in question accounts for a large number of the victims.
Some of the providers were also found to have weak cloud protection measures that WIP26 may have abused for exfiltration. For example, two of the telecommunication providers analyzed run self-signed certificates on their network hosts. A self-signed certificate proves only that the presenter holds the matching private key; no certificate authority vouches for it, so it does not validate the vendor's identity, and clients configured to accept such certificates cannot tell a legitimate host from one an attacker stands up.
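The practical first step against the self-signed-certificate weakness described above is to find out which hosts present one. The following Go program is an added example written for this page, not code from the original article or from any vendor report on WIP26. It builds two certificates in memory (a self-signed host certificate and a host certificate chained to a private CA; the host and CA names are made up for the example) and shows a check that classifies a certificate as self-signed only when its issuer equals its subject and its signature verifies under its own public key. In a real inventory the same `IsSelfSigned` function would be applied to certificates collected from TLS endpoints.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// IsSelfSigned reports whether cert was issued by its own key: the issuer
// name equals the subject name AND the signature verifies under the
// certificate's own public key. Checking only the names is not enough,
// since an attacker can put any name in the issuer field; checking the
// signature proves the key that signed it is the key in the certificate.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// issue creates a certificate from template, signed by signer's key.
// When parent == template the result is self-signed.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	return k
}

// BuildSamples constructs, in memory and purely for this example, one
// self-signed host certificate and one host certificate chained to a
// private CA. The host and CA names are hypothetical.
func BuildSamples() (selfSigned, caSigned *x509.Certificate, err error) {
	now := time.Now()
	hostKey := newKey()
	hostTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "host01.telco.example"},
		DNSNames:     []string{"host01.telco.example"},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// parent == template: the host signs its own certificate.
	selfSigned, err = issue(hostTmpl, hostTmpl, &hostKey.PublicKey, hostKey)
	if err != nil {
		return nil, nil, err
	}

	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Telco Internal CA"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	// Same host template, but now issued and signed by the CA.
	hostTmpl.SerialNumber = big.NewInt(3)
	caSigned, err = issue(hostTmpl, ca, &hostKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return selfSigned, caSigned, nil
}

func main() {
	self, chained, err := BuildSamples()
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range []*x509.Certificate{self, chained} {
		fmt.Printf("subject=%-22s issuer=%-20s self-signed=%v\n",
			c.Subject.CommonName, c.Issuer.CommonName, IsSelfSigned(c))
	}
}
```

Note that the CA in the second case is itself self-signed, as every root is; what matters for the host is that its certificate chains to something the client already trusts. An audit should therefore flag leaf certificates for which `IsSelfSigned` returns true, and separately confirm that the roots of the remaining chains are ones the organization intends to trust.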