Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Israel. Show all posts

3 Billion Attacks and Counting: The IDF’s Cyber Resilience

3 Billion Attacks and Counting: The IDF’s Cyber Resilience

The Battlefield: Cloud Computing

Cloud computing has become an integral part of modern military operations. The IDF relies heavily on cloud-based systems from troop management to logistics, communication, and intelligence gathering. These systems allow for flexibility, scalability, and efficient resource allocation. 

However, they also make attractive targets for cyber adversaries seeking to disrupt operations, steal sensitive information, or compromise critical infrastructure.

The Israel Defense Forces' cloud computing network has been subjected to almost three billion cyber attacks since the conflict between Israel and Hamas began on October 7, according to the officer in charge of the military's computer section. However, all of the attacks were detected and did not do any damage.

Col. Racheli Dembinsky, chief of the IDF's Center of Computing and Information Systems (Mamram), made the discovery on Wednesday during the "IT for IDF" conference in Rishon Lezion.

According to Dembinsky, the attacks targeted operational cloud computing, which is used by numerous systems that serve troops on the ground during conflict to communicate information and forces' whereabouts.

The Scale of the Threat

Three billion attacks may sound staggering, and indeed it is. These attacks targeted operational cloud computing resources used by troops on the ground during combat. Imagine the strain on the network as thousands of soldiers accessed critical data simultaneously while under fire. Despite this immense pressure, Mamram’s cybersecurity experts managed to fend off every attempt.

Dembinsky did not specify the types of assaults or the level of danger they posed, but she did state that they were all blocked and that no systems were penetrated at any time.

Mamram, the IDF's central computing system unit, is responsible for the infrastructure and defense of the military's remote servers.

Hamas terrorists stormed Israel on October 7, killing over 1,200 people, the majority of them were civilians, and capturing 251. It has also been stated that cyberattacks were launched against Israel on October 7. Dembinsky corroborated this.

The Human Element

While technology played a crucial role, the expertise and dedication of Mamram’s personnel truly made a difference. These cyber warriors worked tirelessly, analyzing attack vectors, identifying vulnerabilities, and devising countermeasures. Their commitment to safeguarding Israel’s digital infrastructure was unwavering.

Since the start of the war, certain cyberattacks have been effective against Israeli civilian computer systems. Iranian-backed hackers targeted the Israel State Archives in November, and it was only recently restored to service. Hackers also successfully targeted the computer systems of the city of Modiin Illit.

The Defense Strategy

Last month, Israel's cyber defense chief, Gaby Portnoy, stated that Iran's cyber attacks have become more active since the commencement of the war, not only against Israel but also against its allies.

GPS Warfare: Ukraine-Israel Tensions Raise Alarms

GPS is used for navigation in almost every device in this age of rapid technological development. Israel may have been involved in recent GPS jamming and spoofing occurrences in Ukraine, according to reports that have revealed a worrying trend. These accidents constitute a serious threat to the worldwide aviation sector and a topic of regional concern. 

The New York Times recently reported on the growing instances of GPS disruptions in Ukraine, shedding light on the potential involvement of Israeli technology. According to the report, Israel has been accused of jamming and spoofing GPS signals in the region, causing disruptions to navigation systems. The motives behind such actions remain unclear, raising questions about the broader implications of electronic warfare on international relations. 

The aviation sector heavily relies on GPS for precise navigation, making any interference with these systems potentially catastrophic. GPS jamming and spoofing not only endanger flight safety but also have the capacity to disrupt air traffic control systems, creating chaos in the skies.

The aviation industry relies heavily on GPS for precision navigation, and any interference with these systems can have dire consequences. GPS jamming and spoofing not only jeopardize the safety of flights but also can potentially disrupt air traffic control systems, leading to chaos in the skies.

The implications of these incidents extend beyond the borders of Ukraine and Israel. As the world becomes increasingly interconnected, disruptions in one region can reverberate globally. The international community must address the issue promptly to prevent further escalations and ensure the safe operation of air travel.

Governments, aviation authorities, and technology experts need to collaborate to develop countermeasures against GPS interference. Strengthening cybersecurity protocols and investing in advanced technologies to detect and mitigate electronic warfare threats should be a priority for nations worldwide.

Preserving vital infrastructure, like GPS systems, becomes crucial as we manoeuvre through the complexity of a networked world. The GPS jamming events between Israel and Ukraine serve as a sobering reminder of the gaps in our technology and the urgent necessity for global cooperation to counter new threats in the digital era.

Israeli Cyber Firms Unveil Groundbreaking Spyware Tool


Israeli cybersecurity companies have made an unparalleled spyware tool available, which has shocked the whole world's computer sector. This new breakthrough has sparked discussions about the ethics of such sophisticated surveillance equipment as well as worries about privacy and security.

According to a recent article in Haaretz, the Israeli cyber industry has unveiled a cutting-edge spyware tool that has been dubbed InsaneT.This highly advanced technology reportedly possesses capabilities that make it virtually impervious to existing defense mechanisms. As the article states, "Israeli cyber firms have developed an insane new spyware tool, and no defense exists."

The tool's sophistication has caught the attention of experts and cybersecurity professionals worldwide. It has the potential to reshape the landscape of cyber warfare and espionage, making it both a remarkable achievement and a significant cause for concern.

The InsaneT spyware tool's capabilities remain shrouded in secrecy, but it is said to be capable of infiltrating even the most secure networks and devices, bypassing traditional security measures with ease. Its existence highlights the ever-evolving arms race in the world of cybersecurity, where hackers and defenders constantly vie for the upper hand.

While the Israeli cyber industry boasts about this technological breakthrough, ethical concerns loom large. The Register, in their recent report on InsaneT, emphasizes the need for a robust ethical framework in the development and deployment of such powerful surveillance tools. Privacy advocates and human rights organizations have already expressed their apprehension regarding the potential misuse of this technology.

As the world becomes increasingly interconnected, issues related to cyber espionage and surveillance gain prominence. The introduction of InsaneT raises questions about the balance between national security interests and individual privacy rights. Striking the right balance between these two conflicting priorities remains an ongoing challenge for governments and technology companies worldwide.

An important turning point in the history of cybersecurity was the appearance of the spyware tool InsaneT created by Israeli cyber companies. Considering the ethical and security ramifications of such cutting-edge technology, its unmatched capabilities bring both opportunities and risks, highlighting the necessity of ongoing discussion and international cooperation. Governments, corporations, and individuals must manage the complexity of cybersecurity as we advance in the digital era to ensure that innovation does not compromise privacy and security.


Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations

 

A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing. 

The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past. 

After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and ProcDump.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), creating distinct encryption keys for each file and appending encrypted metadata at their conclusion. This process begins immediately after the target files are launched.

In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts. 

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.

Upper Galilee Irrigation Systems Crippled by Cyberattack

 


There have been reports of several water monitors malfunctioning on Sunday due to a cyberattack targeting monitoring systems that monitor irrigation systems and wastewater treatment systems. 

It has been found that specific water controllers used to irrigate fields in the Jordan Valley, as well as the Galil Sewage Corporation's sewage control system, were damaged as a result. 

To resolve the issue and restore performance to the systems in both major domains, managers of both major systems pushed their teams to work Sunday morning on the issue. There is no information about the source of the cyberattack. 

Information About Cyberattacks 

It was reported several days earlier that a cyberattack was planned in the region. In the wake of the warning, some farmers turned in their irrigation systems for manual operation instead of remote control and disconnected the remote control option. 

As a result, harm was prevented by the attack. According to a report from Cybersecurity Week, many users who left their systems on remote control had their systems compromised. 

The National Cyber Organization alerted the public last week that anti-Israeli cyber attackers were putting up more attacks throughout Ramadan due to the fasting season. The past week was full of massive cyberattacks against Israeli media organizations, medical websites, government websites, and university websites. There were many holidays observed during this time, including Passover. 

According to Ofer Barnea, chief executive officer of the Upper Galilee Agriculture Company, Israel Hayom reported that three days ago the company was notified of a potential cyber attack. It has been instructed that farmers disconnect the controllers to make contact with them. Someone had not disconnected them this morning, but they insisted they had been disabled since the controllers were still active. The total number of victims is seven. The farmers told the directorate that they could not access their controllers. 

The Israeli Postal Company announced on Sunday that some services would not be available on April 5, the first night of Passover, due to a cyberattack. 

There is a group of hackers who gather every April to participate in Israel. This is a one-day hacking event meant to harm Israel's critical infrastructure and let Israel suffer the damage. 

Several companies and entities are involved in these attacks that are part of an annual event called OPIsrael, a hacking event committed to harming Israel's critical infrastructure every April. 

The Hula Valley region is being targeted by armed bands who target thousands of water monitors. This attack has a direct impact on the physical dimension and, beyond simply causing panic and fear, impacts agricultural areas.

FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, several agents from the US Federal Bureau of Investigation worked to enhance the rollout of Pegasus, the notorious phone-hacking program created by Israel's NSO Group. 

What is Pegasus?

Once installed, Pegasus spyware enables the user to fully manage a target's phone, allowing them to see messages, listen in on calls, and access the phone as a remote listening device.

Significant numbers of human rights activists, journalists, politicians, and corporate executives were reportedly designated as potential targets of NSO's Pegasus program, which has caused criticism for the Israeli company responsible for its development. 

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The highly classified files, which were provided to the Times in response to a FOIA request, reveal that agency officials had developed guidelines for federal prosecutors concerning how to disclose Pegasus usage in court proceedings and were progressed in organizing to brief FBI heads on the malware.

Additionally, the FBI asserted that Pegasus had never been used to assist an FBI investigation. The FBI only obtained a restricted license for product testing and evaluation, the statement read "There was no functional use in support of any investigation."

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

The FBI examined NSO's Phantom software, which has the ability to hack US phones, earlier this year, the press reported. After learning that NSO's hackers were linked to violations of human rights all around the world and as negative press about the technology spread, the FBI eventually opted against utilizing it.

The New York Times broke the news of the FBI's acquisition of Pegasus in 2019 while the Trump administration was in control. However, the bureau has still not ruled out the potential of using comparable technology in the future, the report said, citing recent court records.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



Iranian Hackers: Israeli Tourism Sites Targeted

A malware targeted websites for the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable to users by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, credit card details, and etc.

Websites were compromised 

As per hackers, the affected websites are hotels.co.il, isrotel.com, minihotel.co.il, tivago.co.il, and danhotels.com. Tuesday morning, according to the company, hotels.co.il was inaccessible, however by Tuesday afternoon, the site had loaded. 

"Hello once more! If you don't want your data disclosed by us, contact us as soon as possible," on Friday night, the hackers posted a message on Telegram. A follow-up message stated: "They did not get in touch with us, the first list of data is here " the group said, posting the data online.

Later on Saturday, the gang uploaded what it claimed to be information about customers of the Dan transportation company and a travel agency in a new message that claimed to have more data. "You are under our control no matter where you go, even on your travels. Please keep our name in mind." In an image shared on a Telegram account, Sharp Boys made the statement. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that conducts cyber espionage for illicit purposes. 

The Sharp Boys hacker group first appeared in December when it claimed to have affected two Israeli hiking websites. They also claimed to have taken control of the website's backend administration and released a spreadsheet that contained the personal data of 120,000 people. 

In December last year, the group hacked into the Shirbit insurance company in Israel and stole vast volumes of data. When the company declined to pay the $1 million ransom demand, it exposed the data. A spreadsheet that contained personal data and credit card details for 100,000 people was released.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of assaults on businesses in the travel and leisure industry increased globally by 60% in June 2022 compared to the first half of June 2021.

An Israeli Spy Agency, QuaDream, Hacks Devices 

 

According to Reuters, an Apple software loop exploited by Israeli spy firm NSO Group to hack access iPhones in 2021 was also targeted by a competitor at the same time. 

The two companies QuaDream got the capacity to remotely hack into iPhones, compromising the smartphones without the user clicking on a malicious link. The fact the two firms employed the same advanced 'zero-click' hacking technique suggests that cellphones are more prone to digital espionage than the industry admits. 

The two organizations utilized ForcedEntry software exploits to steal iPhones. In the context, it's worth noting that an exploit is a piece of computer code that takes advantage of a set of unique software flaws to provide a hacker unauthorized access to data. 

"People want to feel they're safe, and telecommunications companies want the user to assume they're safe," stated Dave Aitel, a cybersecurity partner at Cordyceps Systems. 

Some notable Israelis have been attacked with Pegasus, according to a recent revelation from the Israeli publication Calcalist, including a son of former Prime Minister Benjamin Netanyahu. "CEOs of government ministries, news reporters, tycoons, corporate executives, mayors, social activists, and even the Prime Minister's relatives were all police targets," according to Calcalist. "Phones were hacked by NSO's spyware prior to any research even opening and without any judicial authorization." 

Some of QuaDream's clients overlapped with NSO Group's  implying that the buyers utilized Pegasus and REIGN for surveillance, specifically targeting political opponents. Surprisingly, the two cyberweapon's techniques were so identical when Apple patched the security weakness, it didn't make a difference. 

Spyware firms have long claimed to sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have reported the use of spyware to harm civil society, discredit political opposition, and sabotage elections on numerous occasions. 

Pegasus was also recently discovered on the devices of Finland's diplomatic corps working outside the nation, according to Finnish officials, as well as of a wide-ranging espionage campaign. Pegasus was allegedly installed on the iPhones of at least nine US State Department workers.

Iran-Linked Hackers Attacked Israel's Government and Business Sector

 

In the latest episode of cyberwarfare between the rival states, an Iran-linked hacking gang hit seven Israeli targets in a 24-hour span, according to an Israeli cybersecurity firm. The Israeli "government and business sector" were among the targets of the "Charming Kitten" attack, according to a statement issued late Wednesday by Tel Aviv-based Check Point. 

"Check Point has blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," said the firm. "Our reports of the last 48 hours prove that both criminal hacking groups and nation-state actors are engaged in the exploration of this vulnerability."

Charming Kitten, also known as Phosphorous, APT35, Ajax Security Team, ITG18, NewsBeef, and NewsCaster, is a threat actor that has been active since at least 2011 and has targeted entities in the Middle East, the United States, and the United Kingdom. FireEye classified the group as a nation-state-based advanced persistent threat on December 15, 2017, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware capabilities and intrusion campaigns. Since then, the gang has been known to use phishing to spoof firm websites, as well as false accounts and DNS domains to steal victims' passwords. 

Allegations of cyberwarfare between Iran and Israel have grown more serious in recent months. In October, Israel was implicated in a series of cyberattacks on Iranian infrastructure, including the country's fuel distribution system. The disruption had an unusual impact because it shut down the IT system that allowed Iranians to fill their tanks for free or at reduced prices using a digital card issued by the authorities.

Another reportedly Iran-linked hacker organization, "Black Shadow," claimed responsibility for a cyber-attack on an Israeli internet service provider in October. One of the sites targeted in that incident was Israel's largest LGBTQ dating service, with the hackers demanding ransom payments in exchange for sensitive private information such as the HIV status of the site's users. 

According to the finance ministry, Israel, which prides itself as a cybersecurity leader, hosted a "international cyber financial war game" last week. The United States, Britain, and the United Arab Emirates, which established diplomatic ties with Israel last year, were among those who took part. Germany, Switzerland, and the International Monetary Fund were all present, according to the ministry. Shira Greenberg, a chief economist at Israel's finance ministry, said the exercise underlined "the importance of coordinated global action by governments and central banks in the face of cyber-financial threats."

Israeli Company Spyware Targets US Department Phones

 

According to four individuals familiar with the situation, the iPhones of at least nine U.S. State Department workers had been compromised by an unidentified man using advanced spyware produced by the Israel-based NSO Group. 

The attacks, which occurred in the previous few months, targeted U.S. officials who were either based in Uganda or focused on issues about the East African country, according to two of the sources. 

The attacks, which were first revealed here, are the most extensive known hacks of US officials using NSO technology. Earlier, a database of numbers with prospective targets that included certain American leaders surfaced in NSO reporting, although it was unclear if incursions were always attempted or successful. 

NSO Group stated in a statement that it had no evidence that its tools had been used, but that it had canceled access for the relevant clients and therefore would investigate. 

"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have." 

NSO has always stated that it exclusively sells its products to government law enforcement and intelligence agencies to assist them in monitoring security concerns and that it is not intimately associated with surveillance operations. 

A State Department official refused to respond to the intrusions and pointed to the Commerce Department's recent decision to place the Israeli corporation on an entity list, making it more difficult for US businesses to do business with them. 

NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers," the Commerce Department said in an announcement last month. 

According to product instructions reviewed by Reuters, the NSO application is capable of not just stealing encrypted messages, images, and other confidential material from compromised phones, but also turning them into recording devices to watch their surroundings. 

The developer of the spyware employed in this hack was not named in Apple's advisory to affected consumers. According to two of the people who were alerted by Apple, the victims included American residents who were easily identified as U.S. government officials because they paired email addresses ending in state.gov with their Apple IDs. 

According to the sources, they and other victims alerted by Apple in multiple countries have been affected by the same graphics processing vulnerability. 

The Israeli embassy in Washington stated in a statement that targeting American officials would be a major violation of its norms. 

"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."

Israel Limits Cyberweapons Export List from 102 to 37 Nations

 

The Israeli government has limited the number of nations to which local security businesses can sell surveillance and offensive hacking equipment by nearly two-thirds, reducing the official cyber export list from 102 to 37. 

Only nations with established democracies are included in the new list, which was obtained by Israeli business publication Calcalist earlier today, such as those from Europe and the Five Eyes coalition: 

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US. 

Autocratic regimes, to which Israeli corporations have frequently sold surveillance tools, are strikingly absent from the list. Spyware produced by Israeli businesses such as Candiru and the NSO Group has been attributed to human rights violations in tens of nations in recent years, with local governments using the tools to spy on journalists, activists, dissidents, and political opponents. 

The government has not issued a comment on the list's update, according to Calcalist journalists, and it is unclear why it was cut down earlier this month. The timing, on the other hand, shows that the Israeli government might have been driven it to make this choice. 

The list was updated a week after a covert meeting between Israeli and French officials to address suspicions that NSO Group malware was deployed against French President Emmanuel Macron. The announcement coincided with the US sanctioning of four monitoring firms, including Israel's Candiru and NSO Group. 

The penalties are reported to have sent NSO into a death spiral, with the business sliding from a prospective sale to French investors to losing its newly-appointed CEO and perhaps filing for bankruptcy as it has become company-non-grata in the realm of cyberweapons. 

Azimuth Security co-founder Mark Dowd discussed Israeli-based surveillance distributors and their knack for selling to offensive regimes in an episode of the Risky Business podcast last month, blaming it on the fact that these companies don't usually have connections in western governments to compete with western competitors. 

With the Israeli Defense Ministry tightening restrictions on cyber exports to autocratic regimes, the restricted cyber export list is likely to make a significant hole in Israel's estimated $10 billion surveillance sector.

As per a study released earlier this month by the Atlantic Council, there are roughly 224 firms providing surveillance and hacking tools, with 27 of them located in Israel.

Iran's Mahan Airline Targeted in Cyber Attack

 

A cyber-attack against Iran's second-largest airline, Mahan Air has been thwarted, Iranian media reported on Sunday, adding that the airliner's flight schedule was not impacted by the cyber assault.

"Mahan Air's computer system has suffered a new attack. It has already been the target on several occasions due to its important position in the country's aviation industry. Our internet security team is thwarting the cyberattack," airline spokesman Amir-Hossein Zolanvari told state television. 

According to the Daily Sabah, following the attack passengers could not access the airline’s website for hours displaying an error message saying the site couldn’t be reached. Additionally, many customers of Mahan Air across Iran received strange text messages from a group called Hoosyarane-Vatan, claiming to have carried out the attack. 

“We believe the public deserves to know the truth behind this cooperation and the money wasted on IRGC activities abroad while Iranian people suffer at home,” the hacking group said in a statement on the Telegram messaging app. 

Being an Iranian airline, Mahan Air has often found itself in the middle of a political storm. The carrier has been under US sanctions since 2011 for allegedly providing support to the Quds Force and has been associated with alleged shipments of arms from Iran to Shiite groups in Syria, including the Hezbollah terror group. Alleged Israeli airstrikes in Syria have been thought to target Mahan Air weapons shipments in the past. 

“Mahan Air has transported IRGC-QF operatives, weapons, equipment, and funds abroad in support of the IRGC-QF’s regional operations, and has also moved weapons and personnel for Hezbollah,” US Treasury stated in 2019. 

Iran, last month, accused Israel and the United States of a cyberattack on its gas stations that resulted in havoc at fuel pumps nationwide. Iranian President Ebrahim Raisi blamed the hack on anti-Iranian forces seeking to sow disorder and disruption across the nation. 

Days later, Israel's internet infrastructure was targeted by the Iranian Black Shadow hacking group, including against the largest Israeli LGBTQ dating site and an insurance firm. In July, the website of Iran's transport ministry was crippled by what state media said was a "cyber disruption" that caused delays in train services.

Iran Accuses USA and Israel for Carrying Out Fuel Cyberattacks

 

An Iranian General alleged that Israel and US might have planned a cyberattack that caused disruption of fuel in service stations in Iran. The attack which happened on Tuesday is similar to two recent incidents where, as per the general, the attackers might be Iran's rivals: USA and Israel. Two incidents were analyzed, the Shahid Rajaei port incident and the railway accident, and found that these two incidents were similar. Earlier this year, as per Iran's transportation ministry, a cyberattack disrupted its website and computer systems, reports Fars news agency. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more expensive at the market rate," reports The Security Week. In 2020, Washington Post reported an incident where Israel orchestrated an attack on Iranian port Shahid Rajaei (in Hormuz Strait), a strategic path to global oil shipments. 

The recent cyber disruption resulted in traffic jams in major pockets in Tehran, having long lines at petrol pumps disrupting traffic flow. Following the incident, the oil ministry shut down the service stations in order for easy manual distribution of petrol, said the authorities. On Wednesday, President Ebrahim Raisi alleged that the actors were trying to sway the people of Iran against Islamic Republic leadership. As per the reports, an estimated 3200 out of 4300 of the country's service stations have been re-linked with the central distribution system, said the National Oil Products Distribution Company. 

Besides this, there are other stations who also give fuel to motorists, but not at subsidized rates, which makes it twice in the rates, around 5-6 US cents/litre. The Security Week reports, "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."

70% of WiFi Networks in Tel Aviv were Cracked by a Researcher

 

In his hometown of Tel Aviv, a researcher cracked 70% of a 5,000 WiFi network sample, demonstrating that residential networks are extremely vulnerable and easy to hijack. Ido Hoorvitch, a CyberArk security researcher, first strolled about the city center using WiFi sniffing equipment to collect a sample of 5,000 network hashes for the study. 

The researcher then took the use of a vulnerability that allowed the extraction of a PMKID hash, which is typically generated for roaming purposes. Hoorvitch sniffed with WireShark on Ubuntu and utilized a $50 network card that can function as a monitor and a packet injection tool to collect PMKID hashes. 

Although Hoorvitch highlighted that this form of attack does not require such heavy-duty technology, the team deployed a 'monster' cracking rig made up of eight xQUADRO RTX 8000 (48GB) GPUs in CyberArk Labs. The attack is centered on a weakness found by Hashcat's primary developer, Jens 'atom' Steube. This bug can be used to obtain PMKID hashes and crack network passwords.

"Atom’s technique is clientless, making the need to capture a user’s login in real-time and the need for users to connect to the network at all obsolete," explains Hoorvitch in the report. "Furthermore, it only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process." 

The generation and cracking of PMKs with SSIDs and different passphrases can then be used to crack PMKID hashes collected by wireless sniffers with monitor mode enabled. This data is created from the right WiFi password when a PMKID is generated that is equal to the PMKID acquired from an access point. Hoorvitch employed a conversion tool and Hashcat, a password recovery software, after sniffing out PMKID hashes with the Hcxdumptool utility. 

According to Hoorvitch, many Tel Aviv residents use their cellphone numbers as their WiFi password, thus it wasn't long before hashes were cracked, passwords were obtained, and doors to their networks were opened. Each crack on the researcher's laptop took around nine minutes in these circumstances. The team was able to break into over 3,500 WiFi networks in and around Tel Aviv. 

Despite the risk of being hacked, most consumers do not set a strong password for their WiFi networks, according to the report. Passwords should be at least ten characters long, contain a mix of lower and upper case letters, symbols, and numerals, and be unique. Keeping your router firmware up to date will also safeguard your hardware from attacks based on vulnerability exploits, according to the researcher. WAP/WAP1 and other weak encryption protocols should be disabled as well.

5 French Minister Phones Affected with Pegasus Spyware

 

At least five French ministers and President Emmanuel Macron's diplomatic advisor mobile phones have been infected by Israel-made Pegasus spyware, whistle-blowers confirmed on Friday 24th of September. 

As per a Mediapart report on Friday, French security agencies have discovered software during the phone inspection, with breaches reported in 2019 and 2020. 

In July Pegasus produced by NSO Group, the Israeli company, was already in the middle of a hurricane following a list of around 50,000 possible surveillance targets worldwide leaking to the media, and was capable of switching the camera or microphone and harbor their data. 

The insinuation was made about two months after the Pegasus Project, the media consortium which included the Guardian, found that a leaked database at the core of the investigatory project included contact information of top France officials, including French President Emmanuel Macron and most of its 20-strong cabinet. 

There is no strong proof of successful hacking of phones of the five cabinet members however media reports suggest that the devices were targeted by the potent spyware known as Pegasus, which is created by the NSO Group. 

Pegasus enables users to track the conversation, text messages, pictures, and location whenever installed effectively by government customers within the Israeli firm and can convert phones into remotely controlled listening devices. 

The consortium of Pegasus Project, organized by the French Forbidden Stories non-profit media, showed that international customers of NSO utilized hacker tools to attack journalists and human rights organizations. 

NSO reportedly stated that its strong malware is designed not to target civilian society members but to probe severe criminals. It has stated it has no link to the leaked database reviewed by the Pegasus Project and also the tens of thousands of numbers included do not target NSO customers. It has also firmly disputed that Pegasus Spyware has always targeted Macron. 

In a statement released on Thursday night, NSO said: “We stand by our previous statements regarding French government officials. They are not and have never been Pegasus targets. We won’t comment on anonymous source allegations.” 

Furthermore, the authenticity of the allegation was verified by two French individuals with knowledge of the inquiry, but they asked not to be named since they had not been allowed to talk to the media. 

"My phone is one of those checked out by the national IT systems security agency, but I haven't yet heard anything about the investigation so I cannot comment at this stage," Wargon told the L'Opinion website Friday. 

Mediapart stated that the handsets of the ministers for education (Jean-Michel Blanquer), Jacqueline Gourault, Julien Denormandie, Emmanuelle Wargon, Sébastien Lecornu and others – displayed indications of the virus Pegasus. The report noted that at the time of the allegations of targeting that happened in 2019 and less often in 2020, not all the Ministers had their current roles, but all were Ministers. The phone of the Macron Diplomatic Consultants at the Elysee Palace was also targeted. 

The Élysée Palace also stated that it would not comment on “long and complex investigations which are still ongoing”. 

The Prosecutor's Office refused to comment or to clarify whether or whether not the ministers' phone hacking had been found, stating that the investigation was subject to judicial confidentiality regulations. Although since the end of July, when the palace officials notified prudence, the Élysée has not reacted to the Pegasus affair and said that “no certainty at this stage”.

Siamesekitten Launches New Operations Against Israeli Organizations


 


To mask their actual objectives, hackers affiliated with the government of Iran have concentrated their offensive efforts on IT and communications businesses in Israel. Ever since least 2018, operations have indeed been ascribed to the APT group of Iranians known as Lyceum, Hexane, and Siamesekitten. 

At the epicenter of a cyberattack on the supply chain, IT and communications companies in Israel has been led by Iranian threat actors who have impersonated businesses and their HR professionals to target victims with fraudulent employment proposals to infiltrate their systems and obtain access to the firms' customers. ClearSky claimed that the cyberattacks on IT and telecom firms are designed to make supply chain attacks on its customers simpler.

The operations, which took place in two phases in May and July 2021, are connected with the hacking group Siamesekitten, which has mainly pinpointed the Middle East and African oil, gas, and telecommunications suppliers. The attackers coupled social engineering technology with an enhanced malware version to provide remote access to the affected machine. 

In one case, the cybercriminals used the username of a former HR manager of ChipPC company to construct a fraudulent LinkedIn profile, a strong indication that the hackers had been doing their research even before the campaign was launched.

In addition to using Lure documents as the initial vector of attacks, its network comprised the establishment of fraudulent websites, which imitated the impersonation of the organization, and the creation of false LinkedIn profiles. The bait files take the shape of a macro-embedded Excel table, detailing alleged job offers and of a portable (PE) file containing a 'catalog' of products utilized by the impersonated firm. 

"This campaign is similar to the North Korean 'job seekers' campaign, employing what has become a widely used attack vector in recent years - impersonation," the Israeli cybersecurity company said. "The group's main goal is to conduct espionage and utilize the infected network to gain access to their clients' networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware." 

Whatever file the victim downloads, the attack chain is completed with a C++-based Milan backdoor installation. The attacks against Israel's enterprises in July 2021 are especially noteworthy since Milan had been substituted by the threat player with a new installation named Shark, written in.NET.

Israeli Firm Assisted Governments Target Journalists & Activists with Zero Days and Spyware

 

Microsoft as part of its Patch on Tuesday fixed two of the zero-day Windows flaws weaponized by Candiru, an Israeli firm in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. 

According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in Chrome browser to attack victims in Armenia. 

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers stated.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." 

Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is stated to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Androids, Macs, PCs, and cloud accounts. 

After gaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to restore a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes. 

The infection chain used a combination of browser and Windows vulnerabilities, with the latter being transmitted through single-use URLs emailed on WhatsApp to targets. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to bypass browser sandboxes and obtain kernel code execution. 

The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte.

Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits. 

A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises. 

Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries that ran systems under their authority. 

According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.

Among other well-known news outlets, the Guardian and the Washington Post released information of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists and according to the claims, Pegasus malware is being used to spy on people by over ten nations. 

SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. 

These attacks mostly targeted consumer accounts, implying that Sourgum's users were pursuing part of the attack. TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers utilizing more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws. 

Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices.” 

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.

Over 200,000 Students Data Leaked in Cyberattack

 

The personal information of approximately 280,000 students was leaked last week in a cyberattack that targeted the AcadeME company, which serves a variety of colleges and institutions across Israel. Hundreds of thousands of students use AcadeME to get jobs at thousands of companies. 

On June 20, a pro-Palestinian Malaysian hacker group known as "DragonForce" claimed that it hacked into AcadeME and stated in a Telegram message, "THE LARGEST AND MOST ADVANCED STUDENT AND GRADUATE RECRUITMENT NETWORK IN ISRAEL Hacked By DragonForce Malaysia." 

According to the group, emails, passwords, first and last names, addresses, and even phone numbers of students who were enrolled on AcadeME were leaked. Screenshots of code, server addresses, and a table with email addresses and names were all targeted by DragonForce. 

According to May Brooks-Kempler of the Think Safe Cyber Facebook group, the hackers exposed the information of roughly 280,000 students who have utilized the site since 2014. 

As of Monday morning, the AcadeME site had been pulled offline and was labeled as "unavailable." When attempted to visit the site, a notice stated that the site "should be back soon." 

The hackers wrote on Telegram, "This is an urgent call for all Hackers, Human Right Organizations and Activists all around the world to unite again and start a campaign against Israhell, share what is really going on there, expose their terrorist activity to the world. We will never remain silent against israhell war activity." 

The group claimed later that day that it had leaked a "massive" number of Israeli passports. On Friday, the same organization launched DDoS assaults against Bank of Israel, Bank Leumi, and Mizrahi Tefahot, among other Israeli banks. 

Israel's National Cyber Directorate's Warnings: 

Yigal Unna, the chief of Israel's National Cyber Directorate (INCD), cautioned earlier this year that if necessary precautions are not taken, cyberattacks might cripple Israeli academic institutions. 

The chief of the INCD warned that the wide connectivity between academic institutions and other bodies and organizations could constitute a threat to other bodies and result in liability. The message arrived 11 days after a cyberattack on the Ben-Gurion University of the Negev, which resulted in the compromise of several of the university's servers. 

After the breach was found, a joint team of researchers from the INCD and Ben-Technologies, Gurion's Innovation & Digital Division was formed to avoid data leaks and control the situation. 

Though the perpetrator of the attack is still unknown. 

In 2020, the National Cyber Directorate received over 11,000 inquiries on its 119 hotline, a 30 percent increase over the previous year. About 5,000 requests were made to companies to handle vulnerabilities that exposed them to assaults, and about 1,400 entities were contacted about attempted or successful attacks.

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Agrius – The Iranian Hacking Group Targets Israel Using Data Wipers

 

The hacking community of Agrius has switched from a strictly destructive wiper malware to a mix of wiper and ransomware functions — and pretends to keep data till the end of attacks. 

SentinelOne investigators announced on Tuesday that Agrius was the first to be found in attacks targeting Israeli groups in 2020, evaluating the threat group's new movements. 

The community utilizes a mixture of its customized toolkits and offensive security software, readily accessible, to deploy either a malicious wiper or a custom wiper-turned-ransomware variant. The attackers asked the targets to pay the ransom to simulate a ransomware attack to conceal the true nature of the attack. 

The Agrius Community has been functioning since the beginning of 2020, as per the experts. Initially targeted aggression in the Middle East area, Agrius expanded its presence since December 2020 to the Israeli targets. 

But unlike the other ransomware groups like Maze and Conti, Agrius doesn't seem to rely on money—instead, ransomware is indeed a recent addition and a boost to the cyber-espionage- and destruction-oriented attacks.

Moreover, Agrius claimed to be robbing and encrypting information for extorting victims in many of the attacks identified by SentinelOne only when the wiper was deployed, however, this information had already been lost. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers said. 

Throughout the initial stages of the attack, Agrius uses tools for the virtual private network (VPN) software, also accessing publicly available applications and services that correspond to its intended target, often via compromised accounts and security vulnerabilities, before trying to exploit them. 

Agrius' toolkit consists of Deadwood, a malicious wiper malware strain, which is also referred to as Detbosit. Deadwood, assumed to be the APT33 work, was related to attacks against Saudi Arabia during 2019. 

The wipers, like Deadwood, Shamoon, and ZeroCleares, have also been linked to APT33 and APT34. 

During attacks, Agrius also drops the IPsec Helper, a custom.NET backdoor to bind to a command-and-control (C2) server. Moreover, a new .NET wiper known as an Apostle is being thrown away. 

Apostle seems to have been upgraded and changed to include usable modules in a recent attack towards state-owned facilities in the United Arab Emirates. Nevertheless, the team argues, that it is not the financial attraction Agrius focuses on throughout development but the disruptive aspects of ransomware — such as the ability to encrypt data. 

SentinelOne claims no "solid" links have indeed been developed with other established threat groups but because of the involvement of Agrius in Iranian issues, the deployment of web-based shells related to variants produced by the Iranians, and the primary use of wipers – an attack tactic linked to Iranian APTs since 2002 – indicated that the group is likely to originate in the Iranian Republic.