Search This Blog

Showing posts with label Israel. Show all posts

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Agrius – The Iranian Hacking Group Targets Israel Using Data Wipers

 

The hacking community of Agrius has switched from a strictly destructive wiper malware to a mix of wiper and ransomware functions — and pretends to keep data till the end of attacks. 

SentinelOne investigators announced on Tuesday that Agrius was the first to be found in attacks targeting Israeli groups in 2020, evaluating the threat group's new movements. 

The community utilizes a mixture of its customized toolkits and offensive security software, readily accessible, to deploy either a malicious wiper or a custom wiper-turned-ransomware variant. The attackers asked the targets to pay the ransom to simulate a ransomware attack to conceal the true nature of the attack. 

The Agrius Community has been functioning since the beginning of 2020, as per the experts. Initially targeted aggression in the Middle East area, Agrius expanded its presence since December 2020 to the Israeli targets. 

But unlike the other ransomware groups like Maze and Conti, Agrius doesn't seem to rely on money—instead, ransomware is indeed a recent addition and a boost to the cyber-espionage- and destruction-oriented attacks.

Moreover, Agrius claimed to be robbing and encrypting information for extorting victims in many of the attacks identified by SentinelOne only when the wiper was deployed, however, this information had already been lost. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers said. 

Throughout the initial stages of the attack, Agrius uses tools for the virtual private network (VPN) software, also accessing publicly available applications and services that correspond to its intended target, often via compromised accounts and security vulnerabilities, before trying to exploit them. 

Agrius' toolkit consists of Deadwood, a malicious wiper malware strain, which is also referred to as Detbosit. Deadwood, assumed to be the APT33 work, was related to attacks against Saudi Arabia during 2019. 

The wipers, like Deadwood, Shamoon, and ZeroCleares, have also been linked to APT33 and APT34. 

During attacks, Agrius also drops the IPsec Helper, a custom.NET backdoor to bind to a command-and-control (C2) server. Moreover, a new .NET wiper known as an Apostle is being thrown away. 

Apostle seems to have been upgraded and changed to include usable modules in a recent attack towards state-owned facilities in the United Arab Emirates. Nevertheless, the team argues, that it is not the financial attraction Agrius focuses on throughout development but the disruptive aspects of ransomware — such as the ability to encrypt data. 

SentinelOne claims no "solid" links have indeed been developed with other established threat groups but because of the involvement of Agrius in Iranian issues, the deployment of web-based shells related to variants produced by the Iranians, and the primary use of wipers – an attack tactic linked to Iranian APTs since 2002 – indicated that the group is likely to originate in the Iranian Republic.

N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel

 

In a surge of cyberattacks that began last week, a new ransomware group known as 'N3TW0RM' is targeting Israeli companies. 

N3TW0RM, like other ransomware gangs, has set up a data leak platform where they threaten to release stolen files to threaten victims into paying a ransom. At least four Israeli companies and one nonprofit organization were successfully breached in this wave of attacks, according to Israeli news outlet Haaretz. 

Two Israeli companies, H&M Israel and Veritas Logistic have already been mentioned on the ransomware gang's data leak, with the threat actors allegedly leaking data stolen during the Veritas attack. According to Israeli media and BleepingComputer, the ransomware gang has not demanded especially large ransoms in comparison to other enterprise-targeting attacks. Veritas' ransom demand was three bitcoins, or roughly $173,000, as per Haaretz, while another ransom note shared with BleepingComputer indicates a demand of four bitcoins, or roughly $231,000. 

As per the WhatsApp message circulated by Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021. 

Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. At this time, no hacker groups have been linked to the N3TW0RM attacks. 

One source in the Israeli cybersecurity industry told BleepingComputer that N3TW0RM is also being used to sow havoc for Israeli interests as given the low ransom demands and lack of response to negotiations. However, according to Arik Nachmias, CEO of incident response firm Honey Badger Security, the attacks in N3TW0RM's case are motivated by money. 

While encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a programme on a victim's server that will listen for connections from the workstations, thus according to samples [VirusTotal] of the ransomware seen by BleepingComputer and conversations with Nachmias. 

The threat actors then use PAExec to deploy and execute the'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias. When encrypting files, the '.n3tw0rm' extension will be appended to their titles. 

According to Nachmias, the server portion would save the keys in a file and then instruct the clients to start encrypting devices. This strategy helps the threat actor to keep all aspects of the ransomware activity inside the victim's network without having to rely on a remote command and control server.

However, it increases the attack's complexity and can allow a victim to recover their decryption keys if all of the files are not deleted after the attack.

Iran Natanz Nuclear Facility Struck by a Blackout Labelled as an Act of “Nuclear Terrorism”

 

On Sunday 11th of April, just hours after newly developed centrifuges, which could enrich uranium faster were launched in Iran, the underground nuclear facility of Natanz lost its control. Iran labeled the blackout as an act of "nuclear terrorism." It raised regional tensions on Sunday as the world powers proceed to negotiations over Tehran's tattered nuclear deal. 

Amid arbitration over the troubling nuclear agreement with the world powers, this is the most recent event. As Iranian officials examined the failure, several news organizations in Israel speculated that this was a cyber-attack. Although the reports did not include an evaluation source, the Israeli media have close ties with the military and intelligence agencies of the country. 

If Israel triggered the blackout, the strains between the two countries which were already involved in the shadow conflict over the wider Middle East would now be increased. The USA, Israel's primary security partner, has also been complicating attempts to re-enter the nuclear agreement to restrict Tehran so that a nuclear weapon couldn't be pursued if the US so wishes. U.S. Defence Secretary Lloyd Austin arrived in Israel on Sunday when reports about the blackout came up for talks with Netanyahu and Israeli Defence Minister Benny Gantz.

Civil program spokesperson for nuclear programs Behrouz Kamalvandi told Iranian state TV that power in Natanz has been cut across all the installations which include above-ground workshops and underground halls. “We still do not know the reason for this electricity outage and have to look into it further,” he said. “Fortunately, there was no casualty or damage and there is no particular contamination or problem.” 

Malek Shariati Niasar, a Teheran-based politician who has been serving as spokesman on the Iranian energy committee, posted on Twitter that the incident seemed ‘very suspicious.’ He even said that lawmakers are looking for further information. The International Atomic Energy Agency in Vienna, which monitors the Iranian program, said that it was "aware of the media reports" but still did not elaborate on it. 

Tehran has scrapped all restrictions off its uranium stock after President Donald Trump withdrew from the Iran nuclear agreement in 2018. It now enriches up to 20% purity, a technological move away from 90% firearms. Iran maintains a peaceful nuclear policy. 

Natanz was primarily constructed underground to resist enemy airstrikes. In 2002, when satellite images depicted Iran constructing its underground centrifugal plant on a location some 200 km to the south of Tehran, it became a flashpoint for Western fears of Iran's nuclear program. At its sophisticated centrifuge assembly plant in July, Natanz encountered a mysterious explosion that the officials later identified as sabotage. Now Iran is reconstructing deep inside a nearby mountain to recreate the facility. 

Kan, a Public broadcaster , said Israel would probably have been behind the attack, referencing Israel's supposed responsibility for the attacks in Stuxnet a decade ago. Though no source or description of how this was evaluated was included in any of the reports.

Iranian Hackers Attack Israel Water Facility, Gain Access To HMI Systems

 

An Iranian hacking group gained passage to an unsafe Israeli water facility ICS. The hackers also posted the video on the internet to show the credibility of the attack. Experts from OTORIO, an industrial cybersecurity firm, informed an Iranian hacking group hacked into the HMI (human-machine interface). Taking advantage of the insecure HMI system, hackers gained access and later posted the video. 

In the video published on December 1, 2020, the hackers claim an attack on a recycled water facility in Israel. "The reservoir's HMI system was connected directly to the internet, without any security appliance defending it or limiting access. Furthermore, at the publication time, the system did not use any authentication method upon entry. It gave the attackers easy access to the design and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature, and more. All the adversaries needed was a connection to the world-wide-web and a web browser," reports the OTORIO blog post. 

By gaining access, it might have let the hackers communicate with the water facility's process. For this, the hackers may have modified the parametric values like temperature and water pressure. The administrators secured the system on December 2; however, the system was still unprotected online. OTORIO says, "however, the system is still accessible through the internet without any barrier. Although this may prevent unskilled adversaries from accessing the system, those with a minimal toolbox can most likely compromise the system." 

As of now, experts don't know if the attack caused any damage. Cybersecurity experts believe the hacking group behind the attack is "Unidentified Team," which posted the video on its Telegram channel. The group has also attacked other institutes in the past, including American educational websites. "In the Israeli reservoir case, even minimal steps, such as authentication and restricting access, were not taken. This led to an easy compromise of the system. To fully protect SCADA devices, a more active approach should be applied. This includes secure remote access (e.g., VPN), access restriction based on Firewall rules, and active defense-in-depth methods," says OTORIO.

Israeli Security Company NSO Pretends to Be Facebook


As per several reports, Facebook was imitated by an Israeli security company that is known as the “NSO Group” to get the targets to install their “phone-hacking software”.

Per sources, a Facebook-like doppelganger domain was engineered to distribute the NSO’s “Pegasus” hacking contrivance. Allegedly, serves within the boundaries of the USA were employed for the spreading of it.

The Pegasus, as mentioned in reports, if installed once, can have access to text messages, device microphone, and camera as well as other user data on a device along with the GPS location tracking.

NSO has denied this but it still happens to be in a legal standoff with Facebook, which contends that NSO on purpose distributed its software on WhatsApp that led to the exploitation of countless devices. Another allegation on NSO is about having delivered the software to spy on journalist Jamal Khashoggi before his killing, to the government of Saudi Arabia, citing sources.

Facebook also claimed that NSO was also behind the operation of the spyware to which NSO appealed to the court to dismiss the case insisting that sovereign governments are the ones who use the spyware.

Per sources, NSO’s ex-employee, allegedly, furnished details of a sever which was fabricated to spread the spyware by deceiving targets into clicking on links. The server was connected with numerous internet addresses which happened to include the one that pretended to be Facebook’s. And Facebook had to buy it to stop the abuse of it.

As per reports, package tracking links from FedEx and other links for unsubscribing from emails were also employed on other such domains.

NSO still stand their ground about never using the software, themselves. In fact they are pretty proud of their contribution to fighting crime and terrorism, mention sources.

Security researchers say that it’s almost impossible for one of the servers to have helped in the distribution of the software to be within the borders of the USA. Additionally, reports mention, NSO maintains that its products could not be employed to conduct cyber-surveillance within the United States of America.

Facebook still holds that NSO is to blame for cyber-attacks. And NSO maintains that they don’t use their own software.

Vulnerability in DNS Servers Discovered By Academics from Israel


A vulnerability in DNS servers that can be exploited to launch DDoS attacks of huge extents was as of late discovered by a team academics from Israel, the attack as indicated by them impacts recursive DNS servers and the procedure of DNS delegation.

In a research paper published, the academics from the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they figured out how to abuse this delegation procedure for DDoS attacks. 

The NXNSAttack technique has various aspects and varieties, yet the fundamental steps are detailed below:

1) The attacker sends a DNS query to a recursive DNS server. The solicitation is for a domain like "attacker.com," which is overseen through an attacker-controlled authoritative DNS server. 

2) Since the recursive DNS server isn't approved to resolve this domain, it forwards the operation to the attacker's malicious authoritative DNS server. 

3) The malignant DNS server answers to the recursive DNS server with a message that likens to “I’m delegating this DNS resolving operation to this large list of name servers." The list contains a large number of subdomains for a victim website.

4) The recursive DNS server forwards the DNS inquiry to all the subdomains on the list, giving rise to a surge in traffic for the victim's authoritative DNS server.



The Israeli researchers said they've been working for the past few months with the producers of DNS software; content delivery networks, and oversaw DNS suppliers apply mitigations to DNS servers over the world. 

Affected software incorporates the likes of ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), yet additionally commercial DNS administrations provided by organizations like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.



Patches have been discharged over the previous weeks. They incorporate mitigations that keep attackers from mishandling the DNS delegation procedure to flood different DNS servers.

The research team's work has been properly detailed in a scholarly paper entitled "NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities," available for download in PDF format.

Flaw in WhatsApp could allow hackers alter messages







A cybersecurity firm has unearthed flaws in the messaging app WhatsApp that could let hackers alter users messages and change the texts.

Israeli-based cybersecurity firm Check Point Research (CPR) discovered the flaw, which could be exploited in three ways,  and warned that 'malicious actors' could easily use the glitch to spread misinformation and fake news.

 The experts detailed their findings at the Black Hat cyber-security conference in Las Vegas, which was attended by many other cybersecurity experts.

They screened a video in support of their findings. The video showed how swiftly a message can be manipulated.

The team claim that they notified Facebook about the issue last year, but they did not heed to their claims, as a result, it is yet to be resolved. 

In a written statement released by the CPR's site, the company said: 'Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources.

'We believe these vulnerabilities to be of the utmost importance and require attention.' 
However, WhatsApp spokesman declined to comment.



Israeli spyware firm NSO can mine data from social media accounts









An Israeli spyware firm has claimed that they can scoop  user data from the world’s top social media, the Financial Times report. 

The powerful malware Pegasus from NSO Group is the same spyware that breached WhatsApp data earlier this year. 

The firm said that this time their malware can scrap data from the servers of Apple, Google, Amazon, Facebook, and Microsoft. 

According to the reports of the Times, the NSO group had “told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch”.

However, the companies spokesperson denied the allegation in a in written statement to AFP’s request for comment. 
“There is a fundamental misunderstanding of NSO, its services and technology,” it said.

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

In the mean time, Amazon and Google told AFP that they have started an investigation on the basis of report, but so far found no evidence that the software had breached their systems or customer accounts.




WhatsApp vulnerability let attackers install Israeli Spyware on phones





A new vulnerability discovered in the WhatsApp allowed attackers install a malicious code on iPhones and Android phones by ringing up a target device.

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” WhatsApp said. 

The company discovered the vulnerability and later issued a security patch, although till now, it is not known how many people have been affected by this. 

According to the reports, the attackers targeted the device by just placing a call, even if you didn’t answered a call, the malicious code could be transmitted to your phone and a log of the call often disappeared. 

WhatsApp is urging all its users to upgrade their app after it released a software update yesterday. 

'We believe a select number of users were targeted through this vulnerability by an advanced cyber actor,' WhatsApp told the Financial Times.

'This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.

As per the Financial Times reports, the spyware was developed by NSO Group, an Israeli cybersecurity and intelligence company.


Iranian Hackers Come Worryingly close To Israel’s Missile Warning System





Israel's military scrambles to protect alerts from being undermined as Iranian hackers came 'worryingly close' to their missile warning system. In the wake of observing them to recognize their intent, the military blocked them after distinguishing the hackers in 2017 and when it turned out to be clear what their objective was.

Brigadier General Noam Shaar, outgoing head of the cyber defense division in the army's Cyber Defense Directorate, who has been associated with building up Israel's cyber defense operations for as far back as 20 years, says that,“We dealt with them and built another barrier and another monitoring system to make sure we could stop them if they tried again. We can’t wait until Iranian cyber becomes a major, major threat,”

While the U.S. - based cyber security firm FireEye Inc. in the wake of following attackers for a while, said in January that Iran could be behind a rush of hacks on government and communications infrastructure over the Middle East, North Africa, Europe and North America, Iran’s Information and Communications Technology Ministry and Telecommunications Ministry had no remarks on its supposed exercises.

In any case Iran has blamed Israel for cyber-attacks, as well, most recently in November when it said it rebuffed an Israeli cyber-attack on its telecommunications infrastructure.

Rhea Siers, a former senior official at the U.S. National Security Office, even says that, “The Iranians have been eager ‘to make themselves known’ in the cyber domain and have certainly done so, while it is certainly true that Israel is a key Iranian cyber target, that is different than assessing Iran’s strength across the entire cyber domain.”