OpIsrael – Happy Birthday! My, You’ve Grown Big…

AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.

One of the Campaign Official Images

The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.

The Official Website of the Campaign

The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.

Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.

All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.

Evolution of Hacktivist Campaigns

Next week we are going to see a major hacktivist operation aimed against Israel, called #OpIsraelBirthday, which is supposed to start on the 7th of April. The operation is dubbed “birthday” because it commemorates the last OpIsrael, which took place on the same date last year. In recent weeks there was a lot of internal debate in SenseCy about what has changed since then and what we can expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

– DDoS Attacks – DDoS attacks are nothing new, but recently attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago the attacks peaked at 30 Gb/sec, it is more than plausible to assume that we are going to see one order of magnitude higher than that. This might be OK for a large country, but for Israel it might cause problems in the ISP infrastructure itself, and not just a denial of service to the target site.

– Self-Developed Code – Up until now, most of what we have seen coming from the anti-Israel hacktivism groups was reuse of Anonymous code, with maybe slight improvements to the user interface. Lately we have started to identify unique, original code developed by the groups themselves. Some of it still depends on existing code and available libraries, but this might be an indicator of things to come.

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

– Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important), with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

– Shells and RATs – It seems that SQL injection and cross-site scripting are shifting from being the end result to being the means by which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. In effect, this might suggest a more coherent effort to cause more sophisticated damage to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seems to be larger and more dangerous than the last one (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take actions to handle and mitigate these attacks.

March 10 Hacktivist Campaign – “Op” or “Flop”?

Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.

Although the Op was led by the capable militant groups RedHack (Turkey) and AnonGhost (Tunisia), it did not appear to manifest fully – the scope of the attacks and the extent of damage were marginal at best. Several private Israeli websites were hacked or DDoSed, and some email addresses belonging to Bank of Israel employees were leaked (no passwords or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9th – a Tunisian hacker affiliated with AnonGhost uploaded a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and more. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and other cyber campaigns.

https://www.youtube.com/watch?v=uAjmDDxR2Y8&list=UUZuiY5Awp7xdQTzZyqXFywQ

YouTube tutorial of attempted hack of Israeli site

In conclusion, it seems that the March 10 “Op” cannot be labeled a success, not even in terms of a grand rehearsal for the upcoming April campaign.

Gaza’s Electronic Battalion

There are many hacker groups with an anti-Israeli agenda that express their sympathy with Gaza, for example the Gaza Hacker Team, Anonymous Gaza or the Electronic Battalion of Gaza (Katibat Gaza el-Electroniyya, or KGE).

On September 28, 2013, the anniversary of the “al-Aqsa Intifada”, the KGE launched the “al-Aqsa Electronic Intifada” on their Facebook page. They uploaded an official video to YouTube inviting hackers from all over the world to attack Israel, proposing official and financial websites as targets. Many hackers showed their support via social networks and several news websites reported on the upcoming attack. They did not manage to hack any important target, although the group uploaded images from an Israeli database, claiming that they belonged to Israeli soldiers.

KGE invites hackers to join al-Aqsa electronic Intifada

The KGE has different platforms, such as a Facebook page, YouTube channel, Pastebin account, Google+ and a website (currently offline). According to their Facebook group page, they have over 600 members and supporters. One of them is Nasser Isam (nicknamed Neso), a hacker from Gaza who administers one of the group’s pages on Facebook.

Neso Isam’s Facebook page

We found an image on Facebook of a tool called “KGE Doser”. This may indicate that the group has the ability to develop hacking tools. The group has not mentioned new targets recently, although they have promised to wage cyber attacks in the near future. Who knows when we will hear from them again?

March 10, 2014 – Anti-Israeli Hackers Plan a Cyber Campaign against Israel

On February 9, 2014, anti-Israeli hacker groups announced a cyber operation against Israel scheduled for March 10. According to a press release issued on Pastebin, all hacktivists worldwide are called upon “to wipe Israel yet again off the cyber web on March 10th, 2014 on the anniversary of Israel’s attack on Palestinian leader Yasser Arafat’s office in Gaza City”.

#OpIsrael3.0 press release

The attackers published a target list of about 1,360 websites, including government websites, banks and financial institutions, media outlets, academic institutions, defense industry, etc. We have identified several hacker groups that will participate in the campaign. One of them is AnonGhost that initiated the April 7, 2014 campaign. Another interesting group is RedHack – a Turkish hacker group that recently waged several high-profile attacks.

The attackers have also created an official Twitter account and a Facebook page, where they have posted links to download various attack tools, such as DDoS tools, SQL injection tools, RATs, keyloggers and more.

@OpIsrael3 Twitter account

As was the case in previous campaigns, we assume that pro-Palestinian hacker groups will launch cyberattacks against Israeli websites, but with a low success rate, especially with regard to banks and critical infrastructure websites.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Bad Habits can be Contagious

Written by Hila Marudi and Tanya Koyfman

As the saying goes, bad habits can be contagious… Our experience shows that expertise in illegal fields and sophisticated methods developed to break the law are traits shared among criminals that sometimes find their way across the globe, between places located thousands of miles apart from each other.

Many instances of this phenomenon can be seen in the sphere of physical threats. Weapons and techniques that evolve in one conflict zone and are proven efficient are quickly transmitted to other battlefields and adopted by other terror organizations with totally different agendas to the original one. For instance, our colleagues that trace developments in the physical world recently noticed that explosive “suicide” belts (PBIEDs) that were first deployed in the Caucasus region have found their way into the Syrian conflict, and further afield, into Iraq. These devices are likely intended for use by militants who may choose to initiate the device as a last resort when cornered, thus taking out their adversaries with them.

The cyber battlefield is no exception. Web platforms are used to share information and knowledge, often overcoming language obstacles. Once a hacker manages to code an efficient piece of malware or to reveal a crucial vulnerability, we should not be surprised to find that it has soon spread to forums associated with groups that totally differ in agenda and motive. This time we wish to focus on the exchange of capabilities between Russian cyber-criminals and Arab hackers and hacktivists.

We recently identified discussions on Arab hacker forums about tools developed by their colleagues around the world. For example, on Dev-Point, an Arab forum that deals with programming and penetration testing, one member published a thread about a DDoS tool with a Russian interface named Dirt Jumper. We continued to follow the research into this tool in Arabic and found another message on a hacking forum named v4-team, asking for links to Dirt Jumper.

A thread in Arabic about Dirt Jumper

This malware was already recognized on the Russian underground in 2011, where it was sold for $600 on closed Russian forums. Later, its files were leaked on one of these forums, and today it can be downloaded at no charge. We can only guess at how it “travelled” from a closed Russian forum to an Arabic one, but obviously it took a while.

Post about Dirt Jumper on a Russian underground forum

This exchange of abilities has also been witnessed in the opposite direction. The LostDoor RAT is a popular malware found on Russian forums. Links for downloading versions of the malware are periodically posted on several platforms and discussions about its abilities are held. A deeper investigation of this malware revealed its origins to be Tunisian, owing to the fact that it is displayed on different platforms as the first Tunisian RAT tool.

LostDoor is a product by a company named Hackers®Insides Inc. and its developer is a Tunisian computer specialist nicknamed Unique Oussamio. He often uploads links to new versions of his tool via Twitter, Facebook and a dedicated blog.

Apparently, Oussamio has ties to hacktivism, as he uploaded pictures of himself wearing an Anonymous mask. This may indicate a trend, when malware developed by hacktivists spreads into the cyber-crime world.

LostDoor and its Tunisian developer

To conclude, in the hacker world it does not matter where the malware originates. Northern Africa or Eastern Europe – the only thing that matters is its efficiency. If it can cause enough damage, it will find a way to reach the “right hands” (and shortly afterwards your computer).


Torshammer666 – A New Variant of a DDoS Python Based Tool

Lately we have seen a new version of the Torshammer DDoS tool, created by An0nsec hackers. The An0nsec hacker group was established in 2012. The group members have links to the infamous hacker group AnonGhost, which initiated several cyber operations last year, such as OpUSA, OpPetrol and OpIsrael. They usually leak details from databases of companies and countries around the world, such as China, Canada and Russia. They also deface websites.

Torshammer is a well-known Python-based DDoS script meant for slow POST denial-of-service attacks: it opens many HTTP POST requests and feeds the body slowly, tying up server connections. Originally published by Packet Storm Security in 2011, it has made the rounds and has been used by Anonymous, LulzSec and other hacktivist groups. As is evident from the name of the tool, it allows the use of Tor proxies in order to mask the attacker’s IP addresses.

The version that we have found (dubbed torshammer666) is tweaked in several places, adding the following functionality to the tool:

Ability to send GET Requests

Up until now the Torshammer tool only supported POST requests; now the ability to send GET requests has been incorporated. The GET requests are structured as follows:

GET request structure (image)

The POST request has also changed: the Cache-Control and Accept-Charset HTTP headers have been added to it.

POST request structure (image)

Additional User Agent strings

Torshammer666 now supports three more UA strings:

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0

Below is a comparison table between the two tools:

User Agent Strings – Torshammer

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Googlebot/2.1 (http://www.googlebot.com/bot.html)

Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

User Agent Strings – Torshammer666

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Googlebot/2.1 (http://www.googlebot.com/bot.html)

Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0
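A defender can turn the comparison above into a detection: a single request carrying one of these User-Agent strings means little (Googlebot, Firefox and Opera strings are everywhere), but one source IP rotating through several strings from the pool, using one of the three Torshammer666-only strings, or holding POST requests open for tens of seconds is the slow-POST pattern the post describes. The script below is an added example written for this page; it is not code from the SenseCy post and not the tool's own code. It assumes an Apache combined log with a trailing %D field (request duration in microseconds), and the IP addresses, timestamps and durations in the sample log are constructed.

```python
"""Added example (defender side): scan access-log lines for the User-Agent
pool that Torshammer/Torshammer666 rotate through and for slow POSTs.
Not code from the SenseCy post or from the tool; the log format, IPs and
durations are constructed for the example."""
import re
from collections import defaultdict

# User-Agent strings both tools share (a subset of the comparison table).
TORSHAMMER_UAS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)",
    "Googlebot/2.1 (http://www.googlebot.com/bot.html)",
    "Opera/9.20 (Windows NT 6.0; U; en)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13",
    "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
# The three strings only Torshammer666 adds; the last one is reproduced as
# printed in the post, without a closing parenthesis.
TORSHAMMER666_ONLY_UAS = {
    "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0",
}

# Assumed log format: Apache "combined" plus a trailing %D field
# (request duration in microseconds), which is what exposes slow POSTs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usec"] = int(rec["usec"])
    return rec


def classify_ua(ua):
    """'variant' for Torshammer666-only strings, 'pool' for shared ones, else None."""
    if ua in TORSHAMMER666_ONLY_UAS:
        return "variant"
    if ua in TORSHAMMER_UAS:
        return "pool"
    return None


def analyse(lines, slow_post_usec=10_000_000, rotate_threshold=3):
    """Aggregate per source IP and return only the IPs with a reason to flag.

    An IP is flagged when it uses a Torshammer666-only string, rotates
    through >= rotate_threshold distinct pool strings (real browsers do
    not change their User-Agent between requests), or keeps POST
    requests open for >= slow_post_usec.
    """
    per_ip = defaultdict(lambda: {"pool_hits": 0, "variant_hits": 0,
                                  "slow_posts": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify_ua(rec["ua"])
        if tag is None:
            continue
        s = per_ip[rec["ip"]]
        s["pool_hits"] += 1
        s["uas"].add(rec["ua"])
        if tag == "variant":
            s["variant_hits"] += 1
        if rec["method"] == "POST" and rec["usec"] >= slow_post_usec:
            s["slow_posts"] += 1
    report = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["variant_hits"]:
            reasons.append("torshammer666-ua")
        if len(s["uas"]) >= rotate_threshold:
            reasons.append("rotating-ua")
        if s["slow_posts"]:
            reasons.append("slow-post")
        if reasons:
            report[ip] = {"pool_hits": s["pool_hits"], "variant_hits": s["variant_hits"],
                          "slow_posts": s["slow_posts"], "distinct_uas": len(s["uas"]),
                          "reasons": reasons}
    return report


# Constructed sample log: one source cycling through the pool with long
# POSTs, and two ordinary visitors that happen to use pool strings once.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2014:10:00:01 +0300] "POST /login HTTP/1.1" 408 0 "-" "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51" 30000000
203.0.113.7 - - [07/Apr/2014:10:00:02 +0300] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" 29500000
203.0.113.7 - - [07/Apr/2014:10:00:02 +0300] "GET / HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 12000
198.51.100.9 - - [07/Apr/2014:10:00:03 +0300] "GET /news HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13" 15000
192.0.2.44 - - [07/Apr/2014:10:00:04 +0300] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 900
"""

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample log only 203.0.113.7 is reported, with all three reasons; the two single-hit visitors are left alone. The rotation check is the most robust of the three signals, because the User-Agent pool is public and any one string in it is shared with legitimate clients, whereas a genuine browser or crawler keeps one string across a session.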