On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed it had hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits over the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom and has already published batches of the leaked material after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”
PyLocky is a new ransomware strain that was detected in the wild in late July 2018 and whose volume of infections increased throughout August. The malware is usually distributed through malspam emails claiming to link to a fake payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry data shows that PyLocky mainly targeted French and German cyberspace, but ransom notes also exist in Italian and Korean.
On September 11, 2018, we detected the leak of PyLocky source code on Pastebin. Thus far, the incident has not received media attention; however, the paste was viewed by over 2,500 users. Our assessment is therefore that this leak might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future. Continue reading “PyLocky Ransomware Source Code Leaked Online”
Written by Hila Marudi, Yotam Gutman and Gilad Zahavi
The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.
It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.
Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.
Summary of the groups participating in the campaign:
| Group name | Group details | Activity |
|---|---|---|
| AnonGhost | Tunisian, the campaign instigator | Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses |
| AnonSec | Pro-Palestinian Muslim group | Leaked government email addresses, defaced websites and launched DDoS attacks |
| Fallaga | Tunisian | Built web-based attack tools and shells, launched DDoS attacks against government sites |
| Security_511 | Saudi group | Launched DDoS attacks against government sites and leaked government email addresses |
| Izzah Hackers | Pro-Palestinian Muslim group | Launched DDoS attacks against websites and leaked email addresses |
| Hacker Anonymous Military | Pro-Palestinian Muslim group | Launched DDoS attacks against government sites, leaked government email addresses and defaced websites |
| Moroccan Agent Secret | Moroccan group | Defaced websites and leaked email addresses |
According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.
According to our analysis, there has been no dramatic change since the previous OpIsrael campaign, which took place on April 7, 2013. We can think of at least two reasons for that:
- The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
- During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.
It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much larger than in the last campaign.
However, under the surface we have noticed an emerging and concerning trend in recent weeks. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. These groups also share information among themselves (guide books, scripts, tutorials). Lately we have even identified exchanges of capabilities between Russian cybercriminals and anti-Israeli hackers and hacktivists.
The next phase, which we have not yet reached, might be the purchase of advanced cyber weapons by terrorist organizations. It may be only a matter of time until terrorist groups (al-Qaeda, for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.
On February 9, 2014, anti-Israeli hacker groups announced a cyber operation against Israel scheduled for March 10. According to a press release issued on Pastebin, all hacktivists worldwide are called upon “to wipe Israel yet again off the cyber web on March 10th, 2014 on the anniversary of Israel’s attack on Palestinian leader Yasser Arafat’s office in Gaza City”.
The attackers published a target list of about 1,360 websites, including government websites, banks and financial institutions, media outlets, academic institutions, the defense industry, etc. We have identified several hacker groups that will participate in the campaign. One of them is AnonGhost, which initiated the April 7, 2014 campaign. Another interesting group is RedHack, a Turkish hacker group that recently waged several high-profile attacks.
The attackers have also created an official Twitter account and a Facebook page, where they have posted links to download various attack tools, such as DDoS, SQL, RAT, keyloggers and more.
As in previous campaigns, we assume that pro-Palestinian hacker groups will launch cyberattacks against Israeli websites, but with a low success rate, especially against banks and critical infrastructure websites.
SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.