Nov 15, 2021

Moses Staff hackers wreak havoc on Israeli orgs with ransomless encryptions

A new hacker group named Moses Staff has recently claimed responsibility for numerous attacks against Israeli entities. The attacks appear politically motivated, as the group makes no ransom payment demands.
The threat actors have repeatedly caused damage to Israeli systems in the past couple of months, infiltrating networks, encrypting files, and then leaking the stolen copies to the public.
As such, the group’s apparent motive is to cause maximum operational disruption and damage to its targets by exposing corporate secrets and other sensitive information via dedicated data leak sites, Twitter accounts, and Telegram channels.
Researchers at Check Point have published a detailed report today on Moses Staff, examining the techniques, infection chain, and toolset used by the actor.
Moses Staff appears to be using publicly available exploits for known vulnerabilities that remain unpatched on public-facing infrastructure.
For example, the hacking group has been targeting vulnerable Microsoft Exchange servers that have been under exploitation for months now, yet many deployments remain unpatched.
After successfully breaching a system, the threat actors move laterally through the network with the help of PsExec, WMIC, and PowerShell, so no custom backdoors are used.
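Because the lateral movement described above relies on built-in tools rather than custom implants, defenders can look for their telltale footprints in Windows event logs. The following is an added illustration, not code from the Check Point report: a small Python scanner with constructed sample events (the event IDs, hostnames and commands are made up for the demonstration) that flags remote WMIC process creation, PsExec service installation, and encoded PowerShell.

```python
import re

# Constructed sample events (not taken from the Check Point report): Windows
# Security/System log records flattened to "<EventID> key=value ..." lines.
SAMPLE_LOGS = [
    '4688 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmdline=wmic /node:"DC01" process call create "cmd.exe /c hostname"',
    '7045 host=DC01 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe starttype=demand',
    '4688 host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe '
    'cmdline=notepad.exe report.txt',
    '4688 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline=powershell -NoP -W Hidden -EncodedCommand QQBCAEMA',
]

# Heuristic rules for the three built-in tools the article names. Each rule is
# (rule name, event id it applies to, regex over the rest of the line).
RULES = [
    ("wmic_remote_process_create", "4688",
     re.compile(r"wmic(?:\.exe)?\b.*\s/node:", re.IGNORECASE)),
    ("psexec_service_installed", "7045",
     re.compile(r"\bPSEXESVC\b", re.IGNORECASE)),
    ("powershell_encoded_command", "4688",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}",
                re.IGNORECASE)),
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan(lines):
    """Return (rule name, host) for every line that matches a rule.

    Lines without a numeric event id or a host= field are skipped rather than
    guessed at, so malformed input cannot produce a false alert.
    """
    hits = []
    for line in lines:
        event_id, _, rest = line.partition(" ")
        host = HOST_RE.search(rest)
        if not event_id.isdigit() or host is None:
            continue
        for name, wanted_id, pattern in RULES:
            if event_id == wanted_id and pattern.search(rest):
                hits.append((name, host.group(1)))
    return hits


def hosts_with_lateral_movement(lines):
    """Distinct hosts that tripped at least one rule; a useful triage pivot."""
    return sorted({host for _, host in scan(lines)})
```

Run against the sample above, the scanner flags FS01 twice (WMIC and encoded PowerShell) and DC01 once (PsExec service), while the benign notepad.exe event is ignored.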
The actors eventually deploy custom malware called PyDCrypt, which uses DiskCryptor, an open-source disk encryption tool available on GitHub, to encrypt devices.
Check Point explains that the encrypted files can be restored under certain circumstances, because the encryption scheme relies on symmetric key generation when encrypting devices.
PyDCrypt generates a unique key for every hostname from an MD5 hash and a crafted salt. If the copy of PyDCrypt used in the attack is retrieved and reverse-engineered, the hashing function can be derived.
This is possible in many cases, namely where the ransomware’s self-deletion hasn’t worked or was disabled in its configuration.
In general, Moses Staff isn’t putting much effort into this aspect of its operation: the main goal is to cause chaos in the targeted Israeli organizations, not to ensure that the encrypted drives are irrecoverable.
Although the actor is new by name, it may have links to ‘Pay2Key’ or ‘BlackShadow,’ which share the same political motivation and targeting scope.
“In September 2021, the hacker group Moses Staff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Pay2Key and BlackShadow attack groups,” the researchers explain in their report.
“Those actors operated mainly for political reasons in an attempt to create noise in the media and damage the country’s image, demanding money and conducting lengthy and public negotiations with the victims.”
The group has a vocal presence on social media, a Tor data leak site, and a Telegram channel, all used to publish stolen data through as many channels as possible to maximize damage.
So far, analysts haven’t been able to attribute Moses Staff to a particular geographic location or determine whether it is a state-sponsored group.
However, one of the malware samples used in Moses Staff attacks was uploaded to VirusTotal from Palestine a few months before the attacks began.
“Although this is not a strong indication, it might betray the attackers’ origins; sometimes they test the tools in public services like VT to make sure they are stealthy enough,” explains Check Point.
As Moses Staff attacks use old vulnerabilities that have available patches, Check Point advises all Israeli entities to patch their software to help prevent attacks.