A new politically motivated hacker group named “Moses Staff” has been linked to a wave of targeted attacks against Israeli organizations since September 2021, with the aim of plundering and leaking sensitive data before encrypting the victims’ networks, leaving no option to regain access or negotiate a ransom.
“The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim’s networks, with no ransom demand,” Check Point Research said in a report published Monday. “In the language of the attackers, their purpose is to ‘Fight against the resistance and expose the crimes of the Zionists in the occupied territories.’”
At least 16 victims have had their data leaked to date, according to statistics released by the collective.
The threat actor is said to leverage publicly known vulnerabilities to breach enterprise servers and gain initial access, following that up with the deployment of a custom web shell that is used to drop additional malware. Once inside, the intruders take advantage of living-off-the-land (LotL) techniques to move laterally across the network and deploy malware that locks the machines behind encryption barriers by means of a specially crafted PyDCrypt malware.
The attacks specifically rely on the open-source library DiskCryptor to perform volume encryption, in addition to infecting the systems with a bootloader that prevents them from starting without the correct encryption key. The goal, the researchers said, is to disrupt operations and inflict “irreversible damage” on the victims.
That said, the encrypted files can be recovered under certain scenarios because the group uses a symmetric key mechanism to generate the encryption keys. Check Point did not attribute the adversary to any specific country, citing a lack of definitive evidence, but noted that some artifacts of the group’s toolset had been submitted to VirusTotal from Palestine months prior to the first attack.
Moses Staff also operates on Twitter and Telegram to publicize their attacks, with malicious activity reported as recently as November 14. The group’s own website claims it has targeted over 257 websites as well as stolen data and documents amounting to 34 terabytes. What’s more, the web portal urges external parties to join hands with them in “exposing the crimes of the Zionists in occupied Palestine.”
“Moses Staff are still active, pushing provocative messages and videos on their social network accounts,” the researchers said. “The vulnerabilities exploited in the group’s attacks are not zero days, and therefore all potential victims can protect themselves by immediately patching all publicly facing systems.”