URL: https://www.sentinelone.com/blog/hacktivism-in-the-israel-hamas-conflict-citizen-data-leaked-using-old-malware/
HACKTIVISM IN THE ISRAEL-HAMAS CONFLICT | CITIZEN DATA LEAKED USING OLD MALWARE

October 26, 2023
by Jim Walter

The current conflict between Israel and the Hamas militant group has triggered an
onslaught of hacktivist-level activity carried out in the name of both sides.
Amid the ongoing fighting, numerous hacktivist groups and ‘lone wolves’ have
taken the opportunity to maneuver into the cyber arena, deploying an array of
malicious activities including Distributed-Denial-of-Service (DDoS) attacks,
cyber defacement, doxxing, and custom malware launches.

So far, these threat actors’ use of novel malware/scareware and of tools such as
Redline Stealer and PrivateLoader continues to target Israeli citizens,
businesses, and critical sector entities, causing data leaks and widespread
disruptions. This write-up serves as a roundup of the tactics and techniques we
are observing in the Middle East, allowing security practitioners to stay
informed and on top of developing threats stemming from the war.




ANALYSIS OF DATA LEAKS & STEALERS


HAGHJHOYAN

Haghjhoyan logo

Haghjhoyan, also known as the “Peace Seekers”, first emerged in October 2023. It
is characterized as a pro-Iran hacktivist group and has been leaking small
archives of Israeli citizen data through its recently established Telegram
channel. On October 8th, the group announced an infiltration of the Israeli Red
Alert Emergency System. This was followed by the October 13th, 2023 announcement
of the group’s infiltration of multiple critical infrastructure targets across
Israel, during which Haghjhoyan shared screenshots of its virtual network
computing (VNC) sessions on a variety of utility-centric targets. ‘Proof’ files
associated with this breach were also shared in the Haghjhoyan Telegram channel.

Attack on Israeli utilities

Between October 15th and October 19, 2023, the group continued to announce new
leaks and attacks, including the claim of infecting “1000” Israeli computers.
The full message shared is as follows: “1000 computers from Israel were
infected. This is a gift from Palestinian children to Israel hac*kers and the
bast*ard people of Israel”.

Attack on the Israeli public

Screenshots shared in the Haghjhoyan Telegram channel show filenames that hold
‘clues’ potentially pointing towards the use of malware. Further, there is
indication of potential social engineering lures used by the group to encourage
the download and execution of trojanized applications.

In the image above, the following file names are of special interest:

 * Frosty Mod Manager 1.0.6.0 (Beta 4) (FIFA 19)
 * Subinfeudated Oat.exe
 * Default-Dark-Mode-1.20-2023.6.0.zip

The ‘Frosty Mod Manager’ and ‘Default-Dark-Mode’ file names are references to the
games FIFA and Minecraft respectively. From the data shared by the threat actor,
it appears that they are using these games as social engineering lures,
manipulating targets through social media platforms like Discord, WhatsApp, and
Telegram into launching trojanized versions of the applications. Targeting users
of extremely popular games like Roblox, Minecraft, and FIFA with supposedly free
‘mod’ packages is an effective way to reach a large portion of the general
public.

We can also glean some information from the leaked data itself. For example, the
stealer log output from the ICS targets contained in the leaked file
“IL-ISRAEL-25PCS-2023.rar” is formatted in a way that suggests the use of
Redline Stealer, or similar malware.

Stealer logs from Haghjhoyan target showing similarities with Redline Stealer

This is further supported by another leaked screenshot from the threat actors.
The following screenshot shows the malware being executed. The file name of the
launched executable also happens to be the SHA1 hash of the malware. That SHA1
hash (0b0123d06d46aa035e8f09f537401ccc1ac442e0) belongs to a public sample of
Redline Stealer dating from 2019; it is not exclusive to these attacks and
campaigns.

Redline running in leaked screenshot from Haghjhoyan

In a separately-shared screenshot from Haghjhoyan, there are clues pointing to
the use of another malware tool called PrivateLoader.

The “Subinfeudated Oat” malicious application

The “Subinfeudated Oat.exe” in the above image is a sample of PrivateLoader.
Something of a commodity tool, it is often used as a method to download and
launch additional malware payloads. Loaders such as this or Smoke Loader allow
lower-tier actors to evade basic detective controls like legacy antivirus (AV).

Through these two examples we can tie the use of PrivateLoader and Redline
Stealer to the anti-Israel malware attacks driven by Haghjhoyan. Current
intelligence indicates that the data Haghjhoyan is leaking, acquired via
Redline, is fresh and valid and has not previously been leaked in the wild. It
should also be noted that Haghjhoyan made its Telegram channel private on
October 24th, 2023.
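The observation above, that the launched executable was named after its own SHA1 hash, is a useful hunting tell: a sample pulled from a public malware repository and run unmodified usually keeps its hash as its file name. The script below is an added example (not from the SentinelOne post or its authors) that flags such files in a directory tree and cross-checks digests against the SHA1 IoCs listed at the end of the post; the demo files and their contents are constructed.

```python
# Added example: hunt for executables whose file name is their own SHA1 hash
# and for files matching the post's published SHA1 IoCs. Sample files below
# are constructed stand-ins, not real malware.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# SHA1 IoCs as published in the post (Redline Stealer, PrivateLoader).
KNOWN_SHA1 = {
    "0b0123d06d46aa035e8f09f537401ccc1ac442e0": "Redline Stealer (public 2019 sample)",
    "a25e93b1cf9cf58182241a1a49d16d6c26a354b6": "PrivateLoader",
    "8ade64ade8ee865e1011effebe338aba8a7d931b": "PrivateLoader",
}

# 40 lowercase hex chars, optionally followed by one short extension, e.g. "<sha1>.exe".
HASH_NAME_RE = re.compile(r"^([0-9a-f]{40})(?:\.[a-z0-9]{1,8})?$")


@dataclass
class Finding:
    path: str
    sha1: str
    reasons: list = field(default_factory=list)


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA1 so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str) -> "Finding | None":
    """Return a Finding if the file is suspicious under either heuristic, else None."""
    digest = sha1_of_file(path)
    reasons = []
    if digest in KNOWN_SHA1:
        reasons.append(f"SHA1 matches published IoC: {KNOWN_SHA1[digest]}")
    m = HASH_NAME_RE.match(os.path.basename(path).lower())
    if m:
        if m.group(1) == digest:
            # Strong signal: the sample was almost certainly downloaded from a
            # hash-indexed repository and executed as-is.
            reasons.append("file name is its own SHA1 (sample likely pulled from a public repository)")
        else:
            # Weaker signal: hash-shaped name but content differs (edited or renamed file).
            reasons.append("file name looks like a SHA1 but does not match content")
    return Finding(path, digest, reasons) if reasons else None


def scan_tree(root: str) -> list:
    """Walk a directory tree and collect findings, sorted by path for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found = classify(os.path.join(dirpath, name))
            if found:
                findings.append(found)
    findings.sort(key=lambda f: f.path)
    return findings


def build_demo_tree() -> str:
    """Create a temp directory with constructed files exercising each heuristic."""
    root = tempfile.mkdtemp(prefix="hashname_demo_")
    payload = b"constructed stand-in for a sample downloaded from a malware repository\n"
    # File named after its own SHA1, the pattern seen in the leaked screenshot.
    with open(os.path.join(root, hashlib.sha1(payload).hexdigest() + ".exe"), "wb") as fh:
        fh.write(payload)
    # Hash-shaped name whose content does not match (weaker signal).
    with open(os.path.join(root, "0" * 40 + ".exe"), "wb") as fh:
        fh.write(b"constructed renamed file\n")
    # Ordinary file that should produce no finding.
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"constructed benign text\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f.sha1, f.path)
        for r in f.reasons:
            print("   -", r)
```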


SOLDIERS OF SOLOMON



Another malicious hacktivist group, going by the moniker Soldiers of Solomon,
has also made bold claims around the infiltration and infection of critical
infrastructure in Israel. They have also claimed ownership of a customized
ransomware called Crucio. On October 18th, 2023, the Soldiers of Solomon
announced their attack via the resurrected BreachForums.

Announcement of Crucio ransomware attack (BreachForums)

The Soldiers of Solomon also announced this effort via their public Telegram
channel. The full message reads as follows: “The Soldiers of Solomon have taken
full control of more than 50 servers, security cameras and smart city management
system in Nevatim military area. Once we got access to those targets, we
exfiltrated 25TB of data and ransomed them via our customised Crucio ransomware
(Ltd). Database Link: https://www.mediafire.com/folder/5fahf8k…/All+Files”.

The ‘proof’ package, hosted on MediaFire, consists of the same screenshots
provided in their Telegram channel.

Soldiers of Solomon ‘proof’ screenshots

The bulk of these images show a Windows desktop with a document (.jpg image)
displayed with the Soldiers of Solomon’s anti-Israeli messaging.

Soldiers of Solomon “infected” host

From these images, we can see that the filename for the document displayed is
“ref.jpg”.

ref.jpg note

Analysis of the Crucio ransomware deployment is ongoing and full details are not
yet corroborated. That said, we can state that it is not outside the realm of
possibility that these groups would repackage an existing or leaked malware
builder or kit and use that as a payload to get their message out and cause
disruption.


CYB3R DRAG0NZ TEAM

Cyb3r Drag0nz Team logo

Cyb3r Drag0nz Team is a hacktivist team with a history of launching DDoS attacks
and cyber defacements as well as engaging in data leak activity. They are now
taking credit for multiple leaks and DDoS attacks against Israeli targets. This
includes a DDoS attack against the official website of the Israeli Air Force.

Cyb3r Drag0nz Team claims to have leaked data on over a million Israeli
citizens, spread across multiple leaks. To date, the group has released multiple
.RAR archives of purported personal information on citizens across Israel.

The Cyb3r Drag0nz Team has been observed taking full advantage of various social
media platforms to announce their targeting and intrusions. They post updates
via Instagram, Twitter, and Telegram as well as Facebook and YouTube.

Data of 6000 Israeli citizens leaked

Most recently, the group claims to have stolen the data of more than “1 million”
Israeli citizens.

Israel citizen data leaked by Cyb3r Drag0nz Team

This announcement was accompanied with a RAR archive named “Israel Leaked By
Cyb3r Drag0nz Team.rar”. Current analysis of data being leaked by Cyb3r Drag0nz
Team shows a varying level of ‘freshness’. Some of the sample leaked data has
appeared in prior leaks or dumps from other groups while other data appears to
be new.

Files shared by Cyb3r Drag0nz Team


CONCLUSION

The hacktivist groups currently active in the Israel-Hamas conflict are ramping
up in both intent and skill level. Though these groups are still relatively
small, it is clear that they are carrying out successful attacks and putting
ordinary citizens at risk. This class of criminal activity is often viewed as
being of a lower tier; however, the ongoing fighting in Gaza has provided a
springboard for these groups to leverage political chaos to further their
malicious cyber goals.

We believe that these groups have relatively low sophistication and limited
financial resources. The malicious actors’ use of tools like Redline and
PrivateLoader speaks to their position of having to use what is at their
disposal. This is bolstered by their use of in-the-wild Redline samples with
known hashes, revealing that the actors are not making the effort to modify or
customize the older malware.

That said, these groups continue to impact ordinary civilians, putting their
identity and data at risk to reach their goals. As the war continues to escalate
across multiple arenas, these small-yet-effective attacks are expected to only
increase.

We recommend the following best practices, which can help strengthen any
existing cybersecurity measures:

 * Focus on awareness and practice overly-diligent cyber hygiene. Take any
   opportunity to spread information about basic protection. Be vigilant against
   unexpected links, practice link validation, and do not engage in any
   unauthorized chats across popular social media platforms, particularly on
   Discord, WhatsApp, Telegram, and X.
 * Some of the malicious tools mentioned in this post are known to be disguised
   as mods for popular games. In some cases, we saw FIFA 19, Minecraft, and
   Roblox being used as social engineering lures. Be aware of this lure style
   and think twice before downloading game mod packages, or take extra
   precautions when doing so.
 * Update all security software and ensure it is properly configured. Use modern
   and reputable security solutions and software and look out for patches and
   fixes.
 * Monitor all endpoints under your control, whether at home or in an office,
   for signs of compromise. A robust XDR solution can provide deep visibility
   across endpoints in an environment as well as automated detection and
   response capabilities.


INDICATORS OF COMPROMISE (IOCS)


REDLINE STEALER (SHA1)

0b0123d06d46aa035e8f09f537401ccc1ac442e0


PRIVATELOADER (SHA1)

a25e93b1cf9cf58182241a1a49d16d6c26a354b6

8ade64ade8ee865e1011effebe338aba8a7d931b
