VERSPRITE CYBERWATCH





Cyberwar Between Israel and Palestine

Author Uddip Ranjan, Threat Intelligence Group Analyst

The ongoing conflict between Israel and Palestine has taken a new turn with the emergence of cyberwarfare. Hacktivist groups from both sides are targeting each other's infrastructure, disrupting and defacing websites. Various groups, including Anonymous Sudan, AnonGhost, and Stucx Team, have carried out the attacks. Some of these groups are suspected of having ties to Russia. The attacks have caused temporary disruptions, but no serious or long-term damage has been reported.

Timeline of the Cyberattacks

[Image: Timeline of Israel-Palestine Cyberattacks, by Julian B]

· October 7, 2023: The websites of two relief groups providing aid to Israel and Gaza were disrupted after hackers flooded them with traffic. The Jerusalem-based nonprofit United Hatzalah and Medical Aid for Palestinians (MAP) both reported cyberattacks.

· October 9, 2023: Data from Cloudflare, a leading cloud delivery network, shows signs of cyberattacks in the form of DDoS attacks impacting both Israel and Palestine.

· October 10, 2023: Hacktivist groups say they are hitting Israeli targets online amid the war in Israel and Gaza, disrupting and defacing websites like the Jerusalem Post. Examples of serious or long-term damage are still thin, but the activism shows how a subset of supporters uses digital tools to bring the war online.

· October 11, 2023: Anonymous Sudan, highly suspected of having Russian support, targeted Israeli alert systems, claiming responsibility for disrupting Israel's Tzeva Adom early warning radar system and launching a DDoS attack on the Jerusalem Post news service. Groups with Islamic tendencies gather on the Palestinian side. Furthermore, one of Stucx Team's claims is that they hacked an Israeli SCADA system's website.

· October 12, 2023: Several hacker groups have joined in on the Israel-Hamas conflict escalation that started over the weekend after the Palestinian militant group launched a major attack. In addition to the state-sponsored actors that have likely ramped up their cyber efforts behind the scenes, known hacktivist groups supporting both sides have intensified their cyberattacks.

Current Campaigns 

The websites of two relief groups providing aid to Israel and Gaza were disrupted in recent days after hackers flooded them with traffic. The Jerusalem-based nonprofit United Hatzalah, which provides emergency medical services, said its website was struck by distributed denial of service (DDoS) attacks that temporarily slowed its ability to receive donations. Medical Aid for Palestinians (MAP), a British charity helping with emergency relief to Gazans, said on Thursday in a post on X (formerly Twitter) that its website was under a "cyber-attack."

Amid the ongoing conflict between Israel and Hamas, a new battleground has opened up in cyberspace, with hackers from both sides trying to attack each other's infrastructure. The ongoing physical conflict within the region will likely attract additional hacktivist groups that ideologically, politically, or opportunistically support Israel or Palestine. Data from Cloudflare, a leading cloud delivery network, shows signs of cyberattacks in the form of DDoS attacks impacting both Israel and Palestine.

Hacktivist groups say they are hitting Israeli targets online amid the war in Israel and Gaza, disrupting and defacing websites like the Jerusalem Post. Examples of serious or long-term damage are still thin, but the activism shows how a subset of supporters uses digital tools to bring the war online. So far, among other incidents, a set of hackers supporting Hamas, known as AnonGhost, has claimed it disrupted an Israeli emergency alert application, according to its social media channel. Another group, named AnonymousSudan, said on Telegram it was actively targeting Israel's critical infrastructure, although it provided little evidence for its claims.

On October 17, Cloudflare warned that a threat actor was targeting Israeli Android users with a spyware-laced version of the 'RedAlert – Rocket Alerts' app. RedAlert – Rocket Alerts is a mobile app that provides real-time alerts about incoming rocket attacks in Israel. It is developed by a team of volunteers and is based on real-time data provided by the Home Front Command (Pikud Haoref). The app is very popular, with over a million downloads on Google Play. On October 13, 2023, Cloudflare's Cloudforce One Threat Operations Team uncovered a website offering a malware-infected version of the RedAlert - Rocket Alerts application. The website's domain, hxxps://redalerts[.]me, which was registered on October 12, 2023, differs from the genuine website by just one letter (the letter "s").

The website offers two download options, for iOS and Android respectively. When visitors select the iOS download, they are taken to the Apple App Store page for the real project, whereas the Android button starts the download of the fake APK file. The APK is built from the RedAlert app's open-source code, altered to include the attackers' malicious code.

While posing as the official rocket alert app, the malicious RedAlert version also harvests sensitive user information.


Similarly, ThreatSec posted on its Telegram channel last week that both pro-Israeli and pro-Palestinian hacktivists have joined the cyber-fight. Industrial control systems (ICS) seem to be one of their most lucrative targets, and hundreds are exposed.

Some threat actors, such as ThreatSec, have not claimed any allegiance and are boasting about attacking both sides.


"As you might know, we do not like Israel, but… We also don't like war! So, as we have attacked Israel in the past, we now attack the Gaza region, where many of the Hamas fighters are located!" The gang wrote on Telegram, claiming it had shut down nearly every server owned by Alfanet.ps – including Quintiez Alfa General Trading, one of the biggest ISPs (internet service providers) in the Gaza Strip.

ThreatSec is part of the "Five Families" – notorious and highly organized gangs (including GhostSec, Stormous, Blackforums, and SiegedSec) that collaborate on launching big cyberattacks.

Amid the ongoing Israel-Palestine conflict, a notable upsurge of hacktivist collectives has emerged, announcing an unceasing barrage of digital assaults directed at a wide range of targets. Anonymous Sudan, highly suspected of having Russian support, targeted Israeli alert systems, claiming responsibility for disrupting Israel's Tzeva Adom early warning radar system and launching a DDoS attack on the Jerusalem Post news service. Groups with Islamic tendencies gather on the Palestinian side. Furthermore, one of Stucx Team's claims is that they hacked an Israeli SCADA system's website.

Looking at the current trends, we can divide the cybercriminal groups into three distinct categories.

With this many players in the cyberwar, we appear to be approaching a peak whose effects will show in the coming weeks and months, as we discuss in the next section.

Future Predictions

The ongoing Palestine-Israel conflict has led to a surge in cyberattacks and hacktivist activity, with both sides attempting to attack each other's infrastructure. Hackers sympathetic to Hamas are working to make the Israel-Gaza conflict the next front of cyber warfare, with hacking groups linked to countries including Iran and Russia launching a series of cyberattacks and online campaigns against Israel over the past week. Lower-level cyberattacks are becoming a major feature of the war between Israel and Hamas, and the attacks could increase in intensity. The conflict could also attract hacktivist groups that ideologically, politically, or opportunistically support Israel or Palestine.

The Biden administration has increased cyber support to Israel amid the conflict with Hamas.

As for the future implications of the Palestine-Israeli war happening right now, it is possible that the conflict could have significant implications in terms of cybersecurity and cyberterrorism. The conflict could attract additional hacktivist groups that are either ideologically, politically, or opportunistically supporting either Israel or Palestine. It could also lead to more cyberattacks and online campaigns against Israel, with hackers sympathetic to Hamas working to make the Israel-Gaza conflict the next front of cyber warfare. The attacks could intensify, and lower-level cyberattacks could become a major feature of the war between Israel and Hamas.

The conflict could also have significant effects on civilians and industries. The attacks could disrupt and deface websites, knock them offline, and cause confusion. The attacks might target critical infrastructure, such as energy, defense, and telecommunications organizations, and cause lasting damage. The attacks could impact freedom of the press and cause major communications disruptions. 

The conflict could also impact the cybersecurity industry, with Israeli cybersecurity professionals banding together to provide free cybersecurity services to Israeli companies amid a spike in hacktivist activity sparked by the war in Gaza.

It is important to note that the conflict might provoke state-sponsored cyberattacks and retaliatory actions towards other governments and companies, a serious threat during war and peace. The conflict could lead to a new normal where a cyber war accompanies a physical battle. It is crucial for both sides to take measures to protect their infrastructure and citizens from cyberattacks and to work towards a peaceful resolution to the conflict.

History of the Conflict

The conflict between Israel and Palestine has a long and complicated history. The roots of the conflict can be traced back to the late 19th century when Jews began immigrating to Palestine in large numbers. The Zionist movement, which sought to establish a Jewish homeland in Palestine, gained momentum in the early 20th century. After World War I, the League of Nations granted Britain a mandate to govern Palestine. In 1947, the United Nations voted to partition Palestine into two states, one Jewish and one Arab. The Jews accepted the plan, but the Arabs rejected it, leading to a war between the two sides. Israel declared its independence in 1948, and the Arab-Israeli conflict has continued ever since.

Other Countries Involved

Apart from the hacktivist groups from Israel and Palestine, other countries are also involved in the cyberwar. Reports indicate that hacking groups, including some tied to Russia, are attacking Israeli government and media websites, allying themselves with the Palestinian militant group Hamas, which launched a series of deadly attacks on Israel. The involvement of other countries in the conflict has made the situation more complex and challenging to resolve.

Conclusion

The cyber war between Israel and Palestine is a new front in the ongoing conflict between the two regions. Hacktivist groups from both sides are targeting each other's infrastructure, disrupting and defacing websites. The attacks have caused temporary disruptions, but no serious or long-term damage has been reported. We anticipate the cyber-conflict to spill over to other countries, potentially affecting both government organizations and private companies, as the conflict develops.





FDA New Mandates for Ensuring the Integrity of Medical Devices and Their Implications for Companies

October 5th, 2023

In recent years, the Food and Drug Administration (FDA) has recognized the increasing vulnerability of medical devices to cybersecurity threats. Given the critical nature of these devices in patient care, the FDA has implemented stringent mandates to ensure the security and integrity of medical devices. These mandates are outlined in the FDA guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance for Industry and Food and Drug Administration Staff," issued on September 27, 2023.

Here is a brief summary of the critical components of these mandates for 2023:  

  1. Risk Assessment: Medical device vendors must conduct thorough risk assessments to identify potential cybersecurity vulnerabilities. This involves evaluating the device's software, hardware, and communication interfaces.
  2. Security Controls: Implementing robust security controls to safeguard against unauthorized access, data breaches, and other cyber threats. This may include encryption, access controls, and regular security updates.
  3. Patch Management: Establishing a timely and effective patch management process to address known vulnerabilities promptly. Vendors must have a mechanism for deploying security patches to their devices.
  4. Incident Response: Developing an incident response plan to promptly manage and report cybersecurity incidents. This includes notifying affected parties and the FDA when necessary.
  5. Post-Market Surveillance: Continuously monitoring and assessing the security of devices in the field to identify and mitigate new vulnerabilities that may arise over time.
  6. Collaboration: Encouraging collaboration between manufacturers, healthcare providers, and cybersecurity experts to stay abreast of emerging threats and best practices.

Along with introducing much-needed security requirements to a vulnerable field, the mandates add complexity to medical device development, implementation, and usage. How do companies balance quality, security, and compliance while handling extensive networks and environments, multiple vendors, and manufacturing, development, and deployment processes?

VerSprite has been a leader in offering its clients a comprehensive approach to security and compliance through the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology. PASTA's secret sauce is adaptability, unlike static frameworks such as STRIDE. The threat modeling method allows companies to scale and adjust to not only changing regulations but to the ever-evolving threat landscape.  

PASTA directs the products' security posture and assures that controls that do not mitigate the threats are not deployed. The threat modeling methodology creates and builds on threat libraries that relate to the particular environment and use cases. This builds security into a medical device at a level that cannot be achieved without understanding the threats.  

PASTA can guide the development team through the SPDF (Secure Product Development Framework), which the FDA recommends for vulnerability and risk management validation. PASTA can be embedded into each phase of the cycle:

  - Design: Risk Analysis
  - Development: Risk Evaluation
  - Release: Risk Analysis
  - Support: Risk Analysis and Control

Here is an example of mapping ISO 14791 to the PASTA threat model that VerSprite did for one of our clients. It demonstrates in detail PASTA's holistic approach and guidance throughout the process.

VerSprite Cybersecurity News Updates




Johnson Controls Ransomware Attack Highlights the Urgency of Business Resilience

October 4th, 2023

Author: Marian Reed, Vice President, GRC

The recent ransomware attack on Johnson Controls, a major supplier of building security and automation solutions, has sent shockwaves through the cybersecurity community, revealing the US Department of Homeland Security as one of the victims of the attack. This incident serves as a reminder that businesses need to be prepared for cyberattacks, not only from a technical perspective but also from a strategic and operational standpoint.

The Impact on Critical Infrastructure

News reports indicate that the ransomware attack on Johnson Controls has raised concerns about potential vulnerabilities in the nation's critical infrastructure. As Johnson Controls provides security and automation solutions to various government facilities, the attack could potentially impact the DHS and its ability to safeguard critical infrastructure.

Preparation Is Key

The Johnson Controls incident underscores the critical need for businesses to prepare for cyberattacks proactively. Ransomware attacks can disrupt operations, lead to data theft, and have far-reaching financial and reputational consequences. To effectively mitigate these risks, organizations must have a clear plan in place.

Handling Ransomware Attacks

When it comes to handling ransomware attacks, several key decisions must be made ahead of time:

1. To Pay or Not to Pay: While experts generally advise against paying ransoms, there may be instances where it becomes a necessary evil to recover critical data swiftly. However, this decision should be part of a pre-established strategy, carefully weighed against the potential consequences and legal implications.

2. Engaging Law Enforcement: Contacting law enforcement agencies, such as the FBI, is crucial in the event of a ransomware attack. They can provide valuable guidance and investigate the incident. Designating specific personnel or teams to liaise with law enforcement ensures a more efficient response.

3. Defining Responsibilities: Assigning clear roles and responsibilities within the organization is essential. Establish an incident response team with individuals well-versed in IT security, legal matters, and public relations. Designate who will communicate with affected parties, manage public relations, and handle legal aspects of the incident.

Business Resilience Best Practices

To enhance business resilience against cyberattacks, consider the following best practices:

  • Regular Risk Assessments: Conduct periodic risk assessments to identify vulnerabilities and emerging threats. Stay informed about the evolving cybersecurity landscape and adapt your strategy accordingly.
  • Employee Awareness Training: Invest in cybersecurity training for all employees to reduce the risk of human error serving as an entry point for cyberattacks.
  • Data Backup and Recovery: Implement robust data backup and recovery procedures. Test the recovery process regularly to ensure its effectiveness.
  • Incident Response Plan: Develop a comprehensive incident response (IR) plan outlining the steps to take during a cyberattack. Periodically review and update this plan.
  • Partnership with Third-Party Risk Management: Consider partnering with cybersecurity experts and incident response firms. Their expertise can be invaluable in managing and mitigating cyber threats effectively.

While no organization is immune to cyber threats, proactive preparation and a strategic approach to handling ransomware attacks can help minimize the impact and ensure a swift recovery. It is imperative that businesses not only focus on technical defenses but also establish clear protocols for decision-making and coordination during cyber incidents. Building business resilience is not an option; it is a necessity in today's digital landscape.





Severe Security Flaw Alert: JWT Secret Poisoning (CVE-2022-23529)

January 17, 2023

Author:  Daniel Stiegman

CVE-2022-23529 is a vulnerability rated high severity (CVSS 7.6).

The vulnerability is insecure input validation in the jwt.verify function, which allows an untrusted entity that can modify the key retrieval parameter of jwt.verify to run code on the host.

The JSON Web Token (JWT) library in question (the jsonwebtoken package) is an open-source JavaScript package, developed and maintained by Auth0 (Okta). It allows for verification and authentication on protected resources, securely transmitting information as a JSON object.

JWT (pronounced “jot”) is an open standard that defines a method of transferring information securely by encoding and signing JSON data: Header.Payload.Signature. It helps store information that is useful for the authentication process for users.

What is JWT:

  • JWT Header: Indicates the type of the token and the signing algorithm.
  • JWT Payload: Contains information about the user (e.g., username and admin: true).
  • JWT Signature: Signed using a secret key to ensure the token is authentic.
  • When a user attempts to log in to a protected asset with credentials, the credentials are sent to an authentication server, which validates them and signs a token with a secret key.
  • That signed JWT is stored on the server or with a secret manager.
  • Following that step, a user's request will carry that JWT, allowing access if the permissions exist.
  • When the user attempts to access a protected resource, the request will contain a newly generated JWT from a JWT authentication server.
  • Before the user is given access, the JWT is verified with a secret key.

Assessment:

In theory, Threat Actors can use this kind of flaw for Remote Code Execution by bypassing authentication and authorization mechanisms. The JWT package exposes a method called verify, which receives the parameters token, secretOrPublicKey, and options. If no allowed algorithms are given in the options.algorithms list, the package instead infers them from secretOrPublicKey, treating it as the contents of a Privacy Enhanced Mail (PEM) file. The vulnerability exists because secretOrPublicKey is assumed to be valid PEM content: its toString method is called without any validation of the object. A Threat Actor who controls that object can supply a malicious toString method in its place. The malicious code then executes and can exit the Node process before the ".includes('BEGIN CERTIFICATE')" check in the verify function is reached. This allows an arbitrary file write on the host machine.

If the secrets are stored in a Secret Manager rather than on the authenticating server, a Threat Actor with write access to the manager could execute code on the authentication server. This is only possible if there is no check that the supplied object is valid; if such a check exists, remote code execution is not achievable. Because the output of the Secret Manager is dynamic and uncertain, the Threat Actor will have a difficult time. For this exploit to work, the Threat Actor must have access to and control of the secretOrPublicKey value, and the secret keys must not be stored securely within the secret management process. Many researchers state that this exploit is a hypothetical case, as the Secret Manager would have to be part of the same context (app) with a non-serialized secret, and the Secret Manager would itself have to contain a vulnerability that allows users to define a function.

The reported fix for this vulnerability is to update from version 8.5.1 to 9.0.0.

Contact us today to learn how you can better protect your organization.





December 13, 2022

Author:  Daniel Stiegman

VerSprite CyberWatch: Threat Intelligence Analyst reacts to the recent FBI and CISA joint advisory on Cuba Ransomware:

The increase in enterprise-focused ransomware activity into 2020 has proved successful for Threat Actors (TA). "MAN1", aka "Moskalvzapoe", aka "TA511", has been the threat actor utilizing "Hancitor" as major e-crime groups have shifted away from normal banking trojan operations and moved towards ransom and data theft. This TA has been active over the last year, doubling its victims, and has had a steady increase in its paying victims over that time. Its main target industries have been Finance, Government, Healthcare, Critical Infrastructure, and IT, while the earlier targets were the aviation, financial, education, and manufacturing industries. The TA has acquired over $60 million in ransomware payments over this period.

The campaign uses Cuba ransomware in its attacks, which is not an indicator of a relationship with the nation state of Cuba. The group deploys the ransomware using the "Hancitor" distribution tool (an information stealer and malware downloader), which was typically distributed via spam campaigns. Such emails are disguised to look like DocuSign notifications. This campaign has used "ZeroLogon" as its exploit tool and leveraged a "dropper that writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products." In the last 2 years, ransomware groups have found it beneficial to evolve their attacks into "double extortion" (second-generation ransomware attacks), where the TA encrypts the data, requests a ransom, and threatens to post the stolen data if the target does not pay. Around May 2022, the TA began posting the data on Industrial Spy's online marketplace for sale.


The TA's TTPs include "copying legitimate HTML code of public-facing webpages, modifying the code, and then incorporating it in a spoofed domain." Their ransom notes state that they do thorough research on the target's "whole corporate network", encrypt the data, and give the target 3 days to pay before making the information public. Their notes claim they are very professional, will operate on agreed terms of recovery and confidentiality, and will supply evidence of the obtained information. The TA provides contact information and infrastructure for the victims to make payment and maintain correspondence through a PACE (Primary, Alternate, Contingency, Emergency) contact methodology.

Link to the advisory: https://www.cisa.gov/uscert/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware

Contact us today to learn how you can better protect your organization.




