Moses Staff gang attacked Israeli organisations with ransomless encryption

December 28, 2021
Moses Staff Threat Group Israel Ransomless Encryption CyberAttack Digital Risk

A newly surfaced threat group called Moses Staff has recently claimed responsibility for attacking several Israel-based organisations with ransomless encryption. Researchers believe the group's attacks are purely political: it demands no ransom and instead aims to cause chaos on Israeli systems.

The hacking group has damaged Israeli operations by infiltrating networks, encrypting files, and then leaking stolen copies publicly. It has become clear that the group's sole motive is to cause operational disruption and damage to its Israeli victims by exposing secrets and sensitive information through data leak websites, social media platforms, and Telegram channels.

Researchers studied Moses Staff hackers’ actions.


Earlier this week, a group of researchers released a report on how Moses Staff operates, infects targets, and uses its toolset against them.


One of their practical techniques is targeting vulnerable Microsoft Exchange servers that have remained unpatched for months. After breaching a system, they move across the network using PowerShell, PsExec, and WMIC. Because these are legitimate task automation tools, the attackers can spread through a network without deploying custom backdoors. For the encryption itself, however, Moses Staff uses custom PyDCrypt malware, which drives DiskCryptor to encrypt devices.
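The lateral-movement tradecraft described above (PowerShell, PsExec, WMIC) leaves traces in ordinary process-creation telemetry, which is where a defender would look for it. The following is an added detection example written for this article; it is not code from the researchers' report or from any vendor. The record format and the sample log lines are constructed, and the four rules are first-pass heuristics that an analyst would tune to their own environment.

```python
"""Heuristic detection of living-off-the-land lateral movement
(PsExec, WMIC, encoded PowerShell) in process-creation telemetry."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample records for this example (not real telemetry).
# Assumed format, one record per line: host|parent_image|image|command_line
SAMPLE_LOG = r'''
srv-ex01|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|PSEXESVC.exe
srv-ex01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA
ws-fin03|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wmic /node:fs01 process call create "cmd.exe /c net use"
ws-fin03|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE budget.docx
srv-ex01|C:\Windows\System32\svchost.exe|C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap "MSExchangeOWAAppPool"
'''


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    image: str
    command_line: str


# PowerShell invoked with an encoded command (-e / -ec / -en / -enc / -encodedcommand).
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
# WMIC asked to start a process on a remote node.
WMIC_REMOTE = re.compile(
    r"\bwmic\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def evaluate(host: str, parent: str, image: str, cmdline: str) -> List[Finding]:
    """Apply the heuristics to a single process-creation record."""
    hits: List[Finding] = []
    # PsExec drops and starts PSEXESVC.exe on the target; its -r switch renames
    # the service binary, so this exact-name match is only a first-pass signal.
    if _base(image) == "psexesvc.exe":
        hits.append(Finding(host, "psexec_service", image, cmdline))
    # A shell whose parent is the WMI provider host indicates remote WMI execution.
    if _base(parent) == "wmiprvse.exe" and _base(image) in SHELLS:
        hits.append(Finding(host, "wmi_spawned_shell", image, cmdline))
    if WMIC_REMOTE.search(cmdline):
        hits.append(Finding(host, "wmic_remote_exec", image, cmdline))
    if ENCODED_PS.search(cmdline):
        hits.append(Finding(host, "encoded_powershell", image, cmdline))
    return hits


def scan(log_text: str) -> List[Finding]:
    """Run every record in the log through evaluate(); malformed lines are skipped."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip rather than abort the sweep
        findings.extend(evaluate(*parts))
    return findings


def rules_by_host(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group triggered rules per host. Several distinct rules firing on one
    host is a stronger lateral-movement signal than any single rule alone."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        grouped[f.host].add(f.rule)
    return dict(grouped)


if __name__ == "__main__":
    for host, rules in rules_by_host(scan(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(sorted(rules))}")
```

Each rule on its own is noisy in an environment where administrators really do use PsExec or WMIC; the per-host grouping in `rules_by_host` is what makes the output actionable, since an Exchange server that shows a PsExec service install, a WMI-spawned shell and encoded PowerShell in the same window deserves a look regardless of how any one of those events is usually explained.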

A researcher explained that victims could recover the files encrypted by the threat group under specific conditions. The encryption scheme uses symmetric key generation when encrypting target devices: PyDCrypt derives a unique key for every infected device based on an MD5 hash. Defenders can reproduce that key derivation if the PyDCrypt sample used in the encryption is recovered and reverse engineered.

Therefore, the Moses Staff group shows no sign of running a more extended or sophisticated operation. Its main plan is to put pressure on Israeli organisations and cause chaos throughout their operations while ensuring the encrypted files are hard to recover.

Analysts claim that the threat group may have links to the BlackShadow or Pay2Key ransomware groups, since their targets and motivations align. Like those groups, Moses Staff is highly active on social media sites, Telegram channels, and data leak sites, which lets it publish stolen information at any time.

For now, analysts still cannot pinpoint where Moses Staff operates from or who sponsors them. Since Moses Staff infiltrates systems through old vulnerabilities for which patches are available, Israeli organisations are urged to update their software to prevent attacks.
