A new politically-motivated hacker group named “Moses Staff” is linked to a wave of attacks targeting Israeli companies since September 2021 with the aim of stealing and leaking sensitive information prior to encrypting their networks.
Check Point Research stated that the group’s motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim’s networks, with no ransom demand.
The hacker group exploits publicly known vulnerabilities to breach enterprise servers and gain initial access. A custom web shell is then developed to drop additional malware. On gaining access, the intruders take advantage of living-off-the-land (LotL) techniques to laterally move across the network and deploy malware to lock the machines behind encryption barriers via a specially-crafted PyDCrypt malware.
The attacks depend on the open-source library DiskCryptor to perform volume encryption, in addition to infecting the systems with a bootloader that prevents them from starting without the correct encryption key.
The hackers aim to disrupt operations and inflict “irreversible damage” to the victims. At least 16 victims have had their data leaked to date.
The encrypted files could be recovered under certain scenarios as the group uses a symmetric key mechanism to generate the encryption keys.
Moses Staff also operates on Twitter and Telegram to publicize their attacks, with malicious activity reported as recently as November 14.
According to the group’s own website, they have targeted over 257 websites and also stole data and documents amounting to 34 terabytes. The online portal also urges outside parties to join them to expose the crimes of the Zionists in occupied Palestine.
The researchers stated that Moses Staff are still active, pushing provocative messages and videos in their social network accounts. As the vulnerabilities exploited in the group’s attacks are not zero days, all victims can protect themselves by immediately patching all publicly-facing systems.