Submitted URL: https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc
CYBER TOUFAN GOES OPRAH MODE, WITH FREE LINUX SYSTEM WIPES OF OVER 100 ORGANISATIONS

Kevin Beaumont · Published in DoublePulsar · 10 min read · 6 days ago
For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They
appeared in November, and they’ve been very busy and very naughty boys. They
actually set up their infrastructure around October, and started owning things
apparently undetected.

They’re not a lame DDoS pretend hacktivist group like NoName057(16) — instead,
they claim to be Palestinian state cyber warriors. (Might they be Iran? Who
cares?) They target orgs with interests in Israel.

They’ve been wiping systems — a lot of them — and dumping stolen data online.

To lay it out, several factors got my attention as unusual:

 * They’re not ransomware or DDoS kids.
 * They’ve compromised a lot of orgs.
 * They’ve caused so much damage that many of the orgs — almost a third, in
   fact — haven’t been able to recover. Some of these are still fully offline
   over a month later, and the wiped victims are a mix of private companies and
   Israeli state government entities.
 * I am tracking 59 orgs where they have released data dumps, and a further 40
   or so who got hit in a mass MSP (Managed Service Provider) wipe.
 * Three of the victims are cybersecurity vendors, and I suspect they may have
   access to another larger infosec vendor that they haven’t disclosed.
 * Data they have published includes a complete server disk image, SSL
   certificates with private keys to a host of domains (which still haven’t been
   revoked and are still in use), SQL and CRM dumps. Even WordPress backups, as
   apparently people build CRMs on WordPress nowadays (I’m old).




THE PRIMARY VICTIMS

> ACE Israel
> Shefa Online
> Israeli National Archive
> Radware
> MAX Security & Intelligence
> Israel Innovation Authority
> Ikea Israel
> Berkshire eSupply
> Keter Group
> ISCAR Ltd
> Homecenter Israel
> Israel Nature and Parks
> The Academic College of Tel Aviv
> Lumenis
> Toyota Israel
> Back2School website of H&O
> Israel Ministry of Health
> SodaStream
> Camel Grinding Wheels
> RESERVED
> Seacret
> Carter’s-Oshkosh Israel
> Hagarin
> H&O Fashion
> Osem-Nestle
> Bermad
> ZapGroup Israel
> Novolog Israel
> Semicom
> kravitz
> Biopet
> GS1 Israel
> Audi Dagan Insurance Agency
> Ministry of Welfare and Social Security
> Scope Metals Group Ltd
> SpaceX
> Brother Israel
> Graf
> Dorot
> CURVER
> Techno-Rezef
> Ta-Supply
> NaanDan
> US TOOLGROUP
> Strauss Group
> Zoko Enterprises
> TEFEN Flow and Dosing Technologies Ltd
> Erco
> Teldor
> SuperPharm
> BConnect Technologies
> Allot Ltd
> Palram Industries Ltd
> Israel Securities Authority
> ICL Industrial
> A.R.I.
> Carolina Lemke
> Maytronics Ltd
> Israel State Payment Gateway

Ones in bold are still offline. This does not include lots of smaller orgs who
got wiped, as the list becomes too long to manage.

Example org, CURVER:



You may notice some tasty ones in there — for example, Allot — who sell TLS
(encryption) interception middleware and safety equipment to telcos, ISPs and,
Cyber Toufan allege, nation states via front companies — where the front company
details themselves are listed. If you google Allot TLS, you’ll get the idea.

Cyber Toufan appear to have been careful with targeting — with all of the
victims, there’s a clear link to Israel and their objective. This isn’t a ‘spray
and pray’ situation, and it looks like quite a lot of work has gone into things.

I’ve seen discussion online that the victims are all customers of Signature-IT —
however, from tracking it is not the whole picture. Many are — but many are not.
A lot of them offer online shops. It is very clear that Signature-IT have been
compromised, however, and are very much involved in what happened:



So what’s happening really?

It’s too early to say exactly what happened, but there are several MSPs in
common involved, and it seems likely there’s some kind of supply chain element —
perhaps with a common DevOps library.

For example, one victim org is Graf on December 16th:



If you try visiting Graf’s website today, 12 days later, you will see the site
is offline but the TLS certificate is via an Israeli company called Joomi:



Cyber Toufan actually posted an animated GIF of themselves inside Joomi’s
Bitbucket account the day before:



Joomi’s Bitbucket repository is not publicly viewable, so clearly Cyber Toufan
got into the chain somehow. Joomi describe themselves as: “Joomi Corporation, a
software company specializing in developing open source systems” and online
searches reveal they are tied into the Magento (online shop) ecosystem. Joomi
are also using *drumroll* Signature-IT for hosting.




WHAT DO THEY DO WHEN THEY GAIN ACCESS?

From looking at victims, Cyber Toufan use Linux, and stay on Linux systems. This
is smart as many orgs have little to no detection on Linux, but have invested in
Windows detection instead.

They do various things, including living off the land. For example, they use the
legit tool shred to delete files in an unrecoverable fashion. They use their own
shell script to run shred, and configure it so it keeps running if an admin
kill -9’s the process. They shred /.

In terms of artefacts, they drop two scripts — initvm.sh (file hash
5accd9e0c215f9d10119ab8c6378e1a848b9f605955aa785f81c4a79ca0d93c0) and deploy.sh.
There is zero AV vendor detection for these scripts, despite them wiping the root
filesystem and evading termination.

Additionally, they may deploy Tor in /var/lib/tor (including just using apt or
yum to install it), and configure the server as a Tor hidden service — this
allows them to retain remote access, as long as outbound traffic is allowed to
Tor. So even if you firewall off all incoming network traffic, if outgoing
traffic is allowed they can still reach back to the server.

They will do light recon on the network for things like backup systems.


WHERE DO THEY DUMP DATA, AND WHAT ELSE DO THEY DO?

They dump data on Telegram. One modern challenge is many of the large hacking
groups nowadays operate in the open on Telegram, in public Telegram groups. I
think people think hackers are in hoodies, hiding everything they do. Not so: in
the space year 2023, people hack with their wangs out, on Telegram.

They also like to email the customers of victims. For example, they email
customers of Signature-IT, Joomi, Radware and Max Security and Intelligence.

Here’s an example email they sent to some customers:



The customer information appears to be lifted from CRM backups (which they also
post online). So if you’re following along, this is about 4 layers into the
compromise. They appear to use the SMTP accounts of the victims to send the
emails, so they’re less likely to get flagged as spam — for example, with one
campaign they used the Sendgrid account of a cybersecurity vendor.

These are not phishing emails — there’s no credential theft or malware — but
they’re lobbying emails. Yes, hacks now lead to *checks notes* war lobbying.
I’ll be honest, I’m not sure what Jennifer from Accounts Payable at a company 4
times removed is going to do about Gaza, but it’s certainly a novel way to raise
awareness.

Additionally, they include everybody in the To: field of the emails rather than
BCC — this encourages a Reply-To-All storm.


WHAT NOW?

Cyber Toufan appear to have stopped for now. They finished with an image of some
data from ecom.gov.il, the Israel State Payment Gateway. It appears Toufan
obtained access around October.





LESSONS TO BE LEARNT

 * Monitor Linux systems, both anti-malware and EDR (endpoint detection and
   response). For example, you should have use cases to detect Tor being
   installed or used — along with shred being executed.
 * Control outbound network connectivity from Linux. For example, your Linux
   boxes shouldn’t be reaching outbound to Tor nodes.
 * Look for abnormally large volumes of network traffic from hosts.
 * Invalidate stolen TLS certificates and move to fresh ones.
 * Risk assess your MSPs. Your MSPs are risky during times of war. They are
   single points of hacking. If your MSP gets compromised, you may find people
   reaching out to you or your customers and you may find yourself without
   backups and service.
 * You may want to manage your own additional backups of the services your MSPs
   provide during heightened risks.
 * There is an incredible lack of knowledge in the cybersecurity industry around
   what happened here, despite it being a fairly big, ongoing incident involving
   over 100 organisations, including multiple areas of the Israeli government —
   hence me writing this blog. That seems odd.
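As an added example (not the post’s own code, and not Cyber Toufan’s tooling), here are the detection use cases from the lessons above and the tradecraft section earlier written as rules over constructed auditd and syslog-style lines. The log formats, the Tor port numbers and the rule names are assumptions made for illustration; adapt them to your own logging.

```python
import re

# Detection use cases for the Linux tradecraft described above: shred run
# against / or a system directory, Tor pulled in through the package manager,
# a hidden-service directory under /var/lib/tor, outbound traffic to Tor's
# default relay ports, and the two dropped script names from the post.
# The patterns target auditd EXECVE records and syslog-style lines; they are
# illustrative assumptions and must be adapted to your own log formats.
RULES = {
    "shred_root_or_system_path": re.compile(
        r'a0="shred".*a\d+="/(?:etc|boot|var/lib|usr|lib)?(?:/[^"]*)?"'),
    "tor_package_install": re.compile(
        r'a0="(?:apt|apt-get|yum|dnf)".*a\d+="install".*a\d+="tor"'),
    "tor_hidden_service": re.compile(r"/var/lib/tor|HiddenService(?:Dir|Port)"),
    # 9001/9030 are only Tor's defaults; relays on 443 need a relay/exit list.
    "outbound_tor_port": re.compile(r"OUTBOUND.*DPT=(?:9001|9030)\b"),
    # deploy.sh is a common name, so this is context rather than a verdict.
    "dropped_script_name": re.compile(r"\b(?:initvm|deploy)\.sh\b"),
}
HIGH = {"shred_root_or_system_path", "tor_hidden_service"}


def scan(lines):
    """Return (rule, severity, line) for every rule that fires on each line."""
    hits = []
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, "high" if name in HIGH else "medium", line))
    return hits


# Constructed sample log lines, not output from any real host.
SAMPLE_LOGS = [
    'type=EXECVE msg=audit(1702742400.100:1001): argc=4 a0="shred" a1="-n" a2="1" a3="/"',
    'type=EXECVE msg=audit(1702742400.101:1002): argc=3 a0="apt" a1="install" a2="tor"',
    "Dec 16 10:00:01 web01 tor[2311]: Configuring hidden service dir /var/lib/tor/hs/",
    "Dec 16 10:00:02 web01 kernel: OUTBOUND SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=9001",
    'type=EXECVE msg=audit(1702742500.000:1003): argc=2 a0="shred" a1="/tmp/notes.txt"',
    "Dec 16 10:05:00 web01 sshd[2400]: Accepted publickey for admin from 10.0.0.9",
    'type=EXECVE msg=audit(1702742600.000:1004): argc=2 a0="/bin/bash" a1="/tmp/initvm.sh"',
]

if __name__ == "__main__":
    for rule, severity, line in scan(SAMPLE_LOGS):
        print(f"[{severity:6}] {rule}: {line}")
```

The single-file shred of /tmp/notes.txt and the SSH login deliberately produce no hit, so the rules separate routine admin use of shred from wiping the root filesystem.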

Stay safe.

~g

Update 29th December 2023: I have confirmed the latest email that Cyber Toufan
sent to security and infrastructure people, titled “Warning | The Cost of
Complicity”, sent with the from address intel@max-security.com, was indeed sent
to people in Radware’s customer and sales database, as Cyber Toufan had claimed.
The sending SMTP email server is from Max Security — both security companies had
a breach.

Update 30th December 2023: Cyber Toufan are still active and breaching orgs.
They have emailed the customers of PTS — Production Tool Supply aka
pts-tools.com, a Berkshire Hathaway company, the following message:

> Dear Customers,
> 
> These are the hackers speaking. Yes, the ones responsible for wiping out and
> obtaining all the data of PTS Tools almost two months ago. PTS Tools sent out
> an email about the incident two weeks ago, trying to slither their way out of
> responsibility, and claiming that their systems weren’t truly compromised. We
> thought we’d set the record straight ourselves, and come to you from their
> very own mailing systems.
> 
> PTS Tools claims we only compromised a third-party, and that we don’t have all
> of their clients’ data. That is far from the truth. We have 100s of GBs of
> client data, including all customer details, orders, and shipments ever
> handled by PTS Tools. It is either that PTS Tools knows we have all this data,
> in which case they are unashamedly lying to you, or they are still clueless to
> the scale of the compromise. We will let you decide which is worse.
> 
> Okay, we understand why you wiped out the Israeli National Archive, the State
> Payment Gateway, Ikea Israel, Toyota Israel, the Israeli cyber security firms
> Radware and MAX Security & Intelligence, as well as hundreds of other Israeli
> companies. But why did you choose to wipe out the servers and databases of PTS
> Tools, Berkshire E-Supply, IMC, and ISCAR (and their backups)?
> 
> The answer is quite simple. Every single one of these companies either has a
> large office/HQ in Israel, or has chosen to sign huge financial contracts with
> Israeli entities. Doing business with Israel is complicity in the crimes it is
> currently committing, including the cold blooded murder of over 9,000 of our
> children. 9,000 dead children is equivalent to the death toll of three 9/11’s,
> except every dead body is that of a lifeless infant or child.
> 
> Let it be clear: There will be no mercy for the complicit. Any organisation or
> entity that chooses to support those occupying our land and killing our
> children, whether financially, politically, or through any other means, is
> choosing to put themselves in the line of fire. Let this be a warning, and let
> PTS Tools and Berkshire E-Supply (which is still down almost two months later)
> be a lesson for those that wish not to entangle their businesses in the murder
> of our children and the destruction of their companies.
> 
> Indeed, any entity that chooses to continue in their complicity will certainly
> pay the price of complicity in the killing of our children.

PTS themselves had previously emailed customers about a “cyber-attack” in
November:



Update 31st December 2023: Berkshire eSupply have filed a data breach
notification in Maine:



Update 1st January 2024: Berkshire eSupply’s attachment to the Maine Attorney
General in their data breach notification claims:



It goes on to say “Although data stored in our information systems was not
accessed, and even though we were not directly involved in this incident, we
continue to monitor this incident and its effect on our customer community.”

To be clear, Berkshire eSupply’s own customer information, including addresses
and such, was lost in the breach and is still publicly available on Cyber
Toufan’s Telegram channel to this day, in plain text — and the way Berkshire
eSupply are opting to deal with the issue is to wordsmith it to the Attorney
General.
