Previously unknown malware from the Iranian group Agonizing Serpens wipes Israeli networks

Lord777

Israel's education sector and IT companies may lose their confidential data forever.

Israel's higher education and technology sector has been hit by a series of destructive cyberattacks since January 2023, carried out with previously unknown data-wiping malware. According to a report by Palo Alto Networks Unit 42, the attacks, the most recent in October, were aimed at stealing sensitive data, including personal information and intellectual property, before destroying it.

The Iranian group Agonizing Serpens used several wipers to remove traces and disable infected endpoints. The malware includes three new wipers, MultiLayer, PartialWasher and BFG Agonizer, as well as a purpose-built tool, Sqlextractor, for pulling information out of database servers and collecting confidential data such as identification numbers, passport scans, email addresses and home addresses. The tools the group uses are described as follows:
  • MultiLayer is a .NET-based malicious program that enumerates files to delete or overwrites them with random data to defeat recovery attempts, and renders the system unusable by clearing the boot sector.
  • PartialWasher is C++-based malware designed to scan disks and wipe specified folders.
  • BFG Agonizer is malware that relies heavily on the open-source ransomware project CRYLINE-v5.0.

The Agonizing Serpens group (Agrius, BlackShadow and Pink Sandstorm) has been active since December 2020 and is linked to attacks on Israeli targets. In May, Check Point detailed the Agrius group's use of the Moneybird ransomware program in its attacks on the country.

In recent attacks, the attackers used vulnerable web servers for initial access, deploying web shells, reconnoitring victims' networks, and stealing user credentials with administrative privileges. This was followed by lateral movement and data exfiltration using various tools, including Sqlextractor, WinSCP and PuTTY, and finally by delivery of the wiper malware.

Given these developments, Unit 42 researchers believe that the Agonizing Serpens group has significantly improved its capabilities and is making considerable efforts to evade intrusion detection and other security controls, including through the combined use of well-known tools and custom-built ones.