Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Wiper Targets Israeli Servers
As expected, the conflict in the Middle East continues to spill over into cyberspace, with a likely pro-Hamas hacktivist group now distributing malware which targets Linux systems in Israel.
Security Joes Incident Response Team, who volunteered to perform incident response forensics for Israeli companies, have discovered a new wiper targeting Linux systems in Israel. Dubbed BiBi-Linux because the string "Bibi" (a nickname referring to Israeli PM Netanyahu) is hardcoded in both the binary and the renamed files it overwrites, the program superficially looks like ransomware but makes no attempt to exfiltrate data to a C2 server, does not leave a ransom note, and does not use a reversible encryption algorithm. Instead, it simply overwrites every files with random data, renaming it with a random name and an extension that starts with "Bibi".
The software is designed for maximum efficiency, written in C/C++ and compiled to a 64-bit ELF executable, and it makes use of multithreading to overwrite as many files as quickly as possible. It is also very chatty, continuously printing details of its progress to the console, so the attackers simply invoke it at the command line using the nohup command to intercept SIGHUP signals and redirect its output to /dev/null, allowing them to detach the console and leave it running in the background.
Command-line arguments allow it to target specific folders, but it defaults to starting in the root directory, and if executed with root privileges, it would delete the entire system, with exception of a few filetypes it will skip, such as .out and .so, which it relies upon for its own execution (the binary is itself named bibi-linux.out).
Interestingly, this particular binary is recognized by only a few detectors on VirusTotal, and does not seem to have previously been analyzed.
The use of wipers is not uncommon in nation-state conflicts - NotPetya, for example, was not reversible even though it pretended to be - and Russia has continued to deploy many wipers against Ukrainian targets.
Given the use of "Bibi" in naming, and the targeting of Israeli companies, this malware was likely produced by a Hamas-affiliated hacktivist group. They would not be the only one; Sekoia last week detailed the operations of AridViper (also known as APT C-23, MoleRATs, Gaza Cyber Gang and Desert Falcon), another threat actor believed to be associated with Hamas.
Arid Viper seems to have been active since at least 2012, with first reporting on their activities in 2015 by Trend Micro, and they have been observed delivering data-exfiltration malware for Windows, iOS and Android via malmails to targets in Israel and the Middle East. Since 2020, Arid Viper has been using the PyMICROPSIA trojan and Arid Gopher backdoor, although earlier this month ESET reported the discovery of a new Rust-based backdoor called Rusty Viper, which suggests they are continuing to sharpen their tools.
Sekoia has done a deep dive on Arid Viper's C2 infrastructure as well as the victimology of their targets, who extend across both the Israeli and Arab worlds.
Security Joes, BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group, blog post, 30 October 2023. Available online at https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group.
Sekoia Threat & Detection Research Team, AridViper, an intrusion set allegedly associated with Hamas, blog post, 26 October 2023. Available online at https://blog.sekoia.io/aridviper-an-intrusion-set-allegedly-associated-with-hamas/.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.