Conversation

Notices

  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 09-Oct-2024 06:04:14 JST

    Handala's latest is a dump allegedly of Ron Prosor's emails, who they originally mentioned 8 days ago.

    50k emails, again looks like a personal email account. #threatintel #handala

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 26-May-2024 18:45:42 JST

      Some ‘free Palestine’ hacktivist style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 19-Sep-2024 18:21:59 JST

      Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied Xray machines which didn’t detect said batteries.

      They claim they will be releasing 6tb of data for IIB and 8tb of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.

      #threatintel #handala

    • uzayran (uzayran@cyberplace.social)'s status on Thursday, 19-Sep-2024 19:08:28 JST

      @GossiTheDog If this is true that means we have backdoors in the X-Ray machines in 86% of all air- and seaports? And Israel risked exposing that for a local terror attack? That is insane.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 19-Sep-2024 22:34:36 JST

      Wrote up the Handala Hack Team thing while on lunch as it was too nuts not to. https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd

    • ISO8601 (iso8601@cyberplace.social)'s status on Thursday, 19-Sep-2024 22:44:24 JST

      @GossiTheDog Ehm.... the Vidisco thing could potentially be a Big Problem, for <reasons>

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 19-Sep-2024 22:46:33 JST

      Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior, they're back on a different username.

    • Marcus Hutchins :verified: (malwaretech@infosec.exchange)'s status on Friday, 20-Sep-2024 07:12:08 JST

      @GossiTheDog Have you or anyone looked at the data yet? I'm interested to hear more

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 20-Sep-2024 18:02:27 JST

      Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.

      Post contains reference to Hodhod drones, which is an Iranian UAV.

    • Eleanor Saitta (dymaxion@infosec.exchange)'s status on Saturday, 21-Sep-2024 02:46:57 JST

      @GossiTheDog
      Post the link?

    • Eleanor Saitta (dymaxion@infosec.exchange)'s status on Saturday, 21-Sep-2024 02:52:43 JST

      @GossiTheDog
      The xcode project

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 21-Sep-2024 03:15:30 JST

      The latest on the Handala Hack Team situation with Vidisco and Israeli Industrial Batteries (IIB) breach claims is that the file sharing site hosting the downloads says they have received DMCA complaints.

      So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 24-Sep-2024 03:43:53 JST

      I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.

      tl;dr: They are owned.

      https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd

      #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 24-Sep-2024 03:49:11 JST

      Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 24-Sep-2024 04:26:25 JST

      Handala are currently up on https://t.me/Handala_backup on Telegram.

      Comes complete with a 1 minute data dump announcement video with reasonable production quality.

      There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 24-Sep-2024 20:59:15 JST

      Handala are now going after Israeli politician Gabi Ashkenazi.

      I think what they’re doing is compromising personal cloud accounts. #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 25-Sep-2024 00:05:29 JST

      The journalist looking at Handala Hack Team has been told to stop looking at it.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 25-Sep-2024 01:50:31 JST

      Handala say they plan to post 2k photos from Benny Gantz’ phone in response to rocket attacks. I think my theory they’re targeting Israeli politicians’ cloud accounts is looking more likely. #threatintel

    • dm (_dm@infosec.exchange)'s status on Wednesday, 25-Sep-2024 03:58:39 JST

      @GossiTheDog I don't mean to be dumb, but how would an X-ray scanner backdoor work? Like, how would an object being scanned trigger the backdoor?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 02:54:31 JST

      Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 03:10:07 JST

      If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel

    • VessOnSecurity (bontchev@infosec.exchange)'s status on Thursday, 26-Sep-2024 03:48:05 JST

      @GossiTheDog This from Telegram again? How many times have they been kicked out of there?

    • drunkenjohn (drunkenjohn@cyberplace.social)'s status on Thursday, 26-Sep-2024 03:58:14 JST

      @GossiTheDog Opsec includes not leaving out glaring omissions from your coverage. Focusing only on when Russia or China does bad tells....a story.

    • Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Thursday, 26-Sep-2024 04:51:00 JST

      @GossiTheDog @bontchev Shouldn't it be possible to report that Telegram group? How come they get on again? I mean, their actions may be full of good intentions, but Telegram's TOS do not allow such sort of public groups/channels

    • Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Thursday, 26-Sep-2024 04:56:21 JST

      @GossiTheDog @bontchev should have been improved since some days due to the "french kiss" 😅, Pavel tells there are special groups of moderators on particular arguments, TOS have been improved, and most important, now they do disclose data to law enforcement. https://t.me/durov/345

    • Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Thursday, 26-Sep-2024 05:34:16 JST

      @GossiTheDog @bontchev well, he's technically still under arrest, he can't leave Fr so he's just enjoying the stay LOL, but give him time, he'll fix everything

    • CryptoLek (cryptolek@infosec.exchange)'s status on Thursday, 26-Sep-2024 20:06:27 JST

      @GossiTheDog Handala just dumped 60K emails allegedly from Gabriel Ashkenazi's gmail account. It comes in 2 archived parts

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Sep-2024 20:06:02 JST

      Handala Hack Team are very annoyed #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 29-Sep-2024 07:16:24 JST

      Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true.. although the document leaks haven’t resembled all of their claims about the contents to the best of my knowledge.

      They also claim journalists in Israel have been told not to cover Handala, which I believe has foundation.

      #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 29-Sep-2024 07:18:46 JST

      The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handela

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 29-Sep-2024 07:28:23 JST

      They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handela

    • bt444 (bt444@mstdn.social)'s status on Sunday, 29-Sep-2024 07:29:01 JST

      @GossiTheDog Iran did it. source: trust me bro

    • Ravi Nayyar (ravirockks@infosec.exchange)'s status on Sunday, 29-Sep-2024 07:30:03 JST

      @GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?

    • Alex (alex02@cyberplace.social)'s status on Sunday, 29-Sep-2024 10:57:21 JST

      @GossiTheDog I've been busy with other projects and school...

    • Paul Shread (pshread@masto.ai)'s status on Tuesday, 01-Oct-2024 04:29:49 JST

      @GossiTheDog Any confirmation on the Vidisco backdoor claims?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 01-Oct-2024 16:33:51 JST

      Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next #threatintel #handela

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Oct-2024 07:14:26 JST

      Handala claim to have taken Bezeq offline. Fact check with @netblocks

      #threatintel #handela

    • Isik Mater :BlobHajMlem: (isik5@mastodon.social)'s status on Wednesday, 02-Oct-2024 07:43:21 JST

      @GossiTheDog @netblocks There are indications of very slight impact to Bezeq but, assuming this is Handala, it hasn’t knocked out the network to the extent of previous attacks.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Oct-2024 07:46:18 JST

      Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, eg system wiping. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Oct-2024 18:41:19 JST

      Today Handala have a dump of 110k emails from/to former Israel PM. Emails are again collected from a personal email account. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Oct-2024 18:45:48 JST

      Israel PM office has acknowledged they are dealing with an incident at Soreq referenced above, but no safety impact. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Oct-2024 06:21:58 JST

      Handala are saying they’ve sent 1 million messages, whatever that means. Anybody in Israel got any strange texts? #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Oct-2024 06:29:13 JST

      Crap web defacement of Haderi Haredim sites #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 04-Oct-2024 00:24:31 JST

      Handala have posted an Iranian propaganda video, with “Great News For Shin Bet On The Way” #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 04-Oct-2024 04:32:31 JST

      Handala claims to have performed a supply chain attack on Shin Bet, the Israel Security Agency, they say allowing them to install software on managed mobile phones.

      The photos provided appear to show access to some kind of Mobile Device Management platform. They also provided a data dump.

      #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 04-Oct-2024 04:55:53 JST

      In the screenshots as evidence, one shows a phone screenshot using Maps - at a Kosher bar in Hackney in London.

      Additionally, the screenshot of the list of devices almost all have ‘test’ in the device name. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 04-Oct-2024 08:13:13 JST

      The Handala claim of hacking Shin Bet mobiles via a supply chain hack does not appear to stack up.

      They appear to have used material from NativCell, who provide internet filtering and management for Haredim (strictly Orthodox).

      It’s part of a pattern with Handala where they take some access and spin it to mean something it doesn’t. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 06-Oct-2024 17:38:39 JST

      Handala claim to have done a hack and wipe of MaxShop, a point of sale vendor in Israel.

      I have confirmed their website was defaced and has been taken offline. https://maxshop.co.il #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 00:00:49 JST

      MaxShop’s website is still offline. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 01:32:24 JST

      Handala have posted 300gb of what they claim is IBB - Israel Industrial Batteries - internal data.

      Previously they claimed they had access, but hadn’t provided proof.

      #handala #threatintel

    • Alex (alex02@cyberplace.social)'s status on Monday, 07-Oct-2024 01:40:10 JST

      @GossiTheDog probably full of shit.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 06:31:13 JST

      MaxShop’s website has changed to a Plesk default site. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 18:16:19 JST

      Handala have done a defacement of Silver Shadow, a small exporter of licensed firearms.

      https://silver-shadow.com/

      #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 19:51:52 JST

      Silver Shadow’s website has gone offline, displaying a WordPress error page. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 21:52:08 JST

      MaxShop’s website is back online. Contains no reference to what happened. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 07-Oct-2024 22:42:51 JST

      Silver Shadow’s website is back online. Makes no reference to what happened. #handala #threatintel

    • Random_Seed :apple_inc: 💾 🇿🇦 (random_seed@bitbang.social)'s status on Tuesday, 08-Oct-2024 01:12:44 JST

      @GossiTheDog defacing a website is one thing, claiming an extensive data breach is another. Did they in fact compromise their systems?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 08-Oct-2024 02:42:39 JST

      Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran.

      Contains the usual, a picture dump - so far no email dump. #handala #threatintel

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 10-Oct-2024 18:46:40 JST

      Handala’s latest dump is of a podcasting platform called Doscast. Email addresses and encrypted passwords. #threatintel #handala

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 13-Oct-2024 20:54:24 JST

      Handala claim they used a MaxShop SMS account to send 5 million messages. Their screenshot and my translated version below. #threatintel #handala

    • ericshmeric (ericshmeric@cyberplace.social)'s status on Friday, 18-Oct-2024 06:25:15 JST

      @GossiTheDog A friend in .il said his network was hit with this wiper last week. MO seems similar to Handala's. He said the trigger was the same email from ESET and payload hosted on their infra too.

      https://forum.eset.com/topic/42733-government-backed-attackers-may-be-trying-to-compromise-your-device-email/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 26-Oct-2024 12:08:15 JST

      Obviously, Handala are awake. #threatintel #handala

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 26-Oct-2024 18:15:29 JST

      Handala have deleted their previous message and replaced it with this. #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/372/961/731/859/624/original/44a443e98b4d8b83.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 27-Oct-2024 01:33:24 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim they are doing an “ultra big wipe” #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/374/683/770/428/089/original/02416f2e8832f352.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 27-Oct-2024 19:08:42 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have hacked and wiped 74 servers at AGAS - https://www.agas.co.il - an Israeli MSP, MSSP and cloud reseller.

      I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.

      I’ve reached out to AGAS to see if they want to comment.

      #threatintel #handala

      In conversation about 7 months ago permalink
    • Embed this notice
      meriksson (meriksson@swecyb.com)'s status on Sunday, 27-Oct-2024 19:23:04 JST meriksson meriksson
      in reply to

      @GossiTheDog Depends on what type of servers I imagine.

      74 Windows servers with some normal stuff, not that big.

      74 ESX hosts holding thousands and thousands of VMs, slightly bigger of a deal.

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 29-Oct-2024 02:56:15 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have released 10gb of customer data for AGAS.

      It does appear AGAS has a security incident going on. AGAS declined to comment when asked.

      #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/386/334/077/826/559/original/266bff870394e37f.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 30-Oct-2024 20:54:34 JST Kevin Beaumont Kevin Beaumont
      in reply to

      AGAS have confirmed to me they are dealing with a cyber incident from Handala. #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/396/236/378/359/364/original/80ab0fc57e9bed0a.jpeg

      2. https://cyberplace.social/system/media_attachments/files/113/396/236/648/130/940/original/e8dc283957990b69.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 30-Oct-2024 23:15:07 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala have been banned from TikTok, one day after joining. #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/396/789/253/282/481/original/0640630c12971640.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 30-Oct-2024 23:22:42 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala say they have hacked and dumped IM Cannabis aka IMC - https://imcannabis.com/ - using their access via AGAS, their MSP.

      They also implicate another company, NDN Security - https://www.ndn-security.com/

      #threatintel #handala

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/396/818/916/619/506/original/a0e6b11e4a896156.jpeg

      2. https://cyberplace.social/system/media_attachments/files/113/396/819/169/725/606/original/3e1efa191aa44e71.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 16:33:41 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claims to have done a leak and wipe of Elad municipality.

      Elad's website is offline, and there's an Israeli media report of some kind of cyber incident.

      Handala typically over exaggerate data volumes exfiltrated.

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/423/516/504/330/460/original/62f7eece3d64d856.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 05-Nov-2024 18:46:02 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala are again claiming to have hacked Soreq, the nuclear safety org. I have in the past confirmed Soreq had a cybersecurity incident related to Handala, via the International Atomic Agency. #Handala #threatintel

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/429/704/995/136/029/original/4a36151ac649873d.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Nov-2024 17:16:21 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala have posted photos and internal diagrams of, they claim, Shimon Peres Negev Nuclear Research Center.

      The data appears to have come from Soreq. I have confirmed Soreq was owned, via the IAEA.

      #Handala #threatintel

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/435/014/752/249/348/original/c9e51635e0f6dcad.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Nov-2024 06:02:55 JST Kevin Beaumont Kevin Beaumont
      in reply to

      A few things have happened with Handala over the past few days which I haven’t covered - they’ve been dumping cloud backup photos and making threats, including about family members. I didn’t want to cover it.

      All but one of the Handala Telegram channels has been shut down tonight.

      #Handala #threatintel

      In conversation about 6 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 24-Nov-2024 01:08:48 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala continues to be crazy town, with data dumps of what is alleged to be SSV Network, a blockchain company.

      Handala claim they can link it (SSV Network) to Unit 8200, the Israeli intelligence agency. So far this appears to be without proof.

      I’m going to guess, based on this post, they plan to post more tomorrow about Unit 8200.

      #Handala #threatintel

      In conversation about 6 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/533/131/162/556/573/original/a849167751e31524.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 24-Nov-2024 20:19:56 JST Kevin Beaumont Kevin Beaumont
      in reply to

      So with the Unit 8200 stuff and Handala, their latest claim is they gained access to Silicom Limited (an IT services and networking company) and exfiltrated data, and that Silicom is a front company for Unit 8200.

      Presented evidence includes a video accessing an internal VMware vCenter cluster with about 50tb of storage.

      #Handala #threatintel

      In conversation about 6 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/537/658/133/020/583/original/a67877ec57281ff5.jpeg
    • Embed this notice
      Sig. Ug. (sig_ug@infosec.exchange)'s status on Sunday, 24-Nov-2024 22:42:29 JST Sig. Ug. Sig. Ug.
      in reply to

      @GossiTheDog Do you have an opinion on whether deplatforming would dampen activity by this and similar groups? If they didn't have their Telegram channel or similar account to brag about their hacks, would they continue at the same rate?

      In conversation about 6 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 26-Nov-2024 22:04:36 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to be inside the Silicom incident response process, and that they’ve wiped 300 systems. #Handala #threatintel

      In conversation about 6 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/549/394/422/891/196/original/a93c110ee3ca82ac.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 26-Nov-2024 22:08:31 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Btw the Silicom thing is interesting - Silicom sell OEMs networking kit and cards inside servers, which are rebranded on sale, i.e. people see their products as another company's. The Handala claim is that Silicom is a Unit 8200 (Israeli signals intelligence) front company, for onward access. #Handala #threatintel

      In conversation about 6 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 01-Dec-2024 19:06:15 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala are one year old today. They are billing next week “destructive week”. #Handala #threatintel

      In conversation about 6 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/577/004/555/612/502/original/853183ff9a78ec8d.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 01-Dec-2024 19:22:29 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Masoumeh Karbasi & Reza Avazeh were killed in a drone strike in Lebanon in October. As far as I can see nobody knew why publicly, Handala’s linking Reza to Hezbollah and their cybersecurity appears to be a first.

      His children were invited to meet ‘Supreme Leader of the Islamic Revolution’ that week. https://farsi.khamenei.ir/news-content?id=58050

      #Handala #threatintel

      In conversation about 6 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 12-Dec-2024 21:56:04 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala say they plan their most destructive hack so far this weekend, over the fate of Reza Avazeh

      There’s even a video, but sadly no hoodie wearing hackers

      #Handala #threatintel

      In conversation about 5 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 15-Dec-2024 21:08:21 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have gained access to CaaB Cloud (https://caab.cloud), aka Cloud as a Business, posting a video of administrator access. CAAB Cloud describe themselves as “The MSP’s Cloud” in marketing.

      CAAB Cloud is owned and operated by GNS in Israel, aka https://gns.cloud

      It is unclear if the claims are credible. CaaB’s status page suggests a ~10% availability impact in one of their Israeli datacenters three days ago on cloud VM. https://status.caab.cloud

      #Handala #threatintel

      In conversation about 5 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 17-Dec-2024 19:15:15 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala suggests they got access to Ehud Barak’s iPad using a BYOD management profile. #Handala #threatintel

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/667/636/929/686/599/original/4b9a0ecbb5edb7b4.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 22-Dec-2024 22:40:17 JST Kevin Beaumont Kevin Beaumont
      in reply to

      A bit on the nose writing 🤣 #Handala #threatintel

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/696/754/795/494/656/original/2c57250d10d3e055.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Dec-2024 01:22:23 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala have gained access to Reutone, a SaaS CRM supplier, and forward phished customers with a Trojan. Write up later. #Handala #threatintel

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/714/379/671/172/668/original/1784ba4158819627.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 27-Dec-2024 23:52:38 JST Kevin Beaumont Kevin Beaumont
      in reply to

      I wrote up the Handala attack on ReutOne, includes the first IoCs on Handala's Python trojan

      https://doublepulsar.com/handala-attempts-a-supply-chain-hack-via-reutone-001aa3cc684f

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Dec-2024 08:23:08 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala has also defaced ReutOne’s website, and published videos of RDP access to ReutOne’s internal network, eg Active Directory Certificate Authority etc. https://web.archive.org/web/20241226141650/https://www.reutone.com/

      #threatintel #Handala

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/727/358/780/374/159/original/b34e73d8eee24d69.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 30-Dec-2024 22:49:23 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim they hacked Allen Carr's Easyway via ReutOne.

      Two points:

      a) I legit thought they had hacked UK national treasure Alan Carr for a moment

      2) "reportedly", lol. ChatGPT doing overtime for Handala.

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/742/077/949/601/114/original/b843ff0f27cd0a4a.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 30-Dec-2024 22:50:47 JST Kevin Beaumont Kevin Beaumont
      in reply to

      The '100K messages sent' thing is a reference to Handala abusing WhatsApp Business accounts, my English translation of message they've been sending.

      #handala #threatintel

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/742/094/623/949/249/original/7b82a9f71a53b6e1.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 20-Jan-2025 15:43:25 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim they will be wiping Mossad’s financial network today. Also, they appear to have purchased ChatGPT premium.

      #handala #threatintel

      In conversation about 4 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 20-Jan-2025 15:44:44 JST Kevin Beaumont Kevin Beaumont
      in reply to

      One note, they fully respected the dates of the ceasefire last time but apparently aren’t bothered this time? #handala #threatintel

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 20-Jan-2025 17:19:15 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have done a hack and wipe of Zuk Group, an Israeli group of financial companies. Their website has been defaced as of writing.

      Handala posted a series of videos appearing to show access to their internal network.

      Handala also claim the company is a front for Mossad. They offer no evidence of that bit.

      #handala #threatintel

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/859/699/852/352/685/original/1d8bb138a40f07bf.png
    • Embed this notice
      commenter (commenter@cyberplace.social)'s status on Wednesday, 22-Jan-2025 22:56:51 JST commenter commenter
      in reply to

      @GossiTheDog

      Yes Cyber Toufan paused during ceasefire.

      But you missed this one:

      https://www.jpost.com/israel-news/article-838245

      https://t.me/CyberSecurityIL/6421
      https://t.me/CyberSecurityIL/6422
      https://t.me/CyberSecurityIL/6423
      https://t.me/CyberSecurityIL/6424

      I'm 100% sure it was Cyber Toufan...

      Both groups seem to be politically motivated but some people mixed attribution between Handala and Cyber Toufan, we watched them closely.

      In conversation about 4 months ago permalink

      Attachments

      1. Cyber News 🛡 - Erez Dasa
        Two small updates: 1. I'm receiving reports of faults at various communications providers affecting websites in Israel. As far as I know, this is currently a fault. 2. I'm receiving reports from you about printers in organizations printing pages with Hamas messages (again). Make sure your printers are not exposed to the internet, etc.
      2. Cyber News 🛡 - Erez Dasa
        Note: it appears this is not just printing but a broader attack. I'm receiving reports from you of files corrupted in organizations, desktop backgrounds changed, and more. I don't yet know for certain what the entry vector is; at this stage I have received one hash that I can share: C316C600E82B91ECE48EF74615F121DE5E05B79A
      3. Cyber News 🛡 - Erez Dasa
        Attaching the SHA256 of the malicious file. 8cefad76c013e714c5cd8cff549b8c092ab2c9aa62ec9f22d2edf0e2c3cfdb9f Link to Virustotal - here. Note the file's creation date - 7.10.23. https://t.me/CyberSecurityIL/6424
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 23-Jan-2025 16:42:23 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala got booted off Telegram after the Zuk Group hack.

      They’re back on another channel and posted:

      “وَ كَمْ قَصَمْنا مِنْ قَرْيَةٍ كانَتْ ظالِمَةً ... بَلْ نَقْذِفُ بِالْحَقِّ عَلَى الْباطِلِ فَيَدْمَغُهُ فَإِذا هُوَ زاهِقٌ ...”

      Which translates to

      “How many a city have We destroyed which was unjust... Rather, We cast the truth upon falsehood, and it destroys it, and at once it departs...”

      #handala #threatintel

      In conversation about 4 months ago permalink
    • Embed this notice
      Dr. Christopher Kunz (christopherkunz@chaos.social)'s status on Thursday, 23-Jan-2025 17:01:51 JST Dr. Christopher Kunz Dr. Christopher Kunz
      in reply to

      @GossiTheDog As to be expected, that's from the Qur'an. Surah al-Anbiya, verse 11-12

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 26-Jan-2025 19:02:31 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have hacked the Ministry of National Security in Israel, activated red alert to get people into shelters, closed the doors, then played a song and wiped the system.

      Very unclear how widespread or credible this is, although some Israeli social media posts show devices going off and playing songs.

      #handala #threatintel

      In conversation about 4 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 26-Jan-2025 19:07:25 JST Kevin Beaumont Kevin Beaumont
      in reply to

      They also claim they have hacked Israeli police pagers and are broadcasting song on them, claim to have taken security ID information and delivery certificates for weapons. #handala #threatintel

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 26-Jan-2025 19:51:34 JST Kevin Beaumont Kevin Beaumont
      in reply to

      There’s some coverage in Israeli media suggesting a focus on schools, with Israeli authorities acknowledging the incidents.
      https://www.mivzaklive.co.il/archives/879473

      https://www.inn.co.il/news/659713

      #handala #threatintel

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/894/271/774/844/793/original/54d5832442ecee36.jpeg

      2. https://cyberplace.social/system/media_attachments/files/113/894/272/030/837/218/original/327c229dbc40b225.jpeg

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 02-Feb-2025 19:49:39 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala claim to have done a hack and wipe of Tosaf, a plastics manufacturer.

      Screenshots show apparent Windows domain admin access, and they attach CCTV videos of themselves playing songs into a factory and an office, with workers looking confused.

      #handala #threatintel

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/933/901/433/343/468/original/7f2a173f5e802465.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 02:34:43 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Handala have been fully kicked off Telegram, including their backup channel.

      Achievement unlocked as I can't remember a group ever getting fully booted.

      #threatintel #handala

      In conversation about 3 months ago permalink


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.