With a war raging between Hamas and Israel, a parallel war is also being waged in cyberspace, and it continues to unfold.
As soon as the first gruesome attack took place on the 7th of October 2023, cybersecurity experts began observing multiple threat actors launching cyber attacks against Israeli warning systems. One of these was a distributed denial of service (DDoS) campaign.
Just over one week into the conflict, Cloudflare researchers wrote about a spoofed version of an app that Israelis use extensively to receive warnings of incoming rocket attacks. Such a tool matters given that over 5,000 rockets have been fired into Israel since the conflict started.
Cloudforce One’s Threat Operations Team also found a website hosting a malicious version of the app:
“Red Alert – Rocket Alerts App is an open-source mobile tool created by Elad Nava which delivers timely and precise alerts about incoming airstrikes”
This was written in a report by researchers Blake Darche, Armen Boursalian and Javier Castro, who went on to write:
“Many people that live in Israel rely on these alerts in order to find safety, especially now with the escalations that are happening in the region.”
Big Problem With The Smallest Of Changes
In this domain impersonation campaign, the malicious site carried an advertisement luring users into downloading the RedAlert app.
The difference between the threat actor’s site and the legitimate one is easy to miss: it comes down to a single letter.
The malicious site is redalerts[.]me, whereas the legitimate site is redalert[.]me. More worrying still, the threat actor was able to deliver a malicious, modified build of the open-source code to the app’s user base.
The malicious site linked to both iPhone and Android versions of the app. The Apple App Store link led to a legitimate version of the app, whereas those who clicked the Android link to the app hosted on the Play Store had their devices infected with malware.
The researchers wrote:
“The malicious RedAlert version imitates the legitimate rocket alert application but also collects sensitive user data. Additional permissions requested by the malicious app include access to one’s contacts, call logs, SMS, account information as well as an overview of all the installed apps on one’s phone.”
The stolen data is then passed through a connector class written by the threat actor, which encrypts the data and uploads it to a web server.
The app also uses several anti-analysis tactics to avoid detection: it checks whether it is being debugged or driven by an automated test user (known as a “monkey”), and it looks for particular files and identifiers to determine whether it is running in an emulated environment.
Remove the Malicious App As Soon As Possible
The malicious website, launched on October 12th, has since been taken offline. Even so, some victims still have the illegitimate application installed on their phones and should delete it immediately.
One sign that you have the malicious app is the large set of additional permissions it requests, including access to call logs, contacts, phone, and SMS.
Darche, Boursalian, and Castro wrote:
“If users are unsure whether they installed the malicious version they can delete the RedAlert applications and install the legitimate version from directly within the Google Play Store.”
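The researchers identify the trojanized build by the extra permissions it requests. The following is an added example (not Cloudflare’s or the RedAlert project’s code) of how an analyst can audit a decoded Android manifest for that kind of permission creep. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the two manifests below are constructed, and the baseline of “expected” permissions for an alert app is an assumption, not the real app’s manifest.

```python
"""Audit an Android manifest for permissions beyond what an alert app needs.

Added example for triaging a sideloaded APK. The manifests and the
EXPECTED baseline are constructed assumptions, not the real RedAlert app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to the data categories the report says the
# malicious build collects: contacts, call logs, SMS, accounts, installed apps.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.QUERY_ALL_PACKAGES",
}

# Assumed baseline for a rocket-alert app: network access and notifications.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
}

# Constructed manifest resembling a benign alert app.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Alerts"/>
</manifest>"""

# Constructed manifest resembling a trojanized build with data-harvesting permissions.
TROJANIZED_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Alerts"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def audit(manifest_xml: str, expected: set[str] = EXPECTED) -> dict[str, list[str]]:
    """Compare declared permissions with the expected baseline.

    'unexpected' lists every permission outside the baseline; 'sensitive'
    lists the subset that reaches the data categories named in the report.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = requested - expected
    return {
        "unexpected": sorted(unexpected),
        "sensitive": sorted(unexpected & SENSITIVE),
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("trojanized", TROJANIZED_MANIFEST)):
        result = audit(manifest)
        verdict = "FLAG" if result["sensitive"] else "ok"
        print(f"{label}: {verdict} sensitive={result['sensitive']}")
```

A non-empty `sensitive` list is the signal to treat the build as suspect; an empty `unexpected` list means the manifest matches the assumed baseline exactly.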
Domain Impersonation - A Serious Problem
This is not the first time the RedAlert app has been attacked.
Shortly after the Hamas attack began, the hacktivist group AnonGhost exploited an API flaw in the software that allowed it to intercept requests and expose vulnerable servers and their APIs.
According to cybersecurity company Group-IB, they also used Python scripts to send spam messages to some app users, including fake messages about a nuclear bomb.
Cloudflare researchers said the following:
“This domain impersonation attack shows the danger of sideloading applications directly from the Internet as opposed to installing applications from the approved device app stores.”
Campaigns of this type are a constant problem. Cybersecurity company Tripwire wrote in a report earlier in October that during the first six months of 2023, brands had been targeted by an average of 39.4 lookalike domains each month.
From January to May 2023, the monthly average ranged from 27.29 to 37.23 spoofed domains, but in June 2023 the average jumped by 120%.
Tripwire went on to say:
“One factor contributing to this growth is the increase in lookalike domains targeting certain industries, including the technology, retail, manufacturing, and financial sectors. This is also reflected in a significant jump in attacks on a top three webmail provider.”