IRoX Team threatens to attack Brazil. Learn how to protect your business

By ISH and SafeLabs: A group of cyber activists called 'IRoX Team' has announced a cyber war against Israel and its supporters, publishing dates for its cyber attacks. According to a post in a public messaging group, the group supports Palestinian Muslims and states that the purpose of the attack is to disrupt the online presence and activities of countries and organizations supposedly associated with Israel.

The group directed one of the cyberattack threats at Brazil, which could occur on October 20, 2023.

Threat of attacks on countries

The IRoX Team group has announced on its Telegram channel that it will carry out attacks in certain countries on specific dates. The actors express that their inspiration comes from support for Muslim Palestinians and resistance to Israel, declaring their intention to engage in a digital battle against Israel and its allies. The aim, as highlighted in the group's communication, is to "completely annihilate the virtual environment of those who support Israeli Jews".

Publication mentioning Brazil in possible cyber attacks

Once the message has been translated, we get the following results:

Translation of the message presented to Brazil

Group history and details

The group calling itself "IRoX Team" allegedly created its Telegram channel on September 22, 2023, and among its first posts was information that the data of named teachers had been leaked by "IRσX ƇσммυηιтƳ". It is said to have started its cyber attacks against Indian organizations, and on October 14, the group went public with its support for Palestinian Muslims, publicly declaring a cyber war against Israel and those who publicly support the country.

Announcement of support for Palestinians over Israel's war

On October 19, the group published a "cyber attack warning" stating that on October 20, 2023, it would carry out attacks on certain countries, including Brazil, as noted above. Before Brazil was announced, the group's main focus was organizations located in India.

Information collected about the IRoX Team

So far, no public indicators have been found for this threat actor or the group called IRoX Team, but it has been possible to collect information about its possible leaders and the agents who act together in the group.

Among the messages identified from group participants wanting to join the IRoX Team, it was possible to get a response from one of the group's potential leaders.

Translation:

XXXXXX, [19/10/2023 09:15]

Looking to join a team

XXXXXX, [19/10/2023 09:16]

Is there a forum to join?

Translation:

XXXX,

Sorry, sir, we have enough members, if more members are needed, updates will be given, thank you for staying with us.

In addition to the message sent by the possible leader, four other administrators of the group were identified.

After identifying these administrators, research was carried out on them to understand possible locations, TTPs and other relevant facts, which are collected and analyzed separately in the topics below.

Victims identified

On October 20, IRoX Team published some of the sites that have been the targets of defacement-type cyber attacks.

RED's announcement of a DDoS attack involving a hospital

By accessing the sites, it is possible to verify that their content has been changed:

Site modified according to threat actor performing defacement

The IRoX Team behaves like other groups that have expressed support for Palestine: it launches attacks on organizations based in India and exfiltrates personal data and information, and DDoS attacks carried out by the group's administrative members have also been identified.

In addition to the information presented, it was identified that IRoX has links with the following teams:

  • Team Dishari (Bangladesh)
  • Death Cyber Army
  • Team BADS - Security Researches
  • DDoS Project (Russia)

The DDoS project (Project DDoS) has already been identified in use by other groups on Telegram, such as Team R70. That DDoS project belongs to the Noname05716 threat group, a pro-Russia hacktivist group that launches attacks against countries allied with NATO and has the capacity to cause disruption to organizations through DDoS attacks.

It was gathered that on September 18, in a Facebook post, the group spoke out against "Indian hackers", stating that if they carried out attacks on Bangladesh's cyber surface on September 19, it would launch counterattacks.

Facebook group's announcement against cyber attacks by Indian hackers

It is worth noting that Bangladesh is a country whose adopted religion is Islam, with the vast majority of its inhabitants being Muslims.

We can therefore conclude that Brazilian companies (private and public sector) are exposed to possible DDoS (distributed denial of service) attacks, web server intrusions, data exfiltration, website defacements, among others. At the moment no indicators of compromise have been collected from the group; the possible TTPs used by the group are presented in the MITRE ATT&CK section.

MITRE ATT&CK

According to the information collected, we present the TTPs for the threat actor described in the report:

| Tactic | Technique | Details |
| --- | --- | --- |
| Exfiltration (TA0010) | Exfiltration (TA0010) | The group can adopt data exfiltration techniques to steal data from your organization's network. |
| Impact (TA0040) | Defacement (T1491) | The group can modify the visual content available internally or externally to a corporate network, thus affecting the integrity of the original content. |
| Impact (TA0040) | Network Denial of Service (T1498) | The group can carry out denial-of-service (DoS) attacks on the network to throttle or block the availability of resources for users. |
| Impact (TA0040) | Network Denial of Service: Direct Network Flooding (T1498.001) | The group could try to cause a denial of service (DoS) by directly sending a large volume of network traffic to a target. |
| Impact (TA0040) | Network Denial of Service: Reflection Amplification (T1498.002) | The group may try to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. |

How to protect yourself?

Below are some security recommendations against DDoS attacks, defacement and web server intrusions:

DDoS attacks

  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): Use firewalls and IDS/IPS systems to monitor and filter network traffic, blocking suspicious patterns and malicious traffic.
  • Load balancing: Distribute traffic between several servers or data centers to avoid overloading a single entry point.
  • DDoS Protection Services: Consider using DDoS protection services provided by specialized service providers.
  • Traffic filtering: Implement whitelists to only allow traffic from trusted IPs. Also consider using blacklists for IP addresses known to be malicious.
  • Abnormal Traffic Monitoring: Use traffic monitoring tools to identify unusual patterns that may indicate a DDoS attack in progress.
  • Defense in Depth: Implement multiple layers of defense, including firewalls, IDS/IPS, DDoS protection services and robust security policies.
  • Vulnerability tests: Carry out regular vulnerability tests to identify possible weak points in your infrastructure.
  • Incident Response Plan: Have an incident response plan that includes specific procedures for dealing with DDoS attacks, including communication with the security team, service providers and authorities if necessary.
  • Training and Awareness: Educate your team on good cybersecurity practices, including recognizing and responding to DDoS attacks.
  • Backup and Recovery: Keep backup copies of critical data and have recovery plans in case of a successful attack.
  • External monitoring: Use external monitoring services to assess the availability and performance of your systems on an ongoing basis.
  • Updates and Patches: Keep your software and operating systems up to date with the latest security patches.
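As an added example (not code from ISH or SafeLabs), the "abnormal traffic monitoring" item above can be implemented as a rate check over web server access logs: requests are counted per source IP per one-minute window and sources above a threshold are reported, with the per-window total returned separately because reflection/amplification floods (T1498.002) carry spoofed source addresses. The log lines, threshold and documentation IP ranges are constructed for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Added example (not ISH/SafeLabs code): rate-based "abnormal traffic monitoring"
# over web server access logs in Common Log Format. Requests are counted per
# source IP per one-minute window and sources above a threshold are reported.
# Caveat: in reflection/amplification floods (T1498.002) source addresses are
# spoofed, so the per-window total is also returned for volume-based alerting.

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, minute_bucket) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts.replace(second=0, microsecond=0)


def flag_sources(lines, threshold: int) -> dict:
    """Map each source IP whose peak one-minute request count >= threshold to that count."""
    per_ip_minute = Counter(p for p in map(parse_line, lines) if p)
    peak = {}
    for (ip, _minute), n in per_ip_minute.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def peak_window_total(lines) -> int:
    """Highest request count seen in any single one-minute window, all sources combined."""
    per_minute = Counter(p[1] for p in map(parse_line, lines) if p)
    return max(per_minute.values(), default=0)


def constructed_log() -> list:
    """Constructed sample (documentation IP ranges): one source floods /, one browses normally."""
    lines = [f'203.0.113.7 - - [20/Oct/2023:10:15:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
             for i in range(120)]
    lines += [f'198.51.100.20 - - [20/Oct/2023:10:15:{i * 10:02d} +0000] "GET /about HTTP/1.1" 200 2048'
              for i in range(5)]
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print(flag_sources(log, threshold=100), peak_window_total(log))
```

Flagged sources are candidates for review or for the filter lists mentioned above, not automatic blocks, since legitimate proxies and NAT gateways can also produce high per-IP rates.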

Defacement attacks and web server protection

  • Keep Software Up to Date: Make sure that all software, including the operating system, web servers, CMS (content management systems) and plugins, is always up to date with the latest security patches.
  • Back up regularly: Keep up-to-date backup copies of your website and database.
  • Use Strong Passwords: Use complex and unique passwords for all accounts associated with your site, including administration panels, FTP and databases.
  • Access Control: Limit access to your site's administration panel to authorized users only.
  • Change Monitoring: Set up alerts to notify you immediately when unexpected changes occur on your site. This can be done using file integrity monitoring tools.
  • Restrict File Permissions: Assign appropriate permissions to files and directories on the server. Avoid giving write permissions to files that don't need to be changed regularly.
  • Use SSL/TLS Certificates: Make sure your site uses HTTPS to encrypt communication between the server and visitors. This helps protect against data interception attacks.
  • Web Application Firewall (WAF): Implement a WAF to filter and monitor HTTP/HTTPS traffic, protecting against common attacks such as SQL injection and cross-site scripting (XSS).
  • File Upload Restriction: If allowed, restrict the types of files that users can upload to your site.
  • Disable Unnecessary Services: Disable any service or functionality that is not necessary for the site to function.
  • External monitoring: Use external monitoring services to check the availability of your site and detect any changes to the content.
  • Training and Education: Keep staff and employees informed about best security practices and how to recognize suspicious activity.
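The "change monitoring" item above, as an added example that is not part of the original report: a minimal file integrity monitor that baselines SHA-256 digests of a web root and reports modified, added and removed files on a later snapshot. The directory layout and simulated defacement are constructed inside the script.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not ISH/SafeLabs code): a minimal file integrity monitor for a
# web root, the "change monitoring" recommended above against defacement. A
# baseline of SHA-256 digests is taken while the site is known good; later
# snapshots are compared with it and every modified, added or removed file is
# reported, since a defacement of static content changes at least one served file.


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: str) -> dict:
    """Hash every regular file under webroot, keyed by its relative POSIX path."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the baseline and a current snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: home page overwritten, a page dropped in, a file deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("body { color: black; }")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = snapshot(tmp)  # taken while the site is known good
        (root / "index.html").write_text("<h1>Defaced page</h1>")
        (root / "defaced.html").write_text("<p>constructed defacement</p>")
        (root / "robots.txt").unlink()
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

In production the baseline should be stored outside the web root (and ideally off-host), and a non-empty result should raise an alert rather than just be printed.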
