Handala's latest is a dump, allegedly of Ron Prosor's emails; they originally mentioned him 8 days ago. Ron is the Ambassador of Israel to Germany. Telegram post includes death threats.

50k emails, again looks like a personal email account. #threatintel #handala

Edit: I broke the thread on this, the prior ones are at https://cyberplace.social/@GossiTheDog/113267372575167506

Kevin Beaumont (@GossiTheDog)

Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran. Contains the usual, a picture dump - so far no email dump. #handala #threatintel

Handala’s latest dump is of a podcasting platform called Doscast. Email addresses and encrypted passwords. #threatintel #handala
Handala claim they used a MaxShop SMS account to send 5 million messages. Their screenshot and my translated version below. #threatintel #handala
Obviously, Handala are awake. #threatintel #handala
Handala have deleted their previous message and replaced it with this. #threatintel #handala
Handala claim they are doing an “ultra big wipe” #threatintel #handala

Handala claim to have hacked and wiped 74 servers at AGAS - https://www.agas.co.il - an Israeli MSP, MSSP and cloud reseller.

I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.

I’ve reached out to AGAS to see if they want to comment.

#threatintel #handala

Handala claim to have released 10GB of customer data for AGAS.

It does appear AGAS has a security incident going on. AGAS declined to comment when asked.

#threatintel #handala

AGAS have confirmed to me they are dealing with a cyber incident from Handala. #threatintel #handala
Handala have been banned from TikTok, one day after joining. #threatintel #handala

Handala say they have hacked and dumped IM Cannabis aka IMC - https://imcannabis.com/ - using their access via AGAS, their MSP.

They also implicate another company, NDN Security - https://www.ndn-security.com/

#threatintel #handala


Handala claims to have done a leak and wipe of Elad municipality.

Elad's website is offline, and there's an Israeli media report of some kind of cyber incident.

Handala typically over-exaggerate data volumes exfiltrated.

#Handala #threatintel

Handala are again claiming to have hacked Soreq, the nuclear safety org. I have in the past confirmed Soreq had a cybersecurity incident related to Handala, via the International Atomic Agency. #Handala #threatintel

Handala have posted photos and internal diagrams of what they claim is the Shimon Peres Negev Nuclear Research Center.

The data appears to have come from Soreq. I have confirmed Soreq was owned, via the IAEA.

#Handala #threatintel

A few things have happened with Handala over the past few days which I haven’t covered - they’ve been dumping cloud backup photos and making threats, including about family members. I didn’t want to cover it.

All but one of the Handala Telegram channels have been shut down tonight.

#Handala #threatintel

Handala continues to be crazy town, with data dumps of what is allegedly SSV Network, a blockchain company.

Handala claim they can link it (SSV Network) to Unit 8200, the Israeli intelligence agency. So far this appears to be without proof.

I’m going to guess, based on this post, they plan to post more tomorrow about Unit 8200.

#Handala #threatintel

So with the Unit 8200 stuff and Handala, their latest claim is they gained access to Silicom Limited (an IT services and networking company) and exfiltrated data, and that Silicom is a front company for Unit 8200.

Presented evidence includes a video accessing an internal VMware vCenter cluster with about 50TB of storage.

#Handala #threatintel

Handala claim to be inside the Silicom incident response process, and that they’ve wiped 300 systems. #Handala #threatintel
Btw the Silicom thing is interesting - Silicom sell OEMs networking kit and cards inside servers which are rebranded on sale, i.e. people see their products as another company's. The Handala claim is that Silicom is a Unit 8200 (Israeli signals intelligence) front company, for onward access. #Handala #threatintel
Handala are one year old today. They are billing next week “destructive week”. #Handala #threatintel

Masoumeh Karbasi & Reza Avazeh were killed in a drone strike in Lebanon in October. As far as I can see nobody knew why publicly, Handala’s linking Reza to Hezbollah and their cybersecurity appears to be a first.

His children were invited to meet ‘Supreme Leader of the Islamic Revolution’ that week. https://farsi.khamenei.ir/news-content?id=58050

#Handala #threatintel

Meeting of the family of martyrs Masoumeh Karbasi and Reza Avazeh with the Leader of the Revolution

Handala say they plan their most destructive hack so far this weekend, over the fate of Reza Avazeh

There’s even a video, but sadly no hoodie wearing hackers

#Handala #threatintel

Handala claim to have gained access to CaaB Cloud (https://caab.cloud), aka Cloud as a Business, posting a video of administrator access. CAAB Cloud describe themselves as “The MSP’s Cloud” in marketing.

CAAB Cloud is owned and operated by GNS in Israel, aka https://gns.cloud

It is unclear if the claims are credible. CaaB’s status page suggests a ~10% availability impact in one of their Israeli datacenters three days ago on cloud VM. https://status.caab.cloud

#Handala #threatintel

Handala suggests they got access to Ehud Barak’s iPad using a BYOD management profile. #Handala #threatintel
A bit on the nose writing 🤣 #Handala #threatintel
Handala have gained access to Reutone, a SaaS CRM supplier, and forward phished customers with a Trojan. Write up later. #Handala #threatintel

I wrote up the Handala attack on ReutOne, includes the first IoCs on Handala's python trojan

https://doublepulsar.com/handala-attempts-a-supply-chain-hack-via-reutone-001aa3cc684f

Handala attempts a supply chain hack via ReutOne - DoublePulsar

During the week, Handala — a group painfully in love with Israel, breached ReutOne, a small Microsoft 365 Dynamics reseller. They sent out an email to their customers on 24th December 2024, asking…


Handala has also defaced ReutOne’s website, and published videos of RDP access to ReutOne’s internal network, e.g. Active Directory Certificate Authority etc. https://web.archive.org/web/20241226141650/https://www.reutone.com/

#threatintel #Handala

Handala claim they hacked Allen Carr's Easyway via ReutOne.

Two points:

a) I legit thought they had hacked UK national treasure Alan Carr for a moment

2) "reportedly", lol. ChatGPT doing overtime for Handala.

The '100K messages sent' thing is a reference to Handala abusing WhatsApp Business accounts; my English translation of the message they've been sending.

#handala #threatintel

Handala claim they will be wiping Mossad’s financial network today. Also, they appear to have purchased ChatGPT premium.

#handala #threatintel

One note, they fully respected the dates of the ceasefire last time but apparently aren’t bothered this time? #handala #threatintel

Edit: derp, it was Cyber Toufan who respected the ceasefire, not Handala.

Handala claim to have done a hack and wipe of Zuk Group, an Israeli group of financial companies. Their website has been defaced as of writing.

Handala posted a series of videos appearing to show access to their internal network.

Handala also claim the company is a front for Mossad. They offer no evidence of that bit.

#handala #threatintel

Handala got booted off Telegram after the Zuk Group hack.

They’re back on another channel and posted:

“وَ كَمْ قَصَمْنا مِنْ قَرْيَةٍ كانَتْ ظالِمَةً ... بَلْ نَقْذِفُ بِالْحَقِّ عَلَى الْباطِلِ فَيَدْمَغُهُ فَإِذا هُوَ زاهِقٌ‌ ...”

Which translates to

“How many a city have We destroyed which was unjust... Rather, We cast the truth upon falsehood, and it destroys it, and at once it departs...”

#handala #threatintel

Handala claim to have hacked the Ministry of National Security in Israel, activated red alert to get people into shelters, closed the doors, then played a song and wiped the system.

Very unclear how widespread or credible this is, although some Israeli social media posts show devices going off and playing songs.

#handala #threatintel

@GossiTheDog As to be expected, that's from the Qur'an. Surah al-Anbiya, verses 11-12

@GossiTheDog

Yes Cyber Toufan paused during ceasefire.

But you missed this one:

https://www.jpost.com/israel-news/article-838245

https://t.me/CyberSecurityIL/6421
https://t.me/CyberSecurityIL/6422
https://t.me/CyberSecurityIL/6423
https://t.me/CyberSecurityIL/6424

I'm 100% sure it was Cyber Toufan...

Both groups seem to be politically motivated but some people mixed attribution between Handala and Cyber Toufan; we watched them closely.

Cyberattack targets Israeli organizations amid hostage return process

Israeli organizations hit by a cyber attack spreading pro-Hamas propaganda.

@GossiTheDog Oh they better not be coming for the Chatty Man! 😆

@GossiTheDog

Now I want the UK national treasure Alan Carr to make some statement about being hacked.

Would be the most pure and awesome and most British camp comedy gold ever

@GossiTheDog it's especially funny to see chatgpt output here
@GossiTheDog somehow this feels like the explanatory paragraph of ChatGPT 🤔 which now that I think about it makes a lot of sense to throw any kind of lingual profiling out of the equation
@GossiTheDog I don't get how they don't think these videos are cringe before posting them lmfao
@GossiTheDog Whoever named it "Silicom" wanted so much to make a pun on "silicon" that he didn't realize that it sounds like "silly com(pany)".
@GossiTheDog Do you have an opinion on whether deplatforming would dampen activity by this and similar groups? If they didn't have their Telegram channel or similar account to brag about their hacks, would they continue at the same rate?