Facebook Resists Palestinian APT Activities
Facebook announced that it has disrupted the activities of two Palestinian advanced persistent threat (APT) groups that targeted victims across the Middle East as part of cyber espionage campaigns.
Facebook threat intelligence analysts said they observed campaigns linked to AridViper, an espionage group active since at least 2015, and to the Preventive Security Service, which is connected to the intelligence services of Palestinian President Mahmoud Abbas.
The groups used Android and Windows malware and sophisticated social engineering techniques to target human rights activists, military groups and journalists in Syria, Palestine, Lebanon, Iraq, Libya and Turkey for cyber espionage, Facebook says.
Facebook's director of threat disruption, David Agranovich, told the Independent newspaper that Facebook accounts linked in one way or another to the hacking networks had been removed, including those used to distribute malware, and that the company had notified all targets and shared its investigation with other technology firms to counter the malware's distribution.
While Facebook has disrupted the APTs' infrastructure, it warned that the groups might soon revive their activities.
“In order to counter both operations, we have taken down their accounts, released malware hashes, blocked all domains connected to their activity, and informed the people whom we believe were targeted, so as to help them secure their (Facebook) accounts,” Facebook said.
“The groups in charge of these operations are determined adversaries, and we are certain they will change their strategies in response to our enforcement.”
Preventive Security Service
The Preventive Security Service relies mainly on social engineering, tricking Facebook users into clicking links that install malicious chat applications.
The group used custom-built malware posing as secure chat applications. Once installed, it collects device metadata, location, call logs, contacts and text messages.
The attackers upload the stolen data to Firebase. The group also uses the SpyNote Android malware for call monitoring and remote access.
AridViper
AridViper, also known as DesertFalcon and APT-C-23, runs cyber espionage campaigns in the Middle East that Kaspersky Lab first reported in 2015.
The APT group used no fewer than 100 sites that hosted iOS and Android malware for stealing credentials.
The group also used an Android malware strain, likewise called AridViper, that resembles FrozenCell and VAMP, Facebook said. This malware was distributed through attacker-controlled phishing sites, such as fake pages that closely mimic the Facebook login page. When an email address and password are entered into the fields on one of these pages, the attacker captures and stores the credentials.