Moses Staff Hackers Wreak Havoc on Israeli Orgs with Ransomless Encryptions

A new hacker group named Moses Staff has recently claimed responsibility for numerous attacks against Israeli entities, which appear politically motivated as they do not make any ransom payment demands.

The threat actors have repeatedly caused damage to Israeli systems in the past couple of months, infiltrating networks and encrypting files, and then leaking the stolen copies to the public.

As such, the group’s apparent motive is to cause maximum operational disruption and damage to its targets by exposing corporate secrets and other sensitive information via dedicated data leaks sites, Twitter accounts, and Telegram channels.

Publicly available info

Researchers at Check Point have published a detailed report today on Moses Staff, looking into the techniques, infection chain, and the toolset used by the actor.

Moses Staff appears to be using publicly available exploits for known vulnerabilities that remain unpatched on public-facing infrastructure.

For example, the hacking group has been targeting vulnerable Microsoft Exchange servers that have been under exploitation for months now, yet many deployments remain unpatched.

After successfully breaching a system, the threat actors move laterally through the network with the help of PsExec, WMIC, and PowerShell, so no custom backdoors are used.

The actors eventually deploy a custom PyDCrypt malware that uses DiskCryptor, an open-source disk encryption tool available on GitHub, to encrypt devices.

Moses Staff infection chain (Source: Check Point)

Weak encryption scheme

Check Point explains that the encrypted files can be restored under certain circumstances, because the encryption scheme derives its symmetric keys deterministically when encrypting devices.

PyDCrypt generates a unique key for every hostname from an MD5 hash and a crafted salt. If the PyDCrypt copy used in the attack is retrieved and reverse-engineered, the key derivation function can be reconstructed and the keys regenerated.

Replicating the attack parameters for decryption (Source: Check Point)

This is possible in many cases where the self-deletion of the ransomware hasn’t worked or was disabled in the configuration.

In general, Moses Staff isn’t putting much effort into this aspect of the operation, as their main aim is to cause chaos in the targeted Israeli organisations rather than to ensure that the encrypted drives are irrecoverable.
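The recovery angle described above, as an added illustration that is not code from the article or from Check Point: a key derived deterministically from the hostname and a fixed salt can be recomputed by an incident responder who holds the reversed sample and the victim’s hostname, whereas a randomly generated key could not. The salt value, the concatenation order and the toy MD5-based keystream standing in for DiskCryptor are all constructed here and are not the real PyDCrypt internals.

```python
import hashlib
import os

# Constructed stand-in for the salt a reverser would pull out of the sample.
# It is NOT the salt used by PyDCrypt.
SALT = b"constructed-salt-value"


def derive_key(hostname: str, salt: bytes = SALT) -> bytes:
    """Deterministic per-host key: MD5(hostname || salt).

    Hostname and salt are the only inputs, so the key is reproducible by
    anyone who knows both. The exact PyDCrypt construction is an assumption.
    """
    return hashlib.md5(hostname.encode() + salt).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from MD5 that stands in for the real disk
    cipher, only so the round trip below is concrete. Not DiskCryptor."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.md5(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric stream encryption/decryption: same call both ways."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover(ciphertext: bytes, hostname: str, salt: bytes) -> bytes:
    """Responder-side recovery: rebuild the key from the recovered
    derivation parameters and decrypt."""
    return xor_crypt(ciphertext, derive_key(hostname, salt))


def demo() -> bool:
    """Encrypt constructed sample data as the malware would, then recover it
    with nothing but the hostname and the salt from the reversed sample."""
    plaintext = b"constructed sample file contents"
    host = "FILESRV01"  # constructed victim hostname
    ciphertext = xor_crypt(plaintext, derive_key(host))
    # A random key, by contrast, cannot be regenerated after the fact.
    random_key = os.urandom(16)
    unrecoverable = xor_crypt(plaintext, random_key)
    return (recover(ciphertext, host, SALT) == plaintext
            and recover(unrecoverable, host, SALT) != plaintext)
```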

Political motivation

Although the actor is new by name, it may have links to ‘Pay2Key’ or ‘BlackShadow’, which share the same political motivation and targeting scope.

“In September 2021, the hacker group Moses Staff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Pay2Key and BlackShadow attack groups,” the researchers explain in their report.

“Those actors operated mainly for political reasons in an attempt to create noise in the media and damage the country’s image, demanding money and conducting lengthy and public negotiations with the victims.”

The group has a vocal presence on social media, a Tor data leak site, and a Telegram channel, all used to publish stolen data in as many channels as possible to maximize damage.

Moses Staff boasting on Twitter

So far, analysts haven’t been able to attribute Moses Staff to any particular geographic location, nor to determine whether it is a state-sponsored group.

However, one of the malware samples used in Moses Staff attacks was uploaded to VirusTotal from Palestine a few months before the attacks began.

“Although this is not a strong indication, it might betray the attackers’ origins; sometimes they test the tools in public services like VT to make sure they are stealthy enough,” explains Check Point.

As Moses Staff attacks use old vulnerabilities that have available patches, Check Point advises all Israeli entities to patch their software to help prevent attacks.
