
Lebanese Cedar APT group broke into telco and ISPs worldwide

一月 28, 2021 - SecurityAffairs

ClearSky researchers have linked the Lebanese Cedar APT group (aka Volatile Cedar) to a cyber espionage campaign that targeted telecommunications and hosting companies around the world.

The APT group has been active since at least 2012, and researchers have linked it to the Hezbollah militant group.

The group's activity was first documented by Check Point and Kaspersky Lab in 2015.

ClearSky experts linked the Lebanese Cedar group to intrusions at telco companies, internet service providers, hosting providers, and managed hosting and applications companies.

The attacks began in early 2020 and threat actors breached internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

“Based on a modified JSP file browser with a unique string that the adversary used to deploy ‘Explosive RAT’ into the victims’ network, we found some 250 servers that were apparently breached by Lebanese Cedar,” reads the report published by ClearSky. “We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.”

Threat actors focus on intelligence gathering and the theft of sensitive data from targeted companies.

The Lebanese Cedar hackers used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, then exploited known vulnerabilities to gain access to each server and deploy a web shell as their foothold in the target environment.

“The group’s main attack vector is intrusion into Oracle and Atlassian WEB servers. We assess that the intrusion into these systems was done by exploiting known vulnerabilities in systems that were not patched and detecting loopholes using open-source hacking tools.” continues the report.

The attackers routinely exploited critical 1-day vulnerabilities (publicly disclosed, already-patched flaws), choosing the exploit to match the vulnerable version of the service running on each compromised server. The 1-day vulnerabilities exploited by the hackers are:

• Atlassian Confluence Server (CVE-2019-3396, server-side template injection in the Widget Connector macro, leading to remote code execution)
• Atlassian Jira Server or Data Center (CVE-2019-11581, server-side template injection leading to remote code execution)
• Oracle Reports in Oracle Fusion Middleware, listed in the report as Oracle 10g 11.1.2.0 (CVE-2012-3152)
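The "match the exploit to the version" step above is exactly what a defender can reverse into an exposure check. The following is an added example, not code from the ClearSky report or from Security Affairs: it pulls the version string that Confluence and Jira render into their HTML (the `ajs-version-number` meta tag) and compares it, branch by branch, against the releases that fixed the two Atlassian CVEs. The fixed-version table is my recollection of the Atlassian advisories and is an assumption to verify against those advisories before use; the Oracle CVE is not covered. The sample page fragments are constructed.

```python
"""Defender-side exposure check for the two Atlassian 1-days named above.
Added example; the fixed-version table is an assumption to verify against the
vendor advisories."""
import re

# Lowest fixed release on each branch (assumption: from the Atlassian advisories
# for CVE-2019-3396 and CVE-2019-11581 as I recall them; verify before use).
FIXED = {
    "CVE-2019-3396": {
        "product": "confluence",
        "fixed": ["6.6.12", "6.12.3", "6.13.3", "6.14.2", "6.15.1"],
    },
    "CVE-2019-11581": {
        "product": "jira",
        "fixed": ["7.6.14", "7.13.5", "8.0.3", "8.1.2", "8.2.3"],
    },
}

# Both products render their version into the page header like this.
META_RX = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def parse_version(text):
    """'6.13.2-SNAPSHOT' -> (6, 13, 2); pads short versions with zeros."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version, fixed_versions):
    """Branch-aware comparison: a release is exposed if it is older than the fix
    on its own major.minor branch, or, when its branch never received a fix,
    older than the newest fixed release (such branches must be upgraded)."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    on_branch = [f for f in fixed if f[:2] == v[:2]]
    if on_branch:
        return v < on_branch[0]
    return v < fixed[-1]


def extract_version(html):
    m = META_RX.search(html)
    return m.group(1) if m else None


def assess(product, html):
    """Return (version, [matching CVE ids]) for a captured product landing page."""
    version = extract_version(html)
    if version is None:
        return None, []
    hits = [
        cve for cve, entry in FIXED.items()
        if entry["product"] == product and is_vulnerable(version, entry["fixed"])
    ]
    return version, hits


# Constructed sample page fragments (not captured from any real server).
SAMPLE_CONFLUENCE = '<html><head><meta name="ajs-version-number" content="6.13.2">'
SAMPLE_JIRA = '<html><head><meta name="ajs-version-number" content="8.2.3">'

if __name__ == "__main__":
    print(assess("confluence", SAMPLE_CONFLUENCE))  # ('6.13.2', ['CVE-2019-3396'])
    print(assess("jira", SAMPLE_JIRA))              # ('8.2.3', [])
```

The branch logic matters because Atlassian backports fixes only to supported branches: a 6.9.x Confluence has no 6.9 fix at all and must move to a fixed branch, so it is reported as exposed even though no "6.9.x fixed" entry exists.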


Once they had breached the target systems, the hackers used several web shells (ASPXSpy, Caterpillar 2, Mamad Warning) for a range of tasks. They also used a modified version of the open-source JSP file browser to gain web-based access to, and manipulate, files stored on the compromised server.

Once inside the target networks, the attackers deployed the Explosive remote access trojan (RAT), malware used exclusively by the Lebanese Cedar group in past attacks.

The experts identified 254 infected servers worldwide, “135 of them shared the same hash as the files we identified in victim’s network during our investigation.”
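ClearSky's pivot rested on two things: a modified JSP file browser carrying a unique string, and 135 servers whose shell file shared one hash. That is the shape of a web-shell hunt on a server of your own, so here is one as an added example (not code from the ClearSky report or from this article): walk a web root, hash every JSP/ASPX file against a set of known-bad hashes, and score the rest on heuristics typical of file-browser and command-execution shells. The pattern weights, the sample files and the IOC hash (derived from the constructed sample itself) are all assumptions for illustration, not real indicators.

```python
"""Hunt for JSP/ASPX web shells under a web root: exact IOC hash match plus
content heuristics for file-browser and command-execution shells.
Added example; hashes and sample files are constructed, not real IOCs."""
import hashlib
import os
import re
import tempfile

WEB_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".ashx", ".asmx")
THRESHOLD = 3

# Heuristic indicators with weights (judgement calls, not vendor signatures).
PATTERNS = {
    "exec": (re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|Process\.Start"), 3),
    # a request parameter flowing into a file open within ~200 characters
    "param_to_file": (re.compile(r"request\.getParameter\([^)]*\)[\s\S]{0,200}new\s+File(OutputStream)?\("), 2),
    "dir_listing": (re.compile(r"\.listFiles\(\)|Directory\.GetFiles"), 1),
    "realpath_write": (re.compile(r"getRealPath\(|Server\.MapPath\("), 1),
    "upload": (re.compile(r"multipart/form-data|Request\.Files"), 1),
    "dyn_load": (re.compile(r"defineClass|\beval\("), 2),
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, known_hashes):
    """Return a finding dict if the file looks like a web shell, else None."""
    digest = sha256_of(path)
    hits, score = [], 0
    if digest in known_hashes:
        hits.append("ioc_hash")
        score += THRESHOLD  # an exact IOC match is conclusive on its own
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    for name, (rx, weight) in PATTERNS.items():
        if rx.search(text):
            hits.append(name)
            score += weight
    if score >= THRESHOLD:
        return {"path": path, "sha256": digest, "score": score, "hits": hits}
    return None


def hunt(web_root, known_hashes=frozenset()):
    """Scan every server-side script under web_root; highest score first."""
    findings = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if name.lower().endswith(WEB_EXTENSIONS):
                finding = scan_file(os.path.join(dirpath, name), known_hashes)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: -f["score"])


# Constructed samples: a benign page, a toy file-browser shell, a toy dropper.
BENIGN_JSP = '<html><body>Hello, <%= request.getParameter("name") %></body></html>\n'
SHELL_JSP = (
    '<%@ page import="java.io.*" %>\n'
    '<% String cmd = request.getParameter("cmd");\n'
    '   File[] entries = new File(request.getParameter("dir")).listFiles();\n'
    '   Process p = Runtime.getRuntime().exec(cmd); %>\n'
)
DROPPER_JSP = (
    '<%@ page import="java.io.*" %>\n'
    '<% String name = request.getParameter("f");\n'
    '   FileOutputStream out = new FileOutputStream(new File(application.getRealPath("/") + name));\n'
    '   out.write(request.getParameter("data").getBytes()); out.close(); %>\n'
)


def demo():
    """Build a throwaway web root and hunt it; the IOC hash is derived from the
    constructed shell, standing in for a real IOC list."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {"index.jsp": BENIGN_JSP, "img/fb.jsp": SHELL_JSP, "tmp/up.jsp": DROPPER_JSP}
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    iocs = {sha256_of(os.path.join(root, "img", "fb.jsp"))}
    return hunt(root, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding["score"], finding["path"], finding["hits"])
```

The hash match catches the 135-servers case (identical shell dropped everywhere); the heuristics are there for the other 119, where the operator re-tooled or retouched the file and an exact hash no longer helps. Note that the dropper sample carries no command execution at all and is flagged only because a request parameter reaches a file write under the application's real path, which is the pattern a modified file browser also exhibits.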

Additional details about the campaigns are included in the analysis published by ClearSky, including Indicators of Compromise.


Pierluigi Paganini

(SecurityAffairs – hacking, APT)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
