Lebanese Cedar APT group broke into telco and ISPs worldwide

Clearsky researchers linked the Lebanese Cedar APT group to a cyber espionage campaign that targeted companies around the world.

Clearsky researchers linked the Lebanese Cedar group (aka Volatile Cedar) to a cyber espionage campaign that targeted companies around the world.

The APT group has been active since 2012, experts linked the group to the Hezbollah militant group.

The activities of the group were first spotted by Check-Point and Kaspersky labs in 2015.

ClearSky experts linked the Lebanese Cedar group to intrusions at telco companies, internet service providers, hosting providers, and managed hosting and applications companies.

The attacks began in early 2020 and threat actors breached internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

“Based on a modified JSP file browser with a unique string that the adversary used to deploy ‘Explosive RAT’ into the victims’ network, we found some 250 servers that were apparently breached by Lebanese Cedar” reads the report published by the ClearSky. “We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.”

Threat actors focus on intelligence gathering and the theft of sensitive data from targeted companies.

The Lebanese Cedar hackers used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, then they used exploits to gain access to the server and deploy a web shell to gain a foothold in the target system.

“The group’s main attack vector is intrusion into Oracle and Atlassian WEB servers. We assess that the intrusion into these systems was done by exploiting known vulnerabilities in systems that were not patched and detecting loopholes using open-source hacking tools.” continues the report.

The attackers made regular use of critical 1-day vulnerabilities based on the vulnerable versions of the services in the compromised servers. The 1-day vulnerabilities exploited by the hackers are:

• Atlassian Confluence Server (CVE-2019-3396)
• Atlassian Jira Server or Data Center (CVE-2019-11581)
• Oracle 10g 11.1.2.0 (CVE-2012-3152)

Once breached the targeted systems, the hackers used multiple web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, to conduct multiple tasks. They also used a modified version of the open-source tool named JSP file browser to get web-based access and manipulate files stored on a remote server.

Once inside the target networks, the attackers deployed the Explosive remote access trojan (RAT), a malware exclusively used by the Lebanese Cedar group in past attacks.

The experts identified 254 infected servers worldwide, “135 of them shared the same hash as the files we identified in victim’ network during our investigation.”

Additional details about the campaigns are included in the analysis published by ClearSky, including Indicators of Compromise.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]