A newly detected advanced persistent threat (APT) group with probable ties to Hezbollah has been using a ‘retooled’ version of its malware, including a new version of its remote access trojan (RAT), to penetrate organisations’ cyber defences worldwide with the aim of exfiltrating valuable data.
In a report published last Thursday, a security research team identified at least 250 public-facing web servers that the group has successfully compromised since early 2020 to gather intelligence and steal databases.
The detected intrusions hit companies and organisations located in the UK, US, Saudi Arabia, Israel, Egypt, Jordan, Lebanon and the Palestinian Authority. Most victims are telecommunication operators, internet service providers, and hosting and cloud infrastructure providers, or organisations connected to them.
The group’s activity was first documented in 2015. Volatile Cedar, also known as Lebanese Cedar, is known for penetrating large numbers of targets using a variety of cyberattack techniques, including custom-built malware named Explosive.
Volatile Cedar is suspected to operate out of Lebanon, specifically as Hezbollah’s hacking group; it has been linked to the 2015 cyberespionage campaign that targeted telecom companies, news media outlets, universities and military suppliers.
The most recent attacks were no different from the group’s previous campaigns. Researchers matched the activity to Hezbollah on the basis of code similarities between the 2015 and 2020 variants of the Explosive remote access tool, which is deployed inside victims’ networks and servers by exploiting vulnerabilities in unpatched Atlassian and Oracle web servers.
Using three known flaws in unpatched servers (CVE-2019-3396, CVE-2019-11581 and CVE-2012-3152) as the initial attack vector, the group injects a web shell script and a JSP file browser, which it then uses to spread across the network, fetch additional malware and download the Explosive RAT; the RAT can capture keystrokes and screenshots and execute remote commands.
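The intrusion chain above leaves a simple trace on the victim's web tier: requests to JSP resources that the deployed application never shipped. The following detection script is an added example written for this article, not code from the research team or from the attackers' toolset. It parses Apache/Tomcat combined-format access logs, compares every `.jsp` path against a baseline of expected endpoints (the `KNOWN_JSP` set is a hypothetical baseline that a defender would build from the vendor's web root inventory), and groups the unexpected hits per client so that repeated POSTs to the same unknown JSP, the hallmark of an interactive web shell, rise to the top. The log lines are constructed and use documentation IP ranges.

```python
import re

# Constructed sample access log lines (Apache/Tomcat combined format) for a
# Jira-style deployment. Not real traffic; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2021:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2021:10:01:09 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 88 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2021:10:05:41 +0000] "GET /s/static/help.jsp HTTP/1.1" 200 912 "-" "curl/7.68.0"
198.51.100.7 - - [03/Feb/2021:10:05:58 +0000] "POST /s/static/help.jsp HTTP/1.1" 200 640 "-" "curl/7.68.0"
198.51.100.7 - - [03/Feb/2021:10:06:03 +0000] "POST /s/static/help.jsp?x=1 HTTP/1.1" 200 2110 "-" "curl/7.68.0"
203.0.113.22 - - [03/Feb/2021:10:07:15 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 7780 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical baseline of JSP endpoints the deployed application is expected to
# serve. In practice, build it from an inventory of the vendor's web root, never
# from observed traffic (which would whitelist an already planted shell).
KNOWN_JSP = frozenset({"/login.jsp"})


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text, known_jsp=KNOWN_JSP):
    """Group requests to .jsp paths outside the baseline, keyed by (client, path).

    Returns findings in order of first appearance. Each finding records the client
    address, the path, the timestamp of the first request, the HTTP methods used,
    the total request count and the number of POSTs.
    """
    findings = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]
        # Exact ".jsp" suffix: Jira's ".jspa" action endpoints must not match.
        if not path.lower().endswith(".jsp") or path in known_jsp:
            continue
        key = (ev["ip"], path)
        f = findings.setdefault(key, {
            "ip": ev["ip"], "path": path, "first_seen": ev["ts"],
            "methods": set(), "requests": 0, "post_count": 0,
        })
        f["requests"] += 1
        f["methods"].add(ev["method"])
        if ev["method"] == "POST":
            f["post_count"] += 1
    return list(findings.values())


def severity(finding):
    """Repeated POSTs to an unexpected JSP look like interactive shell use."""
    return "high" if finding["post_count"] >= 2 else "review"


if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(severity(f), f["ip"], f["path"], f["first_seen"],
              "requests=%d posts=%d" % (f["requests"], f["post_count"]))
```

The script only surfaces candidates; confirming a web shell means pulling the flagged file from the web root, checking its creation time against the patch history of the server, and looking for the follow-on downloads the article describes. The baseline matters more than the regex: any `.jsp` legitimately added by an administrator will be flagged until it is inventoried.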
It is not surprising for threat actors to keep a low profile after an attack. Still, the fact that Lebanese Cedar stayed hidden since 2015 and avoided any attention implies that the group ceased operations to prevent detection.