It is a fact that hackers from Hezbollah and Hamas have carried out successful cyberattacks against Israel, including hacking security cameras installed in government buildings and, in Hamas's case, compromising the smartphones of IDF soldiers using seductive images.
In the latest report published by Israeli cybersecurity firm ClearSky, it has been revealed that an APT group affiliated with the Hezbollah Cyber Unit, called Volatile Cedar or Lebanese Cedar, has been targeting countries around the world including Israel, the United Kingdom, and Saudi Arabia.
Volatile Cedar: The Emerging Threat
According to ClearSky, the APT group has developed a new version of the Explosive RAT (remote access trojan) malware [PDF] and is stealthily hacking businesses worldwide, stealing sensitive data such as call records and intelligence information.
The group also frequently performs espionage operations, and when its target is a telecom firm its aim is to steal private data, ClearSky claims.
“In case of telecommunication companies, one can assume that databases containing call records and private data of clients were accessed as well,” ClearSky researchers stated in a report [PDF].
Volatile Cedar Active Since 2012
This group has been active since 2012 but was detected by cybersecurity researchers in 2015. In early 2020, their malicious operations resurfaced with a bang with a global campaign dubbed BeardStache by security researchers.
The group uses a variety of attack techniques, such as a custom-made malware implant called Explosive.
In 2015, the group was involved in a massive cyberespionage operation targeting telecom firms, universities, military suppliers, and media outlets. The attacks launched in 2020 were no different. According to ClearSky, their hacking activities matched the traits of Hezbollah operations.
Over 250 Oracle and Atlassian Servers Accessed
Volatile Cedar has so far accessed over 250 public-facing Oracle and Atlassian servers linked to companies offering internet-based and mobile communication services. The attackers deploy Explosive RAT variants on the targeted networks by exploiting already known 1-day vulnerabilities in unpatched Atlassian and Oracle servers.
Specifically, the group exploits the server flaws tracked as CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152 as its attack vector to obtain an initial foothold. It then injects a web shell and a JSP file browser, moves laterally across the network, and installs additional malware, including the downloaded Explosive RAT.
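The intrusion chain described above (a 1-day exploit against a public-facing Atlassian or Oracle server, followed by a dropped web shell and JSP file browser) leaves a characteristic trace in the web server's access log: a JSP page that is not part of the product being requested, often with POST requests, and often from a directory that should only hold uploaded content. The following Python script is an added example written for this article, not code from ClearSky or from the report; it hunts for exactly that pattern over a handful of constructed access-log lines. The allowlist of legitimate JSP pages, the IP addresses, and the attachment path are all made up for the illustration and would be replaced with the real deployment's paths.

```python
import re
from collections import Counter

# Combined-log-format parser (Apache/Tomcat style). Only the fields the
# hunt needs are captured; the rest of the request line is skipped.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed allowlist: JSP pages that are genuinely part of the deployed
# applications. In practice this is built from the product's install tree.
KNOWN_JSP = {"/confluence/login.jsp", "/jira/login.jsp"}

# Directories that should only ever hold uploaded or temporary content; a
# JSP being served from one of them is a strong web shell indicator.
CONTENT_DIRS = ("/attachments/", "/upload", "/tmp/", "/temp/")

# Constructed sample log: two legitimate logins plus an external host that
# first fetches, then repeatedly POSTs to, a JSP inside an attachment folder.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:00:01 +0000] "GET /confluence/login.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [12/Jan/2021:10:00:09 +0000] "POST /confluence/dologin.action HTTP/1.1" 302 0
198.51.100.7 - - [12/Jan/2021:10:05:13 +0000] "GET /confluence/download/attachments/12345/fb.jsp HTTP/1.1" 200 2210
198.51.100.7 - - [12/Jan/2021:10:05:40 +0000] "POST /confluence/download/attachments/12345/fb.jsp HTTP/1.1" 200 801
198.51.100.7 - - [12/Jan/2021:10:06:02 +0000] "POST /confluence/download/attachments/12345/fb.jsp HTTP/1.1" 200 15
10.0.0.9 - - [12/Jan/2021:10:07:44 +0000] "GET /jira/login.jsp HTTP/1.1" 200 4890
"""


def parse_line(line):
    """Return a dict of the captured fields, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, known_jsp=KNOWN_JSP):
    """Flag every request for a JSP page that is not on the allowlist.

    Each finding carries a list of reasons so an analyst can rank them:
    an unknown JSP alone is suspicious; one under a content directory, or
    one receiving POSTs, is much more so.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(".jsp") or path in known_jsp:
            continue
        reasons = ["jsp_not_in_allowlist"]
        if any(d in path.lower() for d in CONTENT_DIRS):
            reasons.append("jsp_under_content_dir")
        if rec["method"] == "POST":
            reasons.append("post_to_unknown_jsp")
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": path, "status": rec["status"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count hits per (client IP, JSP path) so repeated shell use stands out."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["ts"], f["ip"], f["method"], f["path"], ",".join(f["reasons"]))
    for (ip, path), n in summarize(hits).most_common():
        print(f"{n} request(s) from {ip} to {path}")
```

The allowlist approach matters more than any signature: a dropped JSP file browser can be renamed freely, but it cannot be made to appear in the vendor's list of shipped pages, and it cannot be used without being requested. Pairing the log hunt with a file-system check (JSP files newer than the last product upgrade) catches shells that were dropped but not yet used.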
According to researchers, the malware can perform various tasks such as recording keystrokes, capturing screenshots, and executing arbitrary commands.
“Lebanese Cedar has shifted its focus significantly. Initially, they attacked computers as an initial point of access, then progressed to the victim’s network then further progressing (sic) to targeting vulnerable, public-facing web servers,” researchers noted.
Furthermore, the attackers have added anti-debugging features to the implant's latest iteration, and the communication between the infected device and the C&C server is now encrypted, ClearSky concluded.
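Once the implant's C&C traffic is encrypted, content inspection at the network edge no longer helps, and defenders fall back on the shape of the traffic: a RAT that checks in on a timer produces connections to the same destination at near-constant intervals with near-constant sizes, which ordinary browsing does not. The script below is an added example for this article, not ClearSky's tooling or anything described in its report, and the detection logic is a generic beaconing heuristic rather than a documented trait of Explosive. It runs over a constructed set of flow records (timestamps, source, destination, port, bytes) and flags source/destination pairs whose connection gaps have a low coefficient of variation; the hosts, addresses and timings are all made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _t(hhmmss):
    """Build a datetime from a clock string for the constructed sample."""
    return datetime.strptime("2021-01-12 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed flow records: (timestamp, src, dst, dst_port, bytes_sent).
# 10.0.0.12 talks to 203.0.113.45:443 roughly every 60 s with a little
# jitter (a beacon), and to 93.184.216.34:443 in bursts (normal browsing).
FLOWS = [
    (_t("10:00:00"), "10.0.0.12", "203.0.113.45", 443, 912),
    (_t("10:01:02"), "10.0.0.12", "203.0.113.45", 443, 905),
    (_t("10:02:01"), "10.0.0.12", "203.0.113.45", 443, 918),
    (_t("10:02:59"), "10.0.0.12", "203.0.113.45", 443, 910),
    (_t("10:04:03"), "10.0.0.12", "203.0.113.45", 443, 907),
    (_t("10:05:00"), "10.0.0.12", "203.0.113.45", 443, 915),
    (_t("10:05:58"), "10.0.0.12", "203.0.113.45", 443, 909),
    (_t("10:07:01"), "10.0.0.12", "203.0.113.45", 443, 911),
    (_t("10:00:10"), "10.0.0.12", "93.184.216.34", 443, 1400),
    (_t("10:00:11"), "10.0.0.12", "93.184.216.34", 443, 52000),
    (_t("10:00:12"), "10.0.0.12", "93.184.216.34", 443, 3100),
    (_t("10:03:40"), "10.0.0.12", "93.184.216.34", 443, 1200),
    (_t("10:03:41"), "10.0.0.12", "93.184.216.34", 443, 78000),
    (_t("10:09:15"), "10.0.0.12", "93.184.216.34", 443, 990),
    (_t("10:09:16"), "10.0.0.12", "93.184.216.34", 443, 21000),
]


def beacon_candidates(flows, min_conns=6, max_gap_cv=0.15):
    """Return (src, dst, port) pairs whose inter-connection gaps are regular.

    min_conns   minimum connections before a pair is judged at all, so a
                handful of coincidental requests cannot trip the rule.
    max_gap_cv  upper bound on stdev/mean of the gaps; 0 is a perfect clock,
                browsing is typically well above 1. Implants add jitter to
                defeat this, which is why the bound is not 0.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    out = []
    for pair, events in by_pair.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_mean = mean(gaps)
        gap_cv = pstdev(gaps) / gap_mean if gap_mean else float("inf")
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv:
            out.append({"pair": pair, "conns": len(events),
                        "mean_gap_s": round(gap_mean, 1),
                        "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return out


if __name__ == "__main__":
    for c in beacon_candidates(FLOWS):
        print(f"{c['pair']}: {c['conns']} conns, every ~{c['mean_gap_s']}s "
              f"(gap cv {c['gap_cv']}, size cv {c['size_cv']})")
```

The size coefficient of variation is reported alongside the gap statistic rather than used as a hard rule: an idle beacon sends nearly identical heartbeats, but the same channel carries larger, irregular messages once the operator issues commands, so the size signal weakens exactly when the traffic is most interesting. Over a real flow export the first thing to tune is `min_conns`, so that scheduled legitimate clients (package mirrors, monitoring agents) are allowlisted by destination rather than by loosening the threshold.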
The impacted firms are located in:
- the United Kingdom
- the United States
- Saudi Arabia
- the Palestinian Authority
Victims include telecom operators such as Vodafone Egypt, Mobily, and Etisalat; internet service providers like TE Data and SaudiNet; and infrastructure/hosting service providers including Iomart Cloud Services Limited and Secured Servers LLC.