A “persistent attacker group” with alleged links to Hezbollah has retooled its malware arsenal with a new version of a remote access trojan (RAT) to break into companies around the world and extract valuable information.
In a report released on Thursday, the research team at Israeli cybersecurity company ClearSky said it has identified at least 250 public-facing web servers compromised by the threat actor since early 2020, with the intruders going on to steal company databases.
The coordinated intrusions hit a series of companies in the US, the UK, Egypt, Jordan, Lebanon, Saudi Arabia, Israel, and the Palestinian Authority. Most of the victims were telecom operators (Etisalat, Mobily, Vodafone Egypt), internet service providers (SaudiNet, TE Data), and hosting and infrastructure providers (Secured Servers LLC, Iomart).
First documented in 2015, Volatile Cedar (also known as Lebanese Cedar) is known for penetrating a large number of targets using a range of attack techniques, including a custom-made malware implant codenamed Explosive.
In the past, Volatile Cedar was suspected of being of Lebanese origin, and specifically of being Hezbollah’s cyber unit, in connection with a 2015 cyberespionage campaign that targeted military suppliers, telecommunications companies, media outlets, and universities.
The 2020 attacks were no different. ClearSky attributed the activity it uncovered to Hezbollah on the basis of code overlap between the 2015 and 2020 variants of the Explosive RAT, which was planted on victim networks by exploiting known “1-day” vulnerabilities (flaws for which a patch already existed) in unpatched Oracle and Atlassian web servers.
Using three server flaws (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) as the attack vector to gain an initial foothold, the attackers planted a web shell and a JSP file browser, both of which were then used to move laterally across the network, retrieve additional malware, and download the Explosive RAT, which can log keystrokes, capture screenshots, and execute arbitrary commands.
“The web shell is used to perform various espionage operations over the attacked web server, including possible asset location for further attacks, file installation, server configuration and more,” the researchers noted, but not before escalating privileges to perform ‘r’ tasks and transferring the results to a command-and-control (C2) server.
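The attack chain above turns on two files the attackers drop onto a Java web server: a JSP web shell and a JSP file browser. A practical way to hunt for that on a Confluence, Jira or Oracle web tier is to baseline the deployed `.jsp`/`.jspx` files right after a clean install and diff the live tree against that baseline. The script below is an added example, not ClearSky’s tooling or anything from the report; the directory layout, file names and contents are constructed stand-ins for a deployment, and the “dropped” files are harmless placeholders rather than real shell code.

```python
"""Web-shell hunting by manifest diff: baseline every JSP under a web root,
then report JSP files that were added, modified or removed since the baseline.

Added example; the web root, file names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Server-side page types that a dropped web shell or file browser would use.
JSP_SUFFIXES = {".jsp", ".jspx"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large deployments do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot: Path) -> dict[str, str]:
    """Map each JSP file (path relative to webroot, POSIX style) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            rel = path.relative_to(webroot).as_posix()
            manifest[rel] = sha256_file(path)
    return manifest


def find_anomalies(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live web root with a trusted baseline manifest.

    'added' is the interesting bucket for a web shell or file browser that was
    dropped after deployment; 'modified' catches a legitimate page that was
    trojaned in place; 'removed' usually means cleanup or an unrelated change.
    """
    current = build_manifest(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean deploy, then two dropped JSPs and one trojaned page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pages").mkdir()
        (root / "pages" / "index.jsp").write_text("<%-- constructed: legitimate page --%>\n")
        (root / "pages" / "login.jsp").write_text("<%-- constructed: legitimate page --%>\n")
        baseline = build_manifest(root)  # taken right after the clean install

        # Post-compromise changes (placeholders standing in for hostile files).
        (root / "pages" / "cmd.jsp").write_text("<%-- constructed: stands in for a dropped web shell --%>\n")
        (root / "browser.jspx").write_text("<%-- constructed: stands in for a dropped file browser --%>\n")
        with (root / "pages" / "login.jsp").open("a") as fh:
            fh.write("<%-- constructed: appended to an existing page --%>\n")

        return find_anomalies(root, baseline)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

On a real host, run `build_manifest()` against the servlet container’s deployed web application directory straight after patching and store the manifest off-box; re-running `find_anomalies()` from a cron job or an EDR script then surfaces any JSP that appeared after deployment, which is exactly where a shell planted through a server-side template flaw would land. Note that this only covers files on disk; a shell injected into an existing resource in memory, or one served from a path the container maps elsewhere, needs log- or process-based detection as well.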
In the five years since the Explosive RAT was first seen, ClearSky said, new anti-debugging features have been added to the implant in its latest iteration (V4), and communications between the compromised machine and the C2 server are now encrypted.
While it is no surprise that threat actors keep a low profile, the fact that Lebanese Cedar has managed to stay hidden since 2015 without attracting any attention at all suggests that the group may have paused operations for long periods in between to avoid detection.
ClearSky noted that the group’s use of a web shell as its main hacking tool could have been instrumental in leading researchers to a “dead end in attribution.”
“Lebanese Cedar has shifted its focus significantly. Initially they attacked computers as a starting point of entry, then moved on to the victim network and then moved further (sic) to target vulnerable, public-facing web servers,” the researchers added.