Posted on January 30, 2021 at 1:34 PM
Lebanese Cedar, a group affiliated with the Hezbollah hacking syndicate, has been linked with the breach of internet service providers (ISPs) and telecom operators across several countries. The group has been discovered hacking these organizations in countries such as the U.S., the Palestinian Authority, the UAE, Jordan, Egypt, Israel, Saudi Arabia, the UK, and Lebanon.
ClearSky Security researchers stated that they found hacking tools and irregular network activity in a wide range of companies earlier in 2020, but the hackers have been operating under the radar for the past five years.
Although no concrete evidence links Cedar to the Hezbollah Cyber Unit, the ClearSky security researchers said their research shows there is an undeniable link between the two.
In a report published today, the security firm said it identified at least 250 web servers that the Lebanese Cedar group has hacked over the years.
ClearSky also stated that the hackers stole sensitive data from companies all over the world.
“It seems that the attacks aimed to gather intelligence and steal the company’s databases, containing sensitive data,” ClearSky stated.
Hackers infected victims’ Oracle servers
The group is notorious for its carefully managed, selectively targeted, and highly invasive hacking approach. ClearSky stated that the group’s tactics match those of threat actors that are usually funded by political groups or nation-states.
A new version of the “Caterpillar” V2 web shell and the remote access tool known as “Explosive” V4 RAT were discovered in the targeted networks. The security researchers also disclosed that the open-source JSP file browser was modified to suit the threat actors’ hacking plans. According to the report, this code is unique to the Lebanese Cedar hacking group.
The files were installed on the victims’ Oracle servers, which exposed those servers to the threat actors, who then installed further malicious files on them. Most of the targeted and affected victims were application, communication, and hosting providers, as well as telecommunications and IT companies.
The list of companies targeted since the group started operating is long. It includes Etisalat telecommunications in the UAE, Mobily in Saudi Arabia, Jordanian Universities Network LLC, Hadara in the Palestinian Authority, Secured Servers LLC in the US, and Vodafone in Egypt.
There may be many more companies that have been hacked without the victimized company having any clue about it. In most of the hacking incidents, the hackers kept their malware on the companies’ servers for years while it collected new information.
Attacks followed a simple pattern
The ClearSky analysts have offered a theory of how the Lebanese Cedar hackers remained under the radar while stealing sensitive company data for many years.
The security researchers stated that the hacking group could have utilized a common web-based, shell-like interface to gain remote access.
The ClearSky researchers stated that the attacks followed a simple pattern: the hackers utilized open-source hacking tools to scan for vulnerable Oracle and Atlassian servers. After locating their targets, they exploited the targeted servers and planted web shells for future access.
The threat actors used vulnerabilities such as CVE-2012-3152 in Oracle Fusion and CVE-2019-11581 in Atlassian Jira to launch attacks on the internet-facing servers. After gaining access to the targeted systems, they planted web shells such as JSP file browser, Marmad Warning, Caterpillar 2, and ASPXSpy.
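Because the pattern described here ends with a JSP or ASPX web shell left on an internet-facing server, a defender’s first triage step is to sweep the deployed web root for server-side scripts that spawn OS commands from request parameters. The following is an added example, not code from ClearSky or from the report; the indicator tokens and weights are assumptions for illustration, not published signatures for Caterpillar, JSP file browser, or ASPXSpy, and the sample web root it builds is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Assumed heuristic weights: API tokens that a JSP/ASPX web shell typically
# needs (command execution, request-controlled input, file writes, decoding).
INDICATORS = {
    r"Runtime\.getRuntime\(\)\.exec": 3,        # JSP: spawn an OS command
    r"ProcessBuilder": 3,                        # JSP: spawn an OS command
    r"System\.Diagnostics\.Process": 3,          # ASPX: spawn an OS command
    r"request\.getParameter\(": 1,               # JSP: operator-controlled input
    r"Request\[|Request\.Form\[|Request\.QueryString\[": 1,  # ASPX input
    r"FileOutputStream|File\.WriteAllBytes": 2,  # arbitrary file write (upload)
    r"Base64|Convert\.FromBase64String": 1,      # obfuscated payloads
}
SHELL_EXTS = (".jsp", ".jspx", ".aspx", ".ashx", ".asmx")

def score_file(path):
    """Return (score, matched indicator patterns) for one server-side script."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        data = f.read()
    hits = [pat for pat in INDICATORS if re.search(pat, data)]
    return sum(INDICATORS[p] for p in hits), hits

def scan_webroot(root, threshold=4):
    """Walk a web root; return {relative path: score} for files at/above threshold."""
    suspects = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SHELL_EXTS):
                full = os.path.join(dirpath, name)
                score, _ = score_file(full)
                if score >= threshold:
                    suspects[os.path.relpath(full, root)] = score
    return suspects

def demo():
    """Constructed web root: one benign JSP page and one shell-like JSP page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "index.jsp"), "w") as f:
        f.write('<%@ page contentType="text/html" %><html><body>Hello <%= "world" %></body></html>')
    with open(os.path.join(root, "app", "x.jsp"), "w") as f:  # constructed sample
        f.write('<% String c = request.getParameter("cmd");'
                ' Process p = Runtime.getRuntime().exec(c); %>')
    return scan_webroot(root)

if __name__ == "__main__":
    print(demo())  # only the constructed x.jsp should be reported
```

A hit only means the file deserves manual review against the deployment manifest; a legitimate admin console can score above the threshold, and a shell that builds its API calls from encoded strings can score below it.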
Another explanation is that the Lebanese Cedar hackers shifted their focus and choice of targets. When the group started operating, it initially used individual computers as its access points. It then began targeting networks, before moving on to public-facing web servers.
ClearSky researchers said the Oracle web server is the most commonly targeted server by the group.
The hacking syndicate also had periods in which it stayed under the radar without launching any attacks. Based on the observations, these periods of inactivity were probably used to develop or upgrade its hacking tools so that they remained potent.
ClearSky also discovered that the hacking syndicate utilized a highly selective hacking method, which is an indication of extensive reconnaissance.