Security firm Clearsky identified at least 250 servers hacked by Lebanese Cedar.
The threat actor known as Lebanese Cedar, which has been affiliated with Hezbollah, was linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE.
The year-long hacking campaign, which began in early 2020, was discovered by Israeli cyber-security firm Clearsky. According to a report published by the firm, its researchers identified at least 250 web servers that had been hacked by the Lebanese Cedar group.
The attacks were believed to be aimed at gathering intelligence and stealing the companies' databases, which contain sensitive data. Since the victims are telecommunication companies, the accessed databases contain call records and private customer data.
ATLASSIAN AND ORACLE SERVERS TARGETED
The Clearsky researchers said that the attacks followed a simple pattern. The threat operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, then deployed exploits to gain access to the server and install a web shell for persistent access.
The group then used these web shells to attack the companies' internal networks, from which they exfiltrated private documents.
In order to attack the internet-facing servers, the hackers exploited vulnerabilities such as:
- CVE-2019-3396 in Atlassian Confluence
- CVE-2019-11581 in Atlassian Jira
- CVE-2012-3152 in Oracle Fusion
After gaining access to these systems, the attackers deployed web shells such as ASPXSpy, Caterpillar 2, and Mamad Warning, as well as an open-source tool named JSP file browser.
On the internal networks, the attackers deployed a more powerful tool, the Explosive remote access trojan (RAT), which is specialized in data exfiltration.
Clearsky was able to link the attacks to Hezbollah's cyber unit because Explosive RAT was a tool that, until now, had been used exclusively by the Lebanese Cedar group.
The researchers also said that the attackers made mistakes in their operation and often reused files between intrusions. This allowed them to track the attacks across the globe and link them to the group. They identified 254 infected servers worldwide; 135 of them hosted files with the same hash as the files found on a victim's network during their investigation.