
“Lebanese Cedar” APT Analysis

Introduction

Researchers have linked the Lebanese Cedar APT group (also known as Volatile Cedar) to a cyber-espionage campaign against companies worldwide. The group has been active since 2012 and was first disclosed by Kaspersky in 2015. Experts have linked it to the armed organization Hezbollah.


Timeline of Events

The researchers linked the group to intrusions into telecommunications companies, Internet service providers, hosting providers, and application companies. The campaign began in early 2020. The attackers compromised government agencies in the United States, Britain, Egypt, Israel, Lebanon, Jordan, and Palestine, as well as Internet service providers in Saudi Arabia and the UAE. The attackers' goal is to gather intelligence and steal sensitive data from the targeted organizations.

The attackers used open-source hacking tools to scan the Internet for unpatched Atlassian and Oracle servers, then exploited known vulnerabilities to gain access to those servers and deploy web shells as a foothold in the target environment. Based on the vulnerable service versions found on infected servers, they exploited the following vulnerabilities:

• Atlassian Confluence server (CVE-2019-3396)
• Atlassian Jira server or data center (CVE-2019-11581)
• Oracle 10g 11.1.2.0 (CVE-2012-3152)

Once a target system is compromised, the attackers use multiple web shells (such as ASPXSpy, Caterpillar 2, and Mamad Warning) to carry out their tasks. They also used a modified version of an open-source tool called JSP File Explorer to gain web-based access and manipulate files stored on the remote servers.

[Figure: Modified JSP file browser - all over the world]

Once inside the target network, they deployed the Explosive remote access trojan (RAT), custom malware that the Lebanese Cedar group has used in past attacks.

To date, 254 infected servers have been identified worldwide; 135 of the files identified on victim networks share the same hash value.

IOCs

68.65.122[.]109
74.208.73[.]149
191.101.5[.]183
198.101.242[.]72
169.50.13[.]61

33AF1CD4585DA9ED804068B2A45FC8B4
6BA944E9D3D96A46509204CD06EA2B11
61F46FA93083D3A160AC8356FBC15722
150DC0141B8A0010BB5A82419B3293EB
7D58573B98597A010597423652AE3394
F30F2184ED83929CF96157BC91210DAA
8ED3D1CADC4C2251EC606B9D6EB5D272
2D804386DE4073BAD642DFC816876D08
2ADF71947E977B85E269D5962243215C
93448B89C592985E22F60AB0D654787D
39887492C5C70977C0C0CF0AA0E7154B
a97fdcb6493c2012aeebdeef0e09625a
1316d35f6472eb323ae2c8b75199fbb5
09a0970bfc1bc8acec1ec609d8d98fda
fef76a8027e07c7a51b312a26c488653
902bcc27ed86bc623e20532239895da7
8ac64a171736252b81c4a559df1f9bae
65954b4c60031fb857a09761497ff641
4147d6beb17b507a5df345dae5f15c41
544fdcce998fc7f4bb2914b3ec5b4761
1aebf9d07fe6e82d97e062cdbe656a36
5d1f75bfc7cbd96891f26b1041fd5994
b54346cdaf9556eb88f3d95e0bad2be5
e9f0260409c6c964985fa4df926d7e04
3188df195d09ee38d89707501e330c2f
481f7e67fa6c729a672878af66638adf07e1b6bd
157f778e8e1d8a18a1ee26294268f0cd1d489393
15392d42b3a39dcf17bf251bfd5f9c3dbead374d
bffb7327f4d2e9fbe171ef9e84705b292296f8d3
7abfd9bd84e90b0458a285cdc6f58bffa637f86c
76b1665f2cc4b434ff1dcccf2a069772a431b689
efe4f82bde8f6e2a32a849bf0d6a6a2f84bb7068
898f9a6c3f952afa2e988419549851106b3758a8
fa5f614edb9310771308c1be253997a594923dce
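As an added, defender-side example (not from the original page or the analysis it summarizes), the following Python script shows how the indicator list above would typically be consumed: it refangs the defanged IP addresses, normalizes the mixed-case MD5 and SHA-1 hashes, drops the duplicate entries the list contains, and then scans log and file-inventory lines for matches. Only a subset of the page's indicators is embedded; the web-server log lines, file paths and the benign SHA-1 at the end of the sample are constructed for this example and do not come from the page.

```python
import re
from collections import Counter

# Subset of the indicators listed on the page: defanged IPv4 addresses,
# MD5 and SHA-1 hashes in mixed case, one hash deliberately listed twice
# (as it is on the page) to show the deduplication step.
RAW_IOCS = [
    "68.65.122[.]109",
    "74.208.73[.]149",
    "191.101.5[.]183",
    "33AF1CD4585DA9ED804068B2A45FC8B4",
    "2D804386DE4073BAD642DFC816876D08",
    "2D804386DE4073BAD642DFC816876D08",
    "a97fdcb6493c2012aeebdeef0e09625a",
    "481f7e67fa6c729a672878af66638adf07e1b6bd",
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Longest alternative first; \b keeps a 32-hex prefix of a SHA-1 from matching as MD5.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def refang(value):
    """Turn a defanged indicator such as 1.2.3[.]4 back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def classify(value):
    """Return 'ipv4', 'md5', 'sha1', 'sha256' or 'unknown' for a normalized indicator."""
    v = value.lower()
    if HEX_RE.match(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v), "unknown")
    if IPV4_RE.fullmatch(v):
        return "ipv4"
    return "unknown"


def load_iocs(raw):
    """Normalize, classify and deduplicate indicators.

    Returns (dict of type -> set of values, number of duplicate entries dropped).
    """
    iocs = {"ipv4": set(), "md5": set(), "sha1": set(), "sha256": set()}
    seen = Counter()
    for item in raw:
        v = refang(item).lower()
        kind = classify(v)
        if kind == "unknown":
            continue  # skip anything that is not an IP or a hash we recognise
        seen[v] += 1
        iocs[kind].add(v)
    duplicates = sum(count - 1 for count in seen.values())
    return iocs, duplicates


def scan_lines(lines, iocs):
    """Scan text lines (access logs, file inventories) for known indicators.

    Returns a list of (line_number, ioc_type, value) for every hit.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        for h in HASH_RE.findall(line):
            h = h.lower()
            kind = classify(h)
            if kind in iocs and h in iocs[kind]:
                hits.append((n, kind, h))
    return hits


# Constructed sample input: two web-server access-log lines and three
# file-inventory lines with hashes. Paths and the final benign hash are invented.
SAMPLE_LINES = [
    '68.65.122.109 - - [12/Jan/2020:10:01:22 +0000] "GET /login.action HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jan/2020:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    'C:\\inetpub\\wwwroot\\tmp\\x.aspx md5=2d804386de4073bad642dfc816876d08',
    '/opt/atlassian/confluence/temp/a.jsp sha1=481f7e67fa6c729a672878af66638adf07e1b6bd',
    '/var/www/html/index.html sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709',
]

if __name__ == "__main__":
    table, dups = load_iocs(RAW_IOCS)
    print(f"loaded {sum(len(s) for s in table.values())} indicators, dropped {dups} duplicate(s)")
    for line_no, kind, value in scan_lines(SAMPLE_LINES, table):
        print(f"line {line_no}: {kind} match {value}")
```

Hashes are compared case-insensitively because the page lists both upper- and lower-case values, and the IPs are refanged before matching because real logs never contain the `[.]` notation. On the constructed sample, the scan flags the first access-log line (source IP on the list) and the two inventory lines whose hashes appear on the list, and leaves the benign lines alone.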