Lebanese Cedar

Lebanese Cedar, aka Volatile Cedar, is a Lebanese APT that was linked to the Hezbollah, was first discovered by Check Point researchers and Kaspersky labs in 2015. According to Check Point researchers, the APT has been operating since at least 2012.

In January 2021, ClearSky researchers published a report regarding the latest campaign related to Lebanese Cedar which started in early 2020. According to the researchers, this APT targeted the telecommunication sector and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, UAE as well as in the Palestinian Authority.

In this campaign, Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers. They deployed exploits to gain access to these servers and installed a web shell for future access. In order to attack the internet-facing servers, the hackers used these vulnerabilities:

  • CVE-2019-3396 in Atlassian Confluence
  • CVE-2019-11581in Atlassian Jira
  • CVE-2012-3152 in Oracle Fusion

Once they gained access to these systems, the attackers deployed web shells in order to gain access to their victim's internal networks. On the internal networks, the attackers deployed a more powerful tool named the Explosive remote access trojan (RAT), a tool that specializes in data exfiltration and which they also used in 2015: https://news.softpedia.com/news/Explosive-Malware-Used-by-Cyber-Espionage-Group-Working-from-Lebanon-477220.shtml.

Explosive RAT has both passive collection methods and on-demand capabilities. Once installed, the tool continuously runs a keylogger and a clipboard logger, which transmit the results to the C&C server. In addition, Explosive has a wide array of options that can be activated by a C&C command, including a variety of data theft and machine fingerprinting capabilities, stealth and self-destruction functions, proliferation options, and a remote shell. The creators of Explosive went to great lengths to assure operational stealth to protect against exposure, including memory usage monitoring, process listing, and more.

Suspicious DNS Request - Lebanese Cedar Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
Suspicious Process - Lebanese Cedar Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - Lebanese Cedar Related Domain Observed

Description

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004