Rewterz Threat Alert – Lebanese Cedar APT Targeting Organizations in Middle East and Beyond

Severity

High

Analysis Summary

Lebanese Cedar APT group is launching cyber-attacks in the Middle East and beyond. This cyberespionage campaign mainly targets telecommunication companies and ISPs. The Lebanese operation started in 2020, and spread beyond organizations in the Middle East to include targets in the U.S. and Europe. Targets of the cyberespionage campaign include several telecommunications firms, including Vodafone Egypt; ISPs, including Middle East Internet Company Ltd. of Saudi Arabia; as well as the Oklahoma Office of Management and Enterprise Services, which serves state agencies. The APT group apparently infected about 250 vulnerable web servers with malware, including a remote access Trojan, to steal data. It is suspected that the hacking group has ties to the Middle Eastern political and military group.

Unlike previous campaigns, the hackers have now shifted their focus to take advantage of vulnerable public-facing web servers, including those made by Atlassian and Oracle, as part of the initial attack. The vulnerabilities for which the hackers scan include CVE-2019-3396 in Atlassian Confluence server, CVE-2019-11581 in Atlassian Jira server and CVE-2012-3152 in Oracle’s Fusion server. Once the hackers compromise a vulnerable web server, they deploy malicious tools throughout the network, including several types of web shells, such as Caterpillar V2, which enables the attackers to move laterally and deploy additional tools for exfiltrating data. A hacking tool called JSP file browser gives the hackers the ability to deploy remote web-based file access and helps plant the custom designed “Explosive” RAT malware within infected networks. It has self-destruct capabilities as well as machine fingerprinting and memory monitoring functions. The RAT also communicates with command-and-control severs. A specific open-source JSP file browser was modified for the hackers’ purposes and payload of Explosive RAT was deployed into the victims’ network. Lebanese Cedar is the only known threat actor that uses this code.

Impact

• Unauthorized Remote Access
• Information Theft
• Network Compromise

Indicators of Compromise

MD5

• 09a0970bfc1bc8acec1ec609d8d98fda
• 1316d35f6472eb323ae2c8b75199fbb5
• 3188df195d09ee38d89707501e330c2f
• 39887492c5c70977c0c0cf0aa0e7154b
• 7d58573b98597a010597423652ae3394
• 8ac64a171736252b81c4a559df1f9bae
• 902bcc27ed86bc623e20532239895da7
• 93448b89c592985e22f60ab0d654787d
• a97fdcb6493c2012aeebdeef0e09625a

SHA-256

• c529f683821bc13bebed45bb1dd86eac922086a0b543ea44cf6f63b315f5fe75
• 6b7cd8e50b17d0b497ec963f50aaf29ae60ce7ff9f2835a501921ad7bd89cf9c
• 9f875c6f847408248532490628cdfb11b027ea3bde2bb6233155cfb57a71720a
• 535c3aa244bb87e69a2f4167dd36c5ddb3951ba0896feb304c1276f103f3ee83
• dd6304040daef89a4648e35def979299881ddd9854747c7d29a65407bc8c3e41
• ff317d2132d71f8fd4f8e60832c229abd1707e81dfee031df7a0d0230883c653
• fe13534b5f4d29e7f2edc32aa800312a40b8c453125d7db37e14576d97a10bda
• 166e9b4db43647e35a5e93cad793e1ba6d695425101e07a3619c90b6d364f601
• 3eb46082066fc50d925f817cbc10c08bebeea373e3bb2d842816ba311acc7e50

SHA1

• efe4f82bde8f6e2a32a849bf0d6a6a2f84bb7068
• 76b1665f2cc4b434ff1dcccf2a069772a431b689
• 481f7e67fa6c729a672878af66638adf07e1b6bd
• bffb7327f4d2e9fbe171ef9e84705b292296f8d3
• 157f778e8e1d8a18a1ee26294268f0cd1d489393
• fa5f614edb9310771308c1be253997a594923dce
• 898f9a6c3f952afa2e988419549851106b3758a8
• 15392d42b3a39dcf17bf251bfd5f9c3dbead374d
• 7abfd9bd84e90b0458a285cdc6f58bffa637f86c

Source IP

• 169[.]50[.]13[.]61

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems, software and servers patched against all known vulnerabilities.