The aim of cybercriminals was to collect information and databases containing sensitive information.
The cybercriminal group Lebanese Cedar, affiliated with the Lebanese paramilitary organization Hezbollah, has hacked a number of telecom operators and Internet service providers in the United States, the United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the United Arab Emirates and the Palestinian National Authority. The malicious operation, discovered by specialists at the information security company Clearsky, started in early 2020 and lasted almost a year.
According to a new Clearsky report, at least 250 web servers hacked by Lebanese Cedar have been found. In the case of telecommunications companies, it can be assumed that the attackers could also have gained access to call records and the personal data of subscribers.
The attack follows a simple scheme. Using open source hacking tools, Lebanese Cedar scanned the Internet for unpatched Atlassian and Oracle servers. Then, using exploits for known vulnerabilities, the group gained access to those servers and installed web shells, which served as a foothold into the internal systems of the attacked companies.
To hack the servers, the attackers exploited the following vulnerabilities:
CVE-2019-3396 in Atlassian Confluence;
CVE-2019-11581 in Atlassian Jira;
CVE-2012-3152 in Oracle Fusion.
After gaining access to these systems, the attackers deployed web shells such as ASPXSpy, Caterpillar 2 and Mamad Warning, as well as an open source tool called JSP file browser (which can also act as a web shell).
On the internal networks, the hackers installed a more powerful data-stealing tool called the Explosive Remote Access Trojan (RAT), which is used exclusively in Lebanese Cedar attacks.
According to the researchers, the attackers made the mistake of reusing files between intrusions, which allowed experts to track attacks around the world and link them to the Lebanese Cedar group.
Experts have identified 254 infected servers around the world, and 135 of them host files with the same hash as the files identified on a victim's network during the investigation of one of the incidents. The telecommunications companies Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia and Frontier Communications in the United States were among the victims.
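Matching file hashes across hosts is how the researchers tied the compromised servers to one another. The following is an added example, not code from the Clearsky report or from any tool it names, showing the defender-side version of that check: hash every server-side script under a web root, flag files whose hash matches an indicator set, and flag scripts that are absent from a known-good baseline. The indicator hash and the web-root contents are constructed stand-ins, not real Lebanese Cedar indicators.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".jsp", ".jspx", ".aspx", ".ashx"}  # script types web shells use
# Constructed stand-in for a web shell body (not a real indicator); its hash plays
# the role of the file hash the researchers saw reused across 135 servers.
SHELL_STANDIN = b'<%@ page import="java.io.*" %> constructed-webshell-standin'
KNOWN_BAD_SHA256 = {hashlib.sha256(SHELL_STANDIN).hexdigest()}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(webroot: Path) -> dict:
    """Map each server-side script under webroot (relative path) to its SHA-256."""
    return {p.relative_to(webroot).as_posix(): sha256_file(p)
            for p in webroot.rglob("*")
            if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES}


def triage(current: dict, baseline: dict, known_bad: set) -> dict:
    """known_bad: scripts whose hash matches one shared with another intrusion;
    new_unknown: scripts absent from the last known-good inventory."""
    return {
        "known_bad": sorted(p for p, h in current.items() if h in known_bad),
        "new_unknown": sorted(p for p, h in current.items()
                              if p not in baseline and h not in known_bad),
    }


def demo() -> dict:
    """Build a constructed Confluence-style webroot in a temp dir and triage it."""
    legit = b"<html>legitimate page</html>"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ROOT").mkdir()
        (root / "ROOT" / "index.jsp").write_bytes(legit)
        (root / "ROOT" / "cmd.jsp").write_bytes(SHELL_STANDIN)      # reused shell
        (root / "ROOT" / "upload.jspx").write_bytes(b"new script")  # not in baseline
        (root / "ROOT" / "logo.png").write_bytes(b"not a script")   # ignored
        baseline = {"ROOT/index.jsp": hashlib.sha256(legit).hexdigest()}
        return triage(inventory(root), baseline, KNOWN_BAD_SHA256)
```

Run `demo()` to see both findings; in practice the baseline comes from a file inventory taken before the exposure window and the indicator set from the incident being investigated.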