Clearsky researchers linked the Lebanese Cedar group (aka Volatile Cedar) to a cyber espionage campaign that targeted companies around the world active since 2012 intruding in to telecoms and ISP providers world wide

The attacks began in early 2020 and threat actors breached internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

Threat actors focus on intelligence gathering and the theft of sensitive data from targeted companies deploying Explosive RAT via JSP files through browsers

The Lebanese Cedar hackers used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, then they used exploits to gain access to the server and deploy a web shell to gain a foothold in the target system.

The attackers made regular use of critical 1-day vulnerabilities based on the vulnerable versions of the services in the compromised servers. The 1-day vulnerabilities exploited by the hackers are:

• Atlassian Confluence Server (CVE-2019-3396)
• Atlassian Jira Server or Data Center (CVE-2019-11581)
• Oracle 10g 11.1.2.0 (CVE-2012-3152)

Once breached the targeted systems, the hackers used multiple web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, to conduct multiple tasks. They also used a modified version of the open-source tool named JSP file browser to get web-based access and manipulate files stored on a remote server.

The experts identified 254 infected servers worldwide, 135 of them shared the same hash as the files we identified in victim’ network during our investigation.