News Hezbollah cyber unit attacked telecom operators around the world

Otto

The attackers' aim was to collect information and databases containing sensitive data.

The Lebanese Cedar cyber-espionage group, linked to the Lebanese militant organization Hezbollah, compromised a number of telecom operators and Internet service providers in the United States, Great Britain, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the United Arab Emirates and the Palestinian National Authority. The operation, uncovered by researchers at the security firm ClearSky, began in early 2020 and lasted almost a year.

According to ClearSky's new report, the researchers found at least 250 web servers compromised by Lebanese Cedar. In the case of the telecommunications companies, it is reasonable to assume that the attackers could also have reached call records and the personal data of subscribers.

The attacks follow a simple pattern. Using open-source tools, Lebanese Cedar scans the Internet for unpatched Atlassian and Oracle servers, exploits known vulnerabilities to gain access to them, and installs web shells that serve as a foothold into the internal networks of the targeted companies.

The servers were compromised through the following vulnerabilities, all of which had vendor patches available long before the campaign started in 2020:

CVE-2019-3396 in Atlassian Confluence Server (server-side template injection in the Widget Connector);

CVE-2019-11581 in Atlassian Jira Server and Data Center (server-side template injection);

CVE-2012-3152 in Oracle Fusion Middleware (Oracle Reports).

After gaining access to these systems, the attackers deployed web shells such as ASPXSpy, Caterpillar 2.0, Mamad Warning, and the open-source JSP File Browser (which can also serve as a web shell).

Inside the internal networks, the group installed its more capable data-theft tool, the Explosive remote access trojan (RAT), which is used exclusively in Lebanese Cedar attacks.

According to the researchers, the attackers made a mistake: they reused the same files across intrusions, which allowed the experts to track the attacks around the world and attribute them to the Lebanese Cedar group.

The experts identified 254 compromised servers worldwide, 135 of which hosted files with the same hash as those found on a victim's network during the investigation of one of the incidents. Among the victims were the telecommunications companies Vodafone Egypt, Etisalat (UAE), SaudiNet (Saudi Arabia) and Frontier Communications (United States).
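The file-reuse mistake described above is also the cheapest way for a defender to hunt for this kind of intrusion: hash every server-side script under each web root, seed a known-bad set from the file recovered on the first confirmed victim, and correlate hashes across hosts, since an identical script sitting on unrelated Confluence and Jira servers is far more likely to have been dropped by an attacker than shipped by the vendor. The following Python is an added example written for this page, not code from ClearSky or from the article; the two "hosts", their directory layout, and the placeholder file contents are constructed demo data, and the placeholder is not real web shell source nor is its hash a real indicator.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script types worth hashing on a web server; a dropped web shell is one of these.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".ashx", ".php"}

# Constructed file contents for the demo. The "dropped" file is a harmless placeholder
# standing in for a reused web shell; it is not real web shell source and its hash is not an IOC.
DROPPED_JSP = b"<%-- constructed placeholder standing in for a file reused across intrusions --%>\n"
LEGIT_CONFLUENCE_JSP = b'<%@ page contentType="text/html" %><html>confluence help page</html>\n'
LEGIT_JIRA_JSP = b'<%@ page contentType="text/html" %><html>jira login page</html>\n'


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large JSP/WAR trees do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_webroot(webroot, known_bad):
    """Hash every server-side script under webroot.

    Returns a list of (relative_path, sha256, verdict) where verdict is
    'known_bad' for a hash already tied to an intrusion and 'review' otherwise.
    """
    webroot = Path(webroot)
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        digest = sha256_file(path)
        verdict = "known_bad" if digest in known_bad else "review"
        findings.append((path.relative_to(webroot).as_posix(), digest, verdict))
    return findings


def reused_across_hosts(findings_by_host):
    """Map each hash seen on more than one host to the sorted list of those hosts.

    This is the cross-server reuse signal: the same script on unrelated servers
    is the kind of artifact that let the researchers link intrusions together.
    """
    hosts_by_hash = {}
    for host, findings in findings_by_host.items():
        for _rel, digest, _verdict in findings:
            hosts_by_hash.setdefault(digest, set()).add(host)
    return {d: sorted(h) for d, h in hosts_by_hash.items() if len(h) > 1}


def build_sample_hosts(base):
    """Lay out two constructed web roots that share one identical dropped file (demo data only)."""
    layout = {
        "confluence-01": {
            "confluence/help.jsp": LEGIT_CONFLUENCE_JSP,
            "confluence/images/x.jsp": DROPPED_JSP,
        },
        "jira-02": {
            "jira/secure/login.jsp": LEGIT_JIRA_JSP,
            "jira/static/x.jsp": DROPPED_JSP,
            "jira/static/logo.png": b"\x89PNG not a script",
        },
    }
    roots = {}
    for host, files in layout.items():
        root = Path(base) / host
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        roots[host] = root
    return roots


def run_demo():
    """Seed the known-bad set from the first victim, sweep every host, then correlate."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_hosts(tmp)
        first_victim_file = roots["confluence-01"] / "confluence/images/x.jsp"
        known_bad = {sha256_file(first_victim_file)}
        findings = {host: hunt_webroot(root, known_bad) for host, root in roots.items()}
        return findings, reused_across_hosts(findings)


if __name__ == "__main__":
    findings, reused = run_demo()
    for host, items in findings.items():
        for rel, digest, verdict in items:
            print(f"{host}: {rel} {digest[:16]}... {verdict}")
    for digest, hosts in reused.items():
        print(f"reused {digest[:16]}... on {', '.join(hosts)}")
```

In a real sweep the web roots would be the Confluence, Jira and Oracle installation directories on each server (or a forensic copy of them), and the known-bad set would come from the incident where the first web shell was recovered; everything that falls into "review" still needs a human to compare it against a clean install of the same product version, because hashing only catches files the attacker reused unchanged.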