Hezbollah Hackers Targeted Web Servers Using Unpatched Servers

The hacker group Lebanese Cedar attacked unpatched Atlassian servers at telecoms, hosting companies and ISPs.

Lebanese Cedar

The volatile hacker group “Lebanese Cedar”, linked to the Lebanese Hezbollah Cyber Unit, has more advanced technical skill than previously thought.

Over the past decade, companies in the US, UK, Egypt, Jordan, Lebanon and Israel have been targeted by this group.

Image source: ClearSky

Israeli cybersecurity firm ClearSky, in a report published on Thursday, found that at least 250 web servers had been hacked by the group.

Lebanese Cedar focuses on collecting intelligence and stealing company databases that contain sensitive information.

This information includes:

  • client call records
  • private data, in the case of telecommunications companies.

Attack Workflow:

ClearSky researchers said the attacks followed a simple pattern.

According to the researchers, the threat actors used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers.

The hackers then exploited those servers to gain access and installed a web shell for future access.

The web shells included:

  • ASPXSpy
  • Caterpillar 2
  • Mamad Warning
  • JSP file browser, an open-source tool that can also function as a web shell.

Image source: ClearSky

After that, Lebanese Cedar deployed the Explosive RAT payload into the victims’ networks.

According to ClearSky, Lebanese Cedar is the only known threat actor that uses this code, which comes with capabilities to record keystrokes, capture screenshots, and execute arbitrary commands.

ClearSky said the hackers exploited three vulnerabilities in the servers:

  • CVE-2019-3396 in Atlassian Confluence
  • CVE-2019-11581 in Atlassian Jira
  • CVE-2012-3152 in Oracle Fusion
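The scan, exploit, web-shell pattern described above leaves a recognisable trace in web server access logs: a client that first probes the server and then repeatedly POSTs to a script file (.aspx or .jsp, matching the ASPX and JSP shells listed) that no other client ever requests. The following detection routine is an added example, not code from the article or from ClearSky; the log lines are constructed, and the shell file name is a placeholder chosen to resemble an error page.

```python
import re
from collections import defaultdict

# Constructed combined-format access-log sample (not from the article).
# 203.0.113.7 probes two paths, then POSTs repeatedly to a dropped .aspx file;
# 198.51.100.4 and 198.51.100.9 are ordinary users of the real login page.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2021:10:01:02 +0000] "GET /confluence/ HTTP/1.1" 404 162
203.0.113.7 - - [28/Jan/2021:10:01:03 +0000] "GET /jira/ HTTP/1.1" 404 162
203.0.113.7 - - [28/Jan/2021:10:02:30 +0000] "GET /uploads/404.aspx HTTP/1.1" 200 4096
203.0.113.7 - - [28/Jan/2021:10:02:41 +0000] "POST /uploads/404.aspx HTTP/1.1" 200 8192
203.0.113.7 - - [28/Jan/2021:10:03:11 +0000] "POST /uploads/404.aspx?cmd=1 HTTP/1.1" 200 8192
198.51.100.4 - - [28/Jan/2021:10:05:00 +0000] "GET /login.aspx HTTP/1.1" 200 2048
198.51.100.4 - - [28/Jan/2021:10:05:04 +0000] "POST /login.aspx HTTP/1.1" 302 0
198.51.100.9 - - [28/Jan/2021:10:06:10 +0000] "POST /login.aspx HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
SHELL_EXT = ('.aspx', '.asp', '.jsp', '.jspx', '.php')

def parse(lines):
    """Yield one dict per parseable access-log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_webshell_candidates(log_text, min_posts=2):
    """Flag script paths that only one client ever touched and that client POSTed to."""
    clients_by_path = defaultdict(set)   # path -> set of client IPs
    posts_by_path = defaultdict(int)     # script path -> number of POSTs
    not_found_by_ip = defaultdict(int)   # client IP -> number of 404s (probe signal)
    for r in parse(log_text.splitlines()):
        path = r['path'].split('?', 1)[0]      # ignore query string
        clients_by_path[path].add(r['ip'])
        if r['status'] == '404':
            not_found_by_ip[r['ip']] += 1
        if r['method'] == 'POST' and path.lower().endswith(SHELL_EXT):
            posts_by_path[path] += 1
    findings = []
    for path, n in posts_by_path.items():
        ips = clients_by_path[path]
        if n >= min_posts and len(ips) == 1:   # single-client script = likely dropped shell
            ip = next(iter(ips))
            findings.append({'path': path, 'ip': ip, 'posts': n,
                             'prior_404s': not_found_by_ip[ip]})
    return findings

if __name__ == '__main__':
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(f)   # prints the single /uploads/404.aspx finding from 203.0.113.7
```

The legitimate login page is not flagged because several clients use it; a real deployment would run the same logic over a full day of logs and cross-check flagged paths against the web root's file creation times.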

Indicators Of Compromise:

ClearSky’s Lebanese Cedar report (PDF) contains indicators of compromise and further technical details.

Published 2021-01-29T21:16:43+05:30 (January 29th, 2021) | Targeted Attacks

About the Author:

FirstHackersNews- Identifies Security

One Comment

  1. Parbriz Peugeot Boxer Chassis Zct, March 3, 2021 at 3:50 pm

    Great article. Keep posting such kind of information on your site.

    I’m really impressed by your site.
    Hello there, You’ve performed an incredible job. I’ll definitely
    digg it and in my view suggest to my friends. I am sure they will be benefited from this web site.
