Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing

        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing

        • Boost your networkā€™s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing

        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing

        • Strengthen your mobile ecosystemā€™s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training

        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing

        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review

        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention

        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise

        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle

        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

I'VE BEEN BREACHED

Hezbollah Hackers Attack Unpatched Atlassian Servers At Telcos, ISPs

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Hezbollah Hackers Attack Unpatched Atlassian Servers At Telcos, ISPs

Volatile Cedar, an advanced hacker group believed to be connected to the LebaneseĀ Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations.

The threat actor likely accessed more than 250 Oracle and Atlassian servers belonging mainly to organizations providing mobile communications and internet-based services.

Also known as Lebanese Cedar, the actor has been active since at least 2012 but fell of the researchersā€™ radar in 2015. Their operations resurfaced in early 2020 with what security researchers call the BeardStache global campaign, which may have compromised hundreds of companies.

Recon and exploitation

In aĀ reportĀ today, cybersecurity company ClearSky says that Lebanese Cedar seems to focus on collecting intelligence and stealing company databases with sensitive information – such as client call records and private data in the case of telecommunications companies.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

According to the researchers, the threat actor makes reconnaissance efforts to select their victims and relies on public tools to find them. They useĀ URI Brute Force tools (GoBuster and DirBuster) to look for open directories that could allow a web shell injection.

Lebanese Cedar looks for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware servers. The vulnerabilities exploited areĀ CVE-2019-3396, CVE-2019-11581, andĀ CVE-2012-3152.

The geography of the latest batch of victims varies from the Middle East to America and Europe, comprising the United States, the United Kingdom, Egypt, Saudi Arabia, Jordan, United Arab Emirates, and the Palestinian National Authority.

Keeping a low profile

ClearSky says that the group may have been active over the past five years but its operations remained unnoticed due to adopting new tactics, techniques, and procedures.

According to the security firm, Lebanese Cedar was able to keep a low profile by:

  • using common web shell utilities as the main hacking tool and rarely relying on other tools, which hindered attribution
  • shifting the initial point of access from computers to a victimā€™s network, and later to vulnerable servers exposed to the public internet
  • keeping operations so far apart that researchers monitoring them switched their focus to other, more recent threats

The researchers started to investigate after finding suspicious network activities and hacking tools on the systems of multiple companies. A closer look revealed a new version of the Explosive RAT – aĀ remote access tool linked to Volatile CedarĀ – and the the ā€œCaterpillarā€ web shell.

Also Read: Letter of Consent MOM: Getting the Details Right

ā€œā€™Caterpillar WebShellā€™ was found in most of the victims we investigated, in many of the systems we also found traces of ā€œExplosiveā€ RAT. We identified the specific open-sourceĀ JSP file browserĀ that was modified for the hackersā€™ purposes. We found that Lebanese Cedar deployed the payload of Explosive RAT into the victimsā€™ network. Lebanese Cedar is the only known threat actor that uses this codeā€ –Ā ClearSky

During incident response engagements, the company found two JSP files on victimsā€™ servers, added on various dates between January 2019 and August 2020. The files had been installed at the same time on multiple ports that redirect to an Oracle server.

ClearSky warns that the Oracle servers accessed by Lebanese Cedar are still open and are easy targets for other hackers looking to attack the networks of multiple telecom providers or gain access to the files available.

The researchers sayĀ that Lebanese Cedar combines open-source tools with custom ones, their current toolset including a full blown web shell, a custom RAT, and ā€œcarefully selected complementary tools, including URI brute force tools.ā€

ClearSkyĀ describes Lebanese Cedar as an actor that has the capability to develop their tools and orchestrateĀ “sophisticated, well-designed attacks” without drawing attention to their operations. The clever selection of tools, tactics, and attack vectors allows them to pass unnoticed.

The company’sĀ reportĀ provides complete technical details about the attacks investigated and indicators of compromise that include some of the original servers used by the hackers.

0 Comments

Let us help you out.

Grab your free consultation NOW!

Privacy Ninja

Data Protectionā€‹

Cybersecurity

Support

Company

Locations

Singapore

7 Temasek Boulevard
#12-07, Suntec Tower One
Singapore 038987

Thailand

The Royal Place 1
2, 2/399 Mahatlek Luang 1 Alley, Lumphini, Pathum Wan, Bangkok 10330, Thailand



email-icon
Facebook Twitter Linkedin Youtube

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
TALK TO US
×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

× Chat with us