3/31/2015
08:59 AM
Lebanon Believed Behind Newly Uncovered Cyber Espionage Operation

Middle East, US, and other targets hit in nearly three-year-old 'Volatile Cedar' cyber attack campaign.

Add Lebanon to the list of nations seen actively conducting cyber espionage.

Researchers from Check Point Software Technologies today revealed a cyber spying attack campaign that's been underway since 2012, mainly against Israeli and other Middle Eastern targets in Lebanon and Turkey, but also in the US, Canada, Japan, Peru, and the UK and other countries. The attack campaign, which Check Point researchers believe is the handiwork of a nation-state group out of Lebanon, has infected hundreds of victims in the defense, telecommunications, media, and education sectors.  

Shahar Tal, head of malware & vulnerability research at Check Point, says several clues point to Lebanon's involvement, including trends in its targets as well as its command and control infrastructure with ties to Lebanon. Check Point has dubbed the campaign "Volatile Cedar."

"We also saw an OPSEC fail: one of the registered domains for a brief time before it went operational, pointed at a real identity," Tal says. "That led us to a social media account ... and very clearly it was [associated with] Lebanese political activism."

Command and control servers used for its malware also were seen being hosted at a major hosting company in Lebanon, and several of the servers were registered with a Lebanese address, according to Check Point.

Like most cyber spying operations, Volatile Cedar is all about stealing sensitive information for political or intelligence gain. The attackers use custom-written malware code-named Explosive, a data-stealing Trojan that can steal files, log keystrokes and screenshots, as well as run commands.

This is not the first time Lebanon has been tied to cyber spying: FireEye early last month revealed that it had uncovered attacks by pro-Assad hackers against Syrian opposition figures and their plans, which yielded the attackers a treasure trove of sensitive information and details on opposition forces. The researchers cited a definite Lebanese connection in the attacks, and a user in Lebanon was spotted uploading test versions of the malware launcher used in the attacks. In addition, the catfishing technique used by the attackers on social media to lure their targets included references to Lebanon by the phony female avatars who duped the victims.

Tal says Volatile Cedar is unrelated to the operation exposed by FireEye, and is yet another example of how most major governments now employ cyber spying operations. "It's not surprising that most governments or political groups are working on developing their capabilities in the cyber realm," he says.

The Lebanese cyber espionage team does not, however, deploy the standard spearphish as its initial attack vector like many other nation-state attacks do. The attackers instead hack into the public websites of their victims--in many cases, manually--and then pivot from there. "Then they hack their way through the internal network," Tal says. "They also use an auto-USB mechanism, where a USB device is inserted and every executable on it is getting the Explosive attachment in hopes of moving laterally."

The attackers first scan for vulnerabilities in the target's Web server. Once they detect a flaw, they exploit it to inject web shell code to wrest control of the server and install the Explosive malware. The Trojan dates back to November 2012, with its newest variant released in June of last year and still in use.
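The scan-then-web-shell sequence described above leaves a recognizable trace in web server access logs: a burst of probes that mostly return 404, followed by repeated POSTs from the same client to a script path nobody else has ever requested. The following detection logic is an added example written for this article, not Check Point's code or any Volatile Cedar artifact; the log lines, client addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format), not from the article.
# 203.0.113.7 first probes many paths (404s), then POSTs repeatedly to a
# previously unseen script: the scan -> web shell sequence described above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:09:01:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:09:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:09:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:09:01:03 +0000] "GET /upload.aspx HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:09:02:10 +0000] "POST /images/cache.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:09:02:15 +0000] "POST /images/cache.aspx HTTP/1.1" 200 988 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2014:09:02:20 +0000] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2014:09:02:21 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client, method, path and status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (client, method, path, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_scan_then_shell(log_text, scan_threshold=3):
    """Return {client: path} for clients that produced >= scan_threshold distinct
    404 paths and then POSTed to a path no other client has ever requested.
    Lines are processed in log order, so the POST always follows the scan."""
    not_found = defaultdict(set)    # client -> distinct paths that returned 404
    seen_paths = defaultdict(set)   # path -> clients that have requested it
    flagged = {}
    for client, method, path, status in parse(log_text):
        if status == 404:
            not_found[client].add(path)
        scanned = len(not_found[client]) >= scan_threshold
        # A POST to a path known only to the scanning client is the web shell signal.
        if method == "POST" and scanned and seen_paths[path] <= {client}:
            flagged.setdefault(client, path)
        seen_paths[path].add(client)
    return flagged

if __name__ == "__main__":
    for client, path in find_scan_then_shell(SAMPLE_LOG).items():
        print(f"{client}: scan followed by POSTs to unseen path {path}")
```

On real logs the threshold should be tuned to the site's normal 404 rate, and any hit should be confirmed by inspecting the flagged file on disk.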

The Explosive malware isn't exactly NSA-quality, Tal says, but it has been effective in staying mostly under the radar for three years. "They're not replacing hard drive firmware, but they're definitely not script-kiddie level. They have stealth and monitoring" capabilities, he says.

For instance, Volatile Cedar monitors whether its malware has been spotted by antivirus software, and if so, comes up with a new variant. The attackers also regularly check to see if the command and control infrastructure is under surveillance, and if so, go temporarily silent.

"We're seeing persistence and a lot of discipline with them. They do proactive monitoring of their infrastructure," he says. Plus they have a "kill switch" option that they use when they detect that they've been detected, he says.

"We were very passive in trying not to alert them of our investigation. But we've seen them respond very quickly to our actions, turning on the kill switch on every piece of Explosive malware trying to talk home to the C&C--sending self-destruct commands," he says.

Tal notes that there may well be more to the attacks beyond what Check Point can watch via its sinkhole. "I wouldn't be surprised if there's something we haven't seen yet. We still have, for example, unexplained cases of how they got into a server."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Marilyn Cohodas,
User Rank: Strategist
3/31/2015 | 4:57:10 PM
Re: Build to just beyond the sophistication of your target
Given what's going on in the Middle East, I suspect we will be seeing a lot more of this going forward...
Kelly Jackson Higgins,
User Rank: Strategist
3/31/2015 | 2:14:41 PM
Re: Build to just beyond the sophistication of your target
Thanks for sharing your thoughts, Christopher. I am sure this only scratches the surface of all of the other as-yet unpublicized or undiscovered nation-state activity out there. It's always interesting to see a new attack group emerge, and to learn about their techniques and approach. 
BurgessCT,
User Rank: Apprentice
3/31/2015 | 2:07:40 PM
Build to just beyond the sophistication of your target
Great piece Kelly. Reading the analysis and target selection provided by Check Point, it harkened back to an observation seen in the past, which is that the entity doing the "attacking" only needs to be better than their target, not necessarily better than the best. It appears that the creators are continuing to evolve in step with their targets.

All the best,

Christopher
RyanSepe,
User Rank: Ninja
3/31/2015 | 12:47:32 PM
Re: Polymorphic?
@Kelly Jackson Higgins. Ah ok, thank you for clearing that up...I feel that their time would be better spent trying to code variants into the malware. Otherwise, malware from the same source location may raise a red flag and the organization may be more vigilant in restrictions for those attack specifics.
Kelly Jackson Higgins,
User Rank: Strategist
3/31/2015 | 12:00:37 PM
Re: Polymorphic?
Good question, @Ryan. It's not self-modifying: The attackers customize Explosive as needed to avoid detection, and for specific targets. 
RyanSepe,
User Rank: Ninja
3/31/2015 | 10:43:27 AM
Polymorphic?
Does that make Volatile Cedar polymorphic? By this I mean will it change to a different variant based on previous coding or does the team invoking the malware need to make changes on the back-end?