
Attacks/Breaches

3/31/2015 08:59 AM

Lebanon Believed Behind Newly Uncovered Cyber Espionage Operation

Middle East, US, and other targets hit in nearly three-year-old 'Volatile Cedar' cyber attack campaign.

Add Lebanon to the list of nations seen actively conducting cyber espionage.

Researchers from Check Point Software Technologies today revealed a cyber spying campaign that has been underway since 2012, aimed mainly at Israeli and other Middle Eastern targets in Lebanon and Turkey, but also at targets in the US, Canada, Japan, Peru, the UK, and other countries. The campaign, which Check Point researchers believe is the work of a nation-state group operating out of Lebanon, has infected hundreds of victims in the defense, telecommunications, media, and education sectors.

Shahar Tal, head of malware & vulnerability research at Check Point, says several clues point to Lebanon's involvement, including trends in the campaign's targets as well as command and control infrastructure with ties to Lebanon. Check Point has dubbed the campaign "Volatile Cedar."

"We also saw an OPSEC fail: one of the registered domains for a brief time before it went operational, pointed at a real identity," Tal says. "That led us to a social media account ... and very clearly it was [associated with] Lebanese political activism."

Command and control servers used for its malware also were seen being hosted at a major hosting company in Lebanon, and several of the servers were registered with a Lebanese address, according to Check Point.

Like most cyber spying operations, Volatile Cedar is all about stealing sensitive information for political or intelligence gain. The attackers use custom-written malware code-named Explosive, a data-stealing Trojan that can exfiltrate files, log keystrokes, capture screenshots, and run commands.

This is not the first time Lebanon has been tied to cyber spying. Early last month, FireEye revealed that it had uncovered attacks by pro-Assad government hackers against Syrian opposition plans and players, attacks that netted the attackers a treasure trove of sensitive information and details on opposition forces. The researchers cited a definite Lebanese connection in the attacks, and a user in Lebanon was spotted uploading test versions of the malware launcher used in the attacks. In addition, the catfishing technique the attackers used on social media to lure their targets included references to Lebanon by the phony female avatars who duped the victims.

Tal says Volatile Cedar is unrelated to the operation exposed by FireEye, and is yet another example of how most major governments now employ cyber spying operations. "It's not surprising that most governments or political groups are working on developing their capabilities in the cyber realm," he says.

The Lebanese cyber espionage team does not, however, deploy the standard spearphish as its initial attack vector like many other nation-state attacks do. The attackers instead hack into the public websites of their victims--in many cases, manually--and then pivot from there. "Then they hack their way through the internal network," Tal says. "They also use an auto-USB mechanism, where a USB device is inserted and every executable on it is getting the Explosive attachment in hopes of moving laterally."

The attackers first scan for vulnerabilities in the target's Web server. Once they detect a flaw, they exploit it to inject web shell code to wrest control of the server and install the Explosive malware. The Trojan dates back to November 2012, with its newest variant released in June of last year and still in use.
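The auto-USB mechanism Tal describes, in which every executable on an inserted device picks up the Explosive payload, leaves a signal a defender can baseline against: executables on the drive whose hashes change (and typically grow) all at once. The following check is an added example, not code from the article or from Check Point's research; it assumes Windows-style executable extensions and uses a constructed temporary directory in place of a real USB volume.

```python
import hashlib
import os
import tempfile

# Assumption: the executables worth baselining are Windows PE-style files.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record hash and size of every executable under root (the trusted baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                manifest[rel] = {"sha256": _sha256(full), "size": os.path.getsize(full)}
    return manifest


def find_tampered_executables(root, manifest):
    """Compare the drive against its baseline; return {relpath: reason} for every anomaly."""
    current = build_manifest(root)
    findings = {}
    for rel, entry in current.items():
        base = manifest.get(rel)
        if base is None:
            findings[rel] = "new executable not in baseline"
        elif entry["sha256"] != base["sha256"]:
            delta = entry["size"] - base["size"]
            findings[rel] = f"hash changed, size delta {delta:+d} bytes"
    for rel in manifest:
        if rel not in current:
            findings[rel] = "executable missing from drive"
    return findings


def demo():
    """Constructed scenario: baseline a fake drive, then mimic a payload being appended to every executable."""
    root = tempfile.mkdtemp()
    for name in ("setup.exe", "tool.exe", "readme.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"original content of " + name.encode())
    baseline = build_manifest(root)
    for name in ("setup.exe", "tool.exe"):  # simulated infection: 64 filler bytes appended to each executable
        with open(os.path.join(root, name), "ab") as f:
            f.write(b"\x00" * 64)
    return find_tampered_executables(root, baseline)
```

Several executables changing in the same pass, with the same size delta, is the pattern worth alerting on; a single changed binary is more often a legitimate update.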

The Explosive malware isn't exactly NSA-quality, Tal says, but it has been effective in staying mostly under the radar for three years. "They're not replacing hard drive firmware, but they're definitely not script-kiddie level. They have stealth and monitoring" capabilities, he says.

For instance, Volatile Cedar monitors whether its malware has been spotted by antivirus software, and if so, comes up with a new variant. The attackers also regularly check to see whether their command and control infrastructure is under surveillance, and if so, go temporarily silent.

"We're seeing persistence and a lot of discipline with them. They do proactive monitoring of their infrastructure," he says. Plus they have a "kill switch" option that they use when they detect that they've been detected, he says.

"We were very passive in trying not to alert them of our investigation. But we've seen them respond very quickly to our actions, turning on the kill switch on every piece of Explosive malware trying to talk home to the C&C--sending self-destruct commands," he says.

Tal notes that there may well be more to the attacks beyond what Check Point can watch via its sinkhole. "I wouldn't be surprised if there's something we haven't seen yet. We still have, for example, unexplained cases of how they got into a server."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas, User Rank: Strategist, 3/31/2015 | 4:57:10 PM
Re: Build to just beyond the sophistication of your target
Given what's going on in the Middle East, I suspect we will be seeing a lot more of this going forward...
Kelly Jackson Higgins, User Rank: Strategist, 3/31/2015 | 2:14:41 PM
Re: Build to just beyond the sophistication of your target
Thanks for sharing your thoughts, Christopher. I am sure this only scratches the surface of all of the other as-yet unpublicized or undiscovered nation-state activity out there. It's always interesting to see a new attack group emerge, and to learn about their techniques and approach.
BurgessCT, User Rank: Apprentice, 3/31/2015 | 2:07:40 PM
Build to just beyond the sophistication of your target
Great piece Kelly. Reading the analysis and target selection provided by Check Point, it harkened back to an observation seen in the past, which is that the entity doing the "attacking" only needs to be better than their target, not necessarily better than the best. It appears that the creators are continuing to evolve in step with their targets.

All the best,

Christopher
RyanSepe, User Rank: Ninja, 3/31/2015 | 12:47:32 PM
Re: Polymorphic?
@Kelly Jackson Higgins. Ah ok, thank you for clearing that up... I feel that their time would be better spent trying to code variants into the malware. Otherwise, malware from the same source location may raise a red flag and the organization may be more vigilant in restrictions for those attack specifics.
Kelly Jackson Higgins, User Rank: Strategist, 3/31/2015 | 12:00:37 PM
Re: Polymorphic?
Good question, @Ryan. It's not self-modifying: The attackers customize Explosive as needed to avoid detection, and for specific targets.
RyanSepe, User Rank: Ninja, 3/31/2015 | 10:43:27 AM
Polymorphic?
Does that make Volatile Cedar polymorphic? By this I mean, will it change to a different variant based on previous coding, or does the team invoking the malware need to make changes on the back-end?