A persistent cyber threat actor, linked to Hezbollah, has updated its toolkit with a new version of a remote access Trojan (RAT) aimed at infiltrating organizations worldwide to exfiltrate sensitive information. This finding comes from a recent report by the ClearSky research team, published on Thursday, which outlines how the group has compromised at least 250 public-facing web servers since early 2020.
The compromised entities include businesses situated in the U.S., U.K., Egypt, Jordan, Lebanon, Saudi Arabia, Israel, and the Palestinian Authority. A significant number of these targets are telecom operators, internet service providers, and hosting companies, including well-known names like Etisalat, Mobily, and Vodafone Egypt, further emphasizing the group’s focus on high-value sectors.
First identified in 2015, the group known as Volatile Cedar (or Lebanese Cedar) has gained notoriety for its sophisticated attack methods, deploying various techniques to breach a wide array of targets. Their malware implant, dubbed “Explosive,” has been integral to these operations, utilizing a range of tactics that include cyber espionage against military suppliers, universities, and media outlets.
Recent attacks align with previous tactics attributed to Hezbollah, featuring notable code overlaps between the Explosive RAT versions from 2015 and 2020. ClearSky researchers highlight that the current operations leverage known vulnerabilities targeting unpatched Oracle and Atlassian web servers, specifically exploiting three flaws (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) to obtain initial access.
Once they had a foothold on a server, the attackers deployed a web shell and a JSP file browser, which they used to move laterally, fetch additional malware, and install the Explosive RAT. The RAT captures keystrokes and screenshots and executes arbitrary commands, posing severe risks to affected organizations.
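The intrusion chain above hinges on a JSP web shell dropped onto a compromised Confluence, Jira or Oracle web server. As an added illustration of how a defender might surface that activity (this is example code, not ClearSky's tooling or anything from the report), the script below scans web access logs in combined log format and flags `.jsp` resources outside the known application paths that one client hits repeatedly; the log lines, the IP addresses and the allowlisted prefixes are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Tomcat combined log format (not from the report).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:01:02 +0000] "GET /confluence/dashboard.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2021:10:01:09 +0000] "GET /confluence/rest/api/content HTTP/1.1" 200 840 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:10:02:15 +0000] "POST /confluence/images/caa/cache.jsp HTTP/1.1" 200 312 "-" "python-requests/2.25"
198.51.100.7 - - [12/Jan/2021:10:02:21 +0000] "POST /confluence/images/caa/cache.jsp HTTP/1.1" 200 2048 "-" "python-requests/2.25"
198.51.100.7 - - [12/Jan/2021:10:02:40 +0000] "GET /confluence/images/caa/cache.jsp?dir=/opt HTTP/1.1" 200 9210 "-" "python-requests/2.25"
10.0.0.9 - - [12/Jan/2021:10:03:00 +0000] "GET /jira/secure/Dashboard.jspa HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist: prefixes where the deployed applications legitimately serve
# JSP pages. Build this from the real deployment; any other .jsp is suspect.
KNOWN_JSP_PREFIXES = ("/confluence/plugins/", "/jira/secure/")


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text, min_hits=2):
    """Return {(client_ip, path): hit_count} for .jsp resources outside the
    allowlisted prefixes that one client requested at least min_hits times
    with HTTP 200 (a successful, repeatedly used, unexpected JSP is the
    classic web-shell footprint)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["status"] != "200":
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(".jsp"):
            continue
        if path.startswith(KNOWN_JSP_PREFIXES):
            continue
        hits[(rec["ip"], path)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


if __name__ == "__main__":
    for (ip, path), n in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"suspect JSP {path} requested {n}x by {ip}")
```

The hit threshold and allowlist are tuning knobs; a single unexpected `.jsp` served with 200 is already worth a look, and the file's creation time on disk should be compared with the deployment history of the application.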
The evolution of the Explosive RAT, particularly its latest iteration (V4), demonstrates an upgrade in sophistication, incorporating new anti-debugging measures and ensuring encrypted communication with its command-and-control (C2) server. This ongoing enhancement reflects a strategic approach that enables the group to maintain a low profile while conducting extended operations without drawing attention.
The consistent use of web shells highlights a method that could make attribution challenging for security researchers, as the primary hacking tool obscures the group’s activities. According to ClearSky, the Lebanese Cedar group has evolved its approach over the years, transitioning from attacking individual computers to targeting vulnerable public-facing web servers directly.
In summary, this case study underscores the importance of business owners scrutinizing their cybersecurity posture and mapping the intrusion to the MITRE ATT&CK framework, whose tactics of initial access, persistence, and privilege escalation could all have been leveraged in these attacks. Organizations are called to review their defenses against such advanced persistent threats to mitigate potential risks in an increasingly complex cyber landscape.