fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hezbollah Hackers Attack Unpatched Atlassian Servers At Telcos, ISPs

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Hezbollah Hackers Attack Unpatched Atlassian Servers At Telcos, ISPs

Volatile Cedar, an advanced hacker group believed to be connected to the Lebanese Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations.

The threat actor likely accessed more than 250 Oracle and Atlassian servers belonging mainly to organizations providing mobile communications and internet-based services.

Also known as Lebanese Cedar, the actor has been active since at least 2012 but fell of the researchers’ radar in 2015. Their operations resurfaced in early 2020 with what security researchers call the BeardStache global campaign, which may have compromised hundreds of companies.

Recon and exploitation

In a report today, cybersecurity company ClearSky says that Lebanese Cedar seems to focus on collecting intelligence and stealing company databases with sensitive information – such as client call records and private data in the case of telecommunications companies.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

According to the researchers, the threat actor makes reconnaissance efforts to select their victims and relies on public tools to find them. They use URI Brute Force tools (GoBuster and DirBuster) to look for open directories that could allow a web shell injection.

Lebanese Cedar looks for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware servers. The vulnerabilities exploited are CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152.

The geography of the latest batch of victims varies from the Middle East to America and Europe, comprising the United States, the United Kingdom, Egypt, Saudi Arabia, Jordan, United Arab Emirates, and the Palestinian National Authority.

Keeping a low profile

ClearSky says that the group may have been active over the past five years but its operations remained unnoticed due to adopting new tactics, techniques, and procedures.

According to the security firm, Lebanese Cedar was able to keep a low profile by:

  • using common web shell utilities as the main hacking tool and rarely relying on other tools, which hindered attribution
  • shifting the initial point of access from computers to a victim’s network, and later to vulnerable servers exposed to the public internet
  • keeping operations so far apart that researchers monitoring them switched their focus to other, more recent threats

The researchers started to investigate after finding suspicious network activities and hacking tools on the systems of multiple companies. A closer look revealed a new version of the Explosive RAT – a remote access tool linked to Volatile Cedar – and the the “Caterpillar” web shell.

Also Read: Letter of Consent MOM: Getting the Details Right

“’Caterpillar WebShell’ was found in most of the victims we investigated, in many of the systems we also found traces of “Explosive” RAT. We identified the specific open-source JSP file browser that was modified for the hackers’ purposes. We found that Lebanese Cedar deployed the payload of Explosive RAT into the victims’ network. Lebanese Cedar is the only known threat actor that uses this code” – ClearSky

During incident response engagements, the company found two JSP files on victims’ servers, added on various dates between January 2019 and August 2020. The files had been installed at the same time on multiple ports that redirect to an Oracle server.

ClearSky warns that the Oracle servers accessed by Lebanese Cedar are still open and are easy targets for other hackers looking to attack the networks of multiple telecom providers or gain access to the files available.

The researchers say that Lebanese Cedar combines open-source tools with custom ones, their current toolset including a full blown web shell, a custom RAT, and “carefully selected complementary tools, including URI brute force tools.”

ClearSky describes Lebanese Cedar as an actor that has the capability to develop their tools and orchestrate “sophisticated, well-designed attacks” without drawing attention to their operations. The clever selection of tools, tactics, and attack vectors allows them to pass unnoticed.

The company’s report provides complete technical details about the attacks investigated and indicators of compromise that include some of the original servers used by the hackers.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us