Volatile Cedar, a cybercriminal group affiliated with the Hezbollah Cyber Unit, has resurfaced after disappearing for almost 6 years.
# Threat Actor: Volatile Cedar
## Attribution & Identity
* **Attribution:** Cybercriminal group affiliated with the Hezbollah Cyber Unit.
* **Known Aliases:** Volatile Cedar.
* **Associated Groups:** Hezbollah Cyber Unit.
* **Status:** Resurfaced after an absence of almost 6 years (as of Feb 2021).
## Activity Summary
The group came to light following the discovery of suspicious activity targeting Oracle and Atlassian servers. The recent attacks described are reconnaissance campaigns aimed at learning the strategies and behaviors of specific enemies. Targeting included actively exploited, currently unpatched vulnerabilities.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of public-facing server software vulnerabilities:
  * CVE-2012-3152
  * CVE-2019-11581
  * CVE-2019-3396
* **Delivery:** Deployment of custom malware via a compromised open-source JSP file browser.
* **Defense Evasion:**
  * Shifting the attack surface from computers to public servers.
  * Using common web shell utilities instead of other, more detectable tools.
  * Implementing custom evasion measures within their malware, such as monitoring memory usage to avoid allocations that would look suspicious.
* **Execution/Persistence:** Use of their signature remote access tool.
## Targeting
* **Sectors:** Telecommunication companies.
* **Geography:** United States, Egypt, Jordan, the United Kingdom, Saudi Arabia, Europe, the UAE, and the Palestinian Authority.
* **Victims:** Organizations running Oracle and Atlassian servers. The intelligence gathered included client call records amongst other private data.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Explosive RAT:** An updated version of their trojan, specifically designed for sensitive data theft and corporate espionage.
  * **Explosive (Trojan):** The predecessor to Explosive RAT.
* **Infrastructure (C2, domains, IPs):** Not explicitly mentioned or defanged in the provided text.
## Implications
Volatile Cedar's resurfacing and the capabilities demonstrated signal a concerning evolution in Hezbollah's hacking proficiency, marked by the development and utilization of proprietary, highly evasive tools (Explosive RAT). Their activities confirm a persistent focus on intelligence gathering against geopolitical adversaries.
## Mitigations
1. **Patch Management:** Immediately patch all systems against critical vulnerabilities, specifically focusing on Oracle and Atlassian products, including CVE-2012-3152, CVE-2019-11581, and CVE-2019-3396.
2. **Application Security:** Review and secure public-facing application servers, especially those utilizing or hosting JSP files (e.g., restricting access to management interfaces).
3. **Endpoint Detection & Response (EDR):** Enhance monitoring for anomalous memory usage patterns indicative of evasion techniques.
4. **Monitoring:** Increase network vigilance for the presence and execution of custom Remote Access Tools (RATs) and web shells.
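The delivery and monitoring points above (a web shell dropped through a JSP file browser on a public-facing Java server, and watching for web-shell use) can be turned into a concrete log check. The script below is an added example written for this summary; it is not code from the page, from the referenced report, or from any vendor. It assumes Apache/nginx combined access-log format, a hypothetical allow-list of JSP endpoints the application legitimately serves, and a hypothetical list of upload/attachment path segments where an executable JSP should never appear. All log lines, IPs and paths are constructed sample data.

```python
"""Flag access-log entries consistent with web-shell style use of an unexpected
JSP resource on a public-facing Java application server.

Added, defender-side example; not from the page or any vendor report.
Assumes combined log format; allow-list and upload-directory names are hypothetical.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical allow-list: JSP endpoints the deployed application is known to serve.
KNOWN_JSP = {"/app/login.jsp", "/app/index.jsp"}

# Hypothetical path segments for user-uploaded content; a JSP served from here is
# a strong signal that an attacker placed it there (e.g. via a file-browser tool).
UPLOAD_DIRS = ("/upload/", "/uploads/", "/attachments/", "/tmp/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse.
    The query string is stripped so the same resource is counted once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(lines, known_jsp=KNOWN_JSP, burst_threshold=5):
    """Group requests to JSPs outside the allow-list by (source IP, path) and
    attach the reasons each group is suspicious. Returns a sorted list of findings."""
    hits = defaultdict(list)  # (ip, path) -> [(method, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".jsp"):
            continue
        if rec["path"] in known_jsp:
            continue
        hits[(rec["ip"], rec["path"])].append((rec["method"], rec["status"]))

    findings = []
    for (ip, path), reqs in sorted(hits.items()):
        reasons = ["unexpected JSP resource"]
        if any(seg in path for seg in UPLOAD_DIRS):
            reasons.append("JSP served from an upload/attachment location")
        if any(method == "POST" for method, _ in reqs):
            reasons.append("POST to unexpected JSP (input being submitted to it)")
        if len(reqs) >= burst_threshold:
            reasons.append(f"{len(reqs)} requests from one source (sustained interactive use)")
        findings.append({"ip": ip, "path": path, "count": len(reqs), "reasons": reasons})
    return findings


# Constructed sample log: one allow-listed JSP, one non-JSP API call, a malformed
# line, a single stray JSP hit, and a burst of activity against a JSP under /upload/.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:09:12:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2021:09:12:09 +0000] "GET /app/rest/api/content HTTP/1.1" 200 8891
this line is not in combined log format
203.0.113.9 - - [10/Feb/2021:09:15:30 +0000] "GET /app/static/old.jsp HTTP/1.1" 404 210
198.51.100.23 - - [10/Feb/2021:09:13:44 +0000] "GET /app/upload/fb.jsp?sort=name HTTP/1.1" 200 2210
198.51.100.23 - - [10/Feb/2021:09:13:50 +0000] "POST /app/upload/fb.jsp HTTP/1.1" 200 310
198.51.100.23 - - [10/Feb/2021:09:13:55 +0000] "POST /app/upload/fb.jsp HTTP/1.1" 200 298
198.51.100.23 - - [10/Feb/2021:09:14:02 +0000] "POST /app/upload/fb.jsp HTTP/1.1" 200 455
198.51.100.23 - - [10/Feb/2021:09:14:10 +0000] "POST /app/upload/fb.jsp HTTP/1.1" 200 301
198.51.100.23 - - [10/Feb/2021:09:14:21 +0000] "POST /app/upload/fb.jsp HTTP/1.1" 200 287
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['path']} x{f['count']}: " + "; ".join(f["reasons"]))
```

In practice the allow-list is generated from the deployed application's own JSP inventory rather than typed by hand, and the burst threshold is tuned against a baseline of normal traffic; the point of the example is that a JSP outside that inventory, especially one under an upload path that receives repeated POSTs from a single source, is exactly the footprint a dropped web shell leaves in ordinary access logs.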