Some 250 servers were apparently breached by the Lebanese Cedar APT group, an organization with suspected links to the Hezbollah Cyber Unit in Lebanon.

The targeted victims include companies in many countries, among them the United States, United Kingdom, Saudi Arabia, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority. Valuable information was stolen over periods of months and years, ClearSky researchers wrote in a blog post.

The security firm, which first detected suspicious activity in early 2020, said the attack was based on a modified JSP file browser with a unique string that the adversary used to deploy the “Explosive” V4 Remote Access Tool (RAT) or the “Caterpillar” V2 WebShell in the victims’ networks. The file was installed on vulnerable Atlassian Jira and Oracle 10g servers. Lebanese Cedar exploited publicly known 1-day vulnerabilities such as CVE-2012-3152 to install the JSP on vulnerable servers.
