Volatile Cedar is an APT group identified as far back as 2012, falling silent around 2015. A new report by ClearSky (referring to the group as Lebanese Cedar) details activities by the group beginning again in early 2020 which compromised upwards of 250 telecom and ISP companies.
According to the full report, the group used directory brute-force tools such as DirBuster and GoBuster to find open directories on web servers that could then be used during the exploitation stage of the attack to inject a web shell. Three vulnerabilities were identified by ClearSky as being used for this campaign:
- Atlassian Confluence Server (CVE-2019-3396)
- Atlassian Jira Server or Data Center (CVE-2019-11581)
- Oracle 10g 126.96.36.199 (CVE-2012-3152)
After successful exploitation, Volatile Cedar deployed multiple possible web shells. Two were used during the “injection stage.” The first, known as Caterpillar 2, is a variant of the open-source ASPXspy web shell. The second is known as JSP File Browser. On infected machines with the JSP File Browser installed, the group was also able to deploy Explosive RAT, a remote access tool (RAT) providing keylogging, screen capture, and remote command execution.
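As an added example (not from the ClearSky report or Binary Defense's own tooling), the kind of detection logic a defender could run over web-server access logs to surface the two stages described above: a directory brute-force from one client, and a script file (.jsp/.aspx, the extensions of the web shells named) that returned 404 during the scan and later starts serving 200. The log lines, IP addresses, file names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the report).
# 203.0.113.7 brute-forces directories, finds an open /uploads/ directory,
# then a JSP file that did not exist during the scan starts serving 200.
SAMPLE_LOG = """\
198.51.100.5 - - [12/Jan/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:00:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:00:03 +0000] "GET /uploads/ HTTP/1.1" 200 1843 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:00:03 +0000] "GET /uploads/fb.jsp HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [12/Jan/2021:10:05:40 +0000] "GET /uploads/fb.jsp HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Jan/2021:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("dirbuster", "gobuster")  # tools named in the report
SHELL_EXT = (".jsp", ".aspx")           # JSP File Browser / ASPXspy-style shells

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(text, min_requests=5, min_404_ratio=0.6):
    """Return (sorted brute-force client IPs, [(ip, path)] web shell candidates)."""
    total, not_found, scanner = defaultdict(int), defaultdict(int), set()
    prior_404 = set()   # paths that returned 404 at least once so far
    candidates = []     # script files that went 404 -> 200 (possible dropped shell)
    for r in parse_log(text):
        ip, path, status = r["ip"], r["path"], r["status"]
        total[ip] += 1
        if status == "404":
            not_found[ip] += 1
            prior_404.add(path)
        if any(tool in r["ua"].lower() for tool in SCANNER_UA):
            scanner.add(ip)
        if status == "200" and path.lower().endswith(SHELL_EXT) and path in prior_404:
            candidates.append((ip, path))
    # Flag by tell-tale User-Agent, or by a high 404 ratio for quieter scanners.
    brute = {ip for ip in total if ip in scanner or
             (total[ip] >= min_requests and not_found[ip] / total[ip] >= min_404_ratio)}
    return sorted(brute), candidates
```

The 404-then-200 heuristic also fires on legitimately deployed files, so it is a triage signal to pair with change-control records, not a verdict on its own.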
ClearSky’s partial list of identified victims includes companies from the United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel, and the Palestinian Authority. While most of the shortened victim list in the report details telcos and ISPs, other victims included government agencies and private organizations.
The Volatile Cedar campaign relied on older exploits against Atlassian and Oracle products for which patches have been available for some time. Binary Defense highly recommends that organizations follow a regular patch schedule. Atlassian provided a helpful table of affected versions for its Confluence and Jira products (CVE-2019-3396 and CVE-2019-11581, respectively). Oracle also provided a security advisory page (though it includes several other emergency patches) for Oracle Fusion Middleware. ClearSky lists Oracle 10g 188.8.131.52 as being affected by CVE-2012-3152. More specifically, the vulnerability is in the Oracle Reports Developer component and affects versions 184.108.40.206, 220.127.116.11, and 18.104.22.168.