Security firm Check Point has uncovered what seems to be a successful, and long-running, cyber-surveillance campaign called "Volatile Cedar." Check Point found that targets of the attack included, but were not limited to, defense contractors, media companies, telecommunications, and educational institutions.
The attack is said to have originated in Lebanon and possibly has political ties in the region. According to an article in Techworld, previous cyber-campaigns originating from Lebanon have been either extremely unsophisticated or targeted at other countries in the region. However, Volatile Cedar is different.
According to the report, this campaign has been in operation since 2012 and has successfully penetrated a large number of targets across the globe. During this time it has allowed the attackers to steal data and monitor a large volume of victim's actions.
The actors involved in this campaign do not appear to be using flashy mechanisms like zero day attacks or complex malware but, instead, enter networks via vulnerable webservers. Once compromised, webservers are infected with a trojan called "Explosive" which allows them to carry out reconnaissance.
This custom-built piece of malware offers remote access, data exfiltration, key logging, as well as functionality to allow for lateral movements within the compromised network.
Another very interesting aspect of the Volatile Cedar campaign is how far the actors are willing to go to remain undetected, monitoring system resource consumption and antivirus detection results with the "Explosive" tool. It will even block external communications and obfuscate traffic to mask its activity.
How Volatile Cedar Impacts Your Organization
- Attackers can take control of infected systems to steal data, log keystrokes, and even begin to move around in your network
- The loss of data can lead to regulatory penalties, loss of business, litigation, etc.
- Hosting malicious content could inadvertently associate your organization with criminal activity
How AlienVault Unified Security Management (USM) Can Help
AlienVault USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring, SIEM, and threat intelligence from AlienVault Labs—all in a single console.
The AlienVault Labs team has already added several IDS signatures and a correlation rule to detect the C&C protocol generated by all the malware families used by the attackers behind Volatile Cedar:
System Compromise, Targeted Malware, Volatile Cedar
With AlienVault USM, you can scan your network to identify assets with the Volatile Cedar vulnerability, making it easy for you to identify systems that need to be patched and prioritize remediation.
Not only can AlienVault USM identify vulnerable systems, it can also help you detect attempted exploits of the vulnerability.
AlienVault USM also checks the IP information against the Open Threat Exchange (OTX), the largest crowd-sourced threat intelligence exchange. In the example below, you can see details from OTX on the reputation of an IP, including any malicious activities associated with it.
Learn more about AlienVault USM: