Security News > 2021 > January > Hezbollah Hacker Group Targeted Telecoms, Hosting, ISPs Worldwide

A "Persistent attacker group" with alleged ties to Hezbollah has retooled its malware arsenal with a new version of a remote access Trojan to break into companies worldwide and extract valuable information.

In a new report published by the ClearSky research team on Thursday, the Israeli cybersecurity firm said it identified at least 250 public-facing web servers since early 2020 that have been hacked by the threat actor to gather intelligence and steal the company's databases.

The hacking activity uncovered by ClearSky matched operations attributed to Hezbollah based on code overlaps between the 2015 and 2020 variants of the Explosive RAT, which is deployed onto victims' networks by exploiting known 1-day vulnerabilities in unpatched Oracle and Atlassian web servers.

Using the three flaws in the servers as an attack vector to gain an initial foothold, the attackers then injected a web shell and a JSP file browser, both of which were used to move laterally across the network, fetch additional malware, and download the Explosive RAT, which comes with capabilities to record keystrokes, capture screenshots, and execute arbitrary commands.

"The web shell is used to carry out various espionage operations over the attacked web server, including potential asset location for further attacks, file installation server configuration and more," the researchers noted, but not before obtaining escalated privileges to carry out the tasks and transmit the results to a command-and-control server.

"Lebanese Cedar has shifted its focus significantly. Initially they attacked computers as an initial point of access, then progressed to the victim's network then further progressing to targeting vulnerable, public facing web servers," the researchers added.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/QN-avU6vY4g/hezbollah-hacker-group-targeted.html