Check Point has released a report detailing the discovery of a persistent cyber-espionage group that it believes may operate from Lebanon and have political ties.
Researchers in Check Point’s Malware and Vulnerability Research Group uncovered an attack campaign called Volatile Cedar, which uses a custom-made malware implant codenamed Explosive.
Operating since early 2012, the campaign has penetrated a large number of targets across the globe, allowing the attackers to monitor victims' actions and steal data.
The targets the report can confirm to date include defence contractors, telecommunications and media companies, and educational institutions. The nature of the attacks and their repercussions suggest that the attackers' motive is not financial gain but the extraction of sensitive information from the targets.
Key findings include:
* Volatile Cedar is a highly targeted and well-managed campaign: Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker’s goal while minimising the risk of exposure.
* The first evidence of any Explosive version was detected in November 2012. Several further versions have been detected since then.
* The group's modus operandi begins with publicly facing web servers, which it probes with both automated and manual vulnerability discovery.
* Once the attackers gain control of a server, they use it as a pivot point to explore, identify and attack additional targets deeper inside the internal network. The report cites evidence of online manual hacking as well as an automated USB infection mechanism.
“Volatile Cedar is a very interesting malware campaign. The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents,” says Dan Wiley, head of Incident Response & Threat Intelligence at Check Point Software Technologies.
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It’s time for organisations to be more proactive about securing their networks.”
Check Point customers are protected from Volatile Cedar via signatures on several security blades, and ThreatCloud-enabled blades identify every variant of the Explosive malware seen to date. Since the campaign is described as rapidly responding to detection incidents, coverage of the variants seen so far is no guarantee against the next one. Organisations can protect themselves against an attack like Volatile Cedar through a security infrastructure that includes proper firewall segmentation, IPS, anti-bot, patching, and application control configuration, with segmentation in particular limiting how far a compromised public web server can be used as a pivot into the internal network.
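The firewall segmentation recommended above, as it applies to the pivot described in the key findings (a compromised public web server used to reach the internal network), can be made concrete with an nftables forward-chain policy on the perimeter firewall. The ruleset below is an added illustration, not code from Check Point or from the report. The interface names, address ranges, the web server at 192.0.2.10, its single internal dependency (a database at 10.10.5.20:5432) and the admin jump host at 10.10.1.5 are all assumed for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the Check Point report. All interface names and
# addresses below are assumptions for illustration.
#
# Topology assumed:
#   eth0 = Internet, eth1 = DMZ (192.0.2.0/24), eth2 = internal LAN (10.10.0.0/16)
#   The public web server is 192.0.2.10; the only internal service it needs
#   is a database at 10.10.5.20 on TCP 5432; admins reach the DMZ over SSH
#   from a jump host at 10.10.1.5.

flush ruleset

define WAN        = "eth0"
define DMZ        = "eth1"
define LAN        = "eth2"
define DMZ_NET    = 192.0.2.0/24
define LAN_NET    = 10.10.0.0/16
define WEB        = 192.0.2.10
define DB         = 10.10.5.20
define ADMIN_JUMP = 10.10.1.5

table inet segmentation {
    chain forward {
        # Default deny between zones: a flow crosses a boundary only if a
        # rule below explicitly allows it.
        type filter hook forward priority 0; policy drop;

        # Stateful matching: replies to permitted flows are allowed, so none
        # of the rules below need a mirror-image "return traffic" rule.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web service, only on the web server.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # DMZ -> LAN: the one documented dependency. This is the rule that
        # contains a compromised web server: without it being this narrow,
        # the server becomes a pivot point into the whole internal network.
        # The flat-network mistake this replaces is a broad rule such as
        #   iifname $DMZ oifname $LAN accept
        iifname $DMZ oifname $LAN ip saddr $WEB ip daddr $DB tcp dport 5432 accept

        # DMZ -> Internet: restrict egress to what the server actually needs
        # (here, HTTP/HTTPS for package updates). Unrestricted egress would
        # let an implant on the server reach its command-and-control freely.
        iifname $DMZ oifname $WAN ip saddr $DMZ_NET tcp dport { 80, 443 } accept

        # LAN -> DMZ: administrative SSH from the jump host only.
        iifname $LAN oifname $DMZ ip saddr $ADMIN_JUMP ip daddr $DMZ_NET tcp dport 22 accept

        # Any other DMZ -> LAN attempt is exactly the lateral movement the
        # report describes. Log it with a distinctive prefix so the SOC can
        # alert on it, then drop.
        iifname $DMZ oifname $LAN log prefix "DMZ-to-LAN pivot blocked: " level warn counter drop
    }
}
```

Load it with `nft -f` on the firewall host and check with `nft list ruleset`. The logged "DMZ-to-LAN pivot blocked" lines are worth a dedicated alert: a public web server that starts probing internal hosts on ports other than its one allowed database port is a strong signal that the server has been taken over, which is the stage at which the report says this group begins exploring the internal network.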