Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the largest pure-play security vendor globally, today released a report detailing the discovery of a persistent attacker group originating possibly in Lebanon with political ties.
Researchers in Check Point’s Malware and Vulnerability Research Group uncovered an attack campaign called Volatile Cedar, which uses a custom-made malware implant codenamed Explosive. Operating since early 2012, this campaign has successfully penetrated a large number of targets across the globe, during which time it has allowed the attackers to monitor victim’s actions and steal data.
To date, the attacked organizations we can confirm include defense contractors, telecommunications and media companies, as well as educational institutions. The nature of the attacks and associated repercussions suggest that the attacker’s motives are not financial but aim to extract sensitive information from the targets.
- Volatile Cedar is a highly targeted and well-managed campaign: Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker’s goal while minimizing the risk of exposure.
- The first evidence of any Explosive version was detected in November 2012. Over the course of the timeline, several versions have been detected.
- The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery.
- Once the attacker gains control over a server, he/she can use them as a pivot point to explore, identify, and attack additional targets located deeper inside the internal network. We have seen evidence of online manual hacking as well as an automated USB infection mechanism.
“Volatile Cedar is a very interesting malware campaign. The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents,” said Dan Wiley, Head of Incident Response & Threat Intelligence at Check Point Software Technologies. “This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It’s time for organizations to be more proactive about securing their networks.”
Check Point customers are protected from Volatile Cedar via various signatures on different security blades. Organizations can protect themselves against an attack like Volatile Cedar through a smart security infrastructure that includes proper firewall segmentation, IPS, anti-bot, patching, and application control configuration.
For more information, the full report on Volatile Cedar can be found here: /downloads/volatile-cedar-technical-report.pdf
Check Point’s Threat Intelligence & Research divisions regularly investigate attacks, vulnerabilities and breaches, and develop protections to secure Check Point’s customers. For more information on other research findings from Check Point, visit: /threatcloud-central/.