In mid-2021, Kaspersky researchers discovered a wave of new attacks by the Middle Eastern Advanced Persistent Threat (APT) group, DeftTorero, also popularly dubbed as the Volatile Cedar. First detected in 2012, the APT group has been actively targeting the Government, Military, Education, Corporate and Telecommunication industries particularly across the UAE, Saudi Arabia, Egypt, Kuwait, Lebanon, Jordan and Turkey.
In the past, Volatile Cedar heavily used a custom-made remote access Trojan named Explosive, implanted in its targets such as publicly accessible web servers or internal systems, to harvest sensitive information. The APT group selected only a handful of targets to avoid unnecessary exposure. Once in control of an internet-exposed server, it penetrated the internal network via various means, including password stuffing/reuse.
Suspected to have originated from Lebanon, Kaspersky researchers have been monitoring Volatile Cedar since 2015. Since the group went radio silent and no new intelligence or intrusions were reported until 2021, Kaspersky experts suspected a possible shift in the TTPs of the threat actor to camouflage their activity using fileless malware and remain undetected.
As the Kaspersky investigation showed, Volatile Cedar possibly exploited a file upload form and/or an web application command injection vulnerability in a functional or staging website hosted at the target web server to install a webshell. In other instances, plugins pre-installed by the server admins were likely exploited, and server credentials from systems in the same organization were used to log in via a Remote Desktop Protocol to deploy a malicious script/webshell. Once the APT group found a way to upload the malicious script, they attempted to drop additional tools to penetrate into internal systems. Kaspersky’s intrusion analysis highlighted that almost all the web shells deployed collectively originated from a GitHub account, and were either used as is or were slightly modified.
“APT groups are known to find creative ways to remain undetected for years. Although DeftTorero did not have a high level of technological prowess in the past, time proved that open-source tools, fileless attacks and tooling modification is still used to successfully compromise victims. Using backdoors, the APT group is able to not only find gateways to its target, but also use it to connect to other servers. Since such attacks develop rapidly and often go undetected, it is mandatory that they are mitigated at early stages. It is our advice that organizations constantly monitor the vulnerabilities rising from publicly accessible web applications as well as to monitor for web apps file integrity” said Ariel Jungheit, Senior Security Researcher at Kaspersky GReAT.
In order for organizations to avoid falling victim to this APT group, Kaspersky researchers recommend:
- Thoroughly assessing web vulnerabilities, which includes monitoring the file integrity on web servers.
- Scanning web server backups occasionally. We noticed that some of the threat actor tools were located in backups, hence if the backups were restored at a later stage, the threat actor could regain persistent access and continue where they left off.
- IT administrators should be aware of their own publicly exposed attack surface like web applications, FTP servers, etc.