A New Cedar Fever for Your Web Server

May 12, 2015 | Garrett Gross

Checkpoint recently published a report detailing a new attack campaign, dubbed ‘Volatile Cedar’, targeting environments across the globe. While some of the known targets have been larger environments (including defense contractors, telcos, and educational institutions), there is no evidence that would indicate that these attacks are aimed at any specific industry or company size.

The actors involved in this campaign do not appear to use any ‘traditional’ early stage techniques like phishing or drive-by-downloads, but, instead, seem to go straight for web servers. This is not the easiest entry point due to the complexity of the hack but, once an attacker is in, a web server can sometimes offer easy access to the internal network.

They infect the web server with a trojan called “Explosive”, a custom-built piece of malware that offers remote access, data exfiltration, key logging, as well as functionality to allow for lateral movements within the compromised network.

Another very interesting aspect of the Volatile Cedar campaign is how far they are willing to go to remain undetected, monitoring system resource consumption and antivirus detection results with the Explosive tool. It will even block external communications and obfuscate traffic to mask its activity.

The impact on you (other than sneezing and coughing):

  • Infected systems are under the control of the attacker and can be used to steal data, log keystrokes, even aid in moving around your network
  • Losing data can lead to loss of business, regulatory penalties, litigation, etc.
  • Hosting malicious content could inadvertently associate your business with criminal activity

Our AlienVault Labs team has already added several IDS signatures and a correlation rule to detect the C&C protocol generated by all the malware families used by this group. AlienVault Unified Security Management (USM) has the ability to continuously scan for vulnerabilities as well as changes to system files (which could be indicative of an attack). So when you are worried about those volatile allergy attackes, take a look at USM to relieve the systems.

Garrett Gross

About the Author: Garrett Gross

Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.

Read more posts from Garrett Gross ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe via Email

Watch a Demo ›
Get Price Free Trial