According to the report, Elephant Beetle exploits known but unpatched vulnerabilities and then lingers in the victim's network for a long time, observing how it operates. Once the actor has studied the environment well enough, it injects fake transactions to divert funds from the victim.
Modus Operandi of Elephant Beetle
Researchers at Sygnia Incident Response have discovered a relatively new threat actor, which they named Elephant Beetle and tracked for nearly two years before exposing it today. According to their report, the actor is financially motivated and uses more than 80 unique tools and scripts to steal money. More specifically, Elephant Beetle is said to target legacy Java applications running on Linux systems, and it exploits the following flaws in its targets' systems:
Primefaces Application Expression Language Injection (CVE-2017-1000486)
WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450)
SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)
SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963)
Each of these flaws lets Elephant Beetle execute code remotely and plant a specially crafted, obfuscated web shell. Once in, the actor blends its activity into regular traffic so as to remain undetected: it mimics legitimate packages, disguises web shells as font, image, CSS or JS resources, and packs payloads into WAR archives. On IIS web servers it also replaces or modifies default page files such as iisstart.aspx or default.aspx. That is a way of keeping access rather than of getting in: because those pages are reachable by default, the actor retains assured access to its web shell from the internet or from other connected servers.

For lateral movement, the group uses a custom Java-written network scanner to enumerate all IP addresses that expose a specific port or HTTP interface, then reaches those hosts with compromised credentials or RCE bugs.

Once settled in, the Elephant Beetle gang silently watches the transactions and communications in the victim's network. After gathering enough data, it injects fraudulent transactions among the regular ones and steals money through payments that look unremarkable. The individual amounts start small, but the group is persistent, and such transactions have added up to millions of dollars. Researchers therefore warned users to remain vigilant and advised the following:
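The disguises described above (web shells named like font, image, CSS or JS resources, payloads packed into WAR archives, tampered IIS default pages) can be hunted with a content-based sweep of the web root. The script below is an added example, not Sygnia's tooling or any code from the report: the server-side code markers, the list of "static" directory names and the known-good hashes are assumptions that a practitioner would tune for their own stack. It walks a directory, flags files whose extension says "static asset" but whose content contains a page directive or a command-execution primitive, flags dynamic pages that sit in resource directories or that shell out, opens every WAR archive and applies the same checks to its entries, and compares the IIS default pages against a baseline hash. The sample web root is constructed inside the script.

```python
"""Hunt for web shells hidden as static resources, for suspicious pages inside deployed
WAR archives, and for tampered IIS default pages. Added example (not Sygnia's tooling):
the markers, directory names and baseline hashes are assumptions to tune per environment."""
import hashlib
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List

STATIC_EXTS = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff", ".woff2", ".ttf"}
STATIC_DIRS = {"css", "js", "font", "fonts", "images", "img", "static", "assets"}
DYNAMIC_EXTS = {".jsp", ".jspx", ".aspx", ".ashx", ".asmx"}

PAGE_DIRECTIVE = re.compile(rb"<%\s*@\s*page\b", re.I)          # JSP / ASP.NET page directive
EXEC_MARKERS = [                                                 # command-execution primitives
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(rb"new\s+ProcessBuilder\s*\("),
    re.compile(rb"Process\.Start\s*\(", re.I),
    re.compile(rb"eval\s*\(\s*Request\b", re.I),
]

def _in_static_dir(path: str) -> bool:
    parts = path.replace("\\", "/").lower().split("/")[:-1]
    return any(p in STATIC_DIRS for p in parts)

def classify(path: str, data: bytes) -> List[str]:
    """Reasons a file deserves triage; an empty list means nothing matched."""
    ext = os.path.splitext(path.lower())[1]
    has_exec = any(m.search(data) for m in EXEC_MARKERS)
    reasons = []
    if ext in STATIC_EXTS and (PAGE_DIRECTIVE.search(data) or has_exec):
        reasons.append("server-side code behind a static-resource extension")
    if ext in DYNAMIC_EXTS and _in_static_dir(path):
        reasons.append("dynamic page placed in a static-resource directory")
    if ext in DYNAMIC_EXTS and has_exec:
        reasons.append("command-execution primitive in a dynamic page")
    return reasons

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root; WAR archives are opened and their entries reported as war!/entry."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(".war"):
                with zipfile.ZipFile(full) as war:
                    for entry in war.namelist():
                        if entry.endswith("/"):
                            continue
                        r = classify(entry, war.read(entry))
                        if r:
                            findings[f"{rel}!/{entry}"] = r
                continue
            with open(full, "rb") as f:
                r = classify(rel, f.read())
            if r:
                findings[rel] = r
    return findings

def check_iis_defaults(root: str, baseline: Dict[str, str]) -> List[str]:
    """IIS default pages whose SHA-256 no longer matches the known-good baseline."""
    tampered = []
    for name, good in baseline.items():
        p = os.path.join(root, name)
        if os.path.exists(p):
            with open(p, "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != good:
                    tampered.append(name)
    return tampered

def build_sample_tree(root: str) -> None:
    """Constructed sample web root (illustrative content, not real artefacts)."""
    files = {
        "css/site.css": b"body { color: #333; }\n",
        "fonts/glyph.woff": b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>',
        "images/logo.jsp": b'<%@ page contentType="text/html" %><html>logo</html>',
        "default.aspx": b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["c"]); %>',
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.jsp", "<html>ok</html>")
        war.writestr("static/app.js", "var ready = true;")
        war.writestr("WEB-INF/jsp/fonts/icons.jsp",
                     '<% new ProcessBuilder("sh", "-c", request.getParameter("c")).start(); %>')
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(buf.getvalue())

def run_demo():
    """Build the sample tree in a temp dir and return (findings, tampered_defaults)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        good = hashlib.sha256(b"<html>IIS default placeholder</html>").hexdigest()  # assumed gold hash
        return scan_tree(root), check_iis_defaults(root, {"iisstart.aspx": good, "default.aspx": good})

if __name__ == "__main__":
    found, tampered = run_demo()
    for path, reasons in sorted(found.items()):
        print(path, "->", "; ".join(reasons))
    print("tampered IIS default pages:", tampered)
```

The markers are deliberately narrow (page directives and process-spawning calls) so the sweep stays quiet on real stylesheets and scripts; a hit still needs triage, since a legitimate JSP may shell out for a good reason. The baseline hashes should come from a clean install of the same IIS version, not from the running server.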
Avoid using the ‘xp_cmdshell’ procedure and disable it on MS-SQL servers. Monitor for configuration changes and the use of ‘xp_cmdshell’.
Monitor WAR deployments and validate that the package deployment functionality is included in the logging policy of the relevant applications.
Hunt and monitor for the presence and creation of suspicious .class files in the WebSphere applications temp folders.
Monitor for processes that were executed by either web server parent service processes (e.g., ‘w3wp.exe’, ‘tomcat6.exe’) or by database-related processes (e.g., ‘sqlservr.exe’).
Implement and verify segregation between DMZ and internal servers.
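Two of the recommendations above (children of web server and database processes, and xp_cmdshell configuration changes and use) translate directly into detection logic. The script below is an added example and not Sygnia's detection content: it runs over a constructed batch of simplified process-creation and SQL audit events (a flat JSON-like dict per event, not a real Sysmon or SQL Audit schema), flags any child spawned by w3wp.exe, Tomcat or sqlservr.exe, rates interactive shells and reconnaissance tools as high severity, and separately reports both the sp_configure call that enables xp_cmdshell and any statement that invokes it. Because Tomcat and WebSphere run as a plain `java` process on Linux, the parent is also matched on its command line; those class-name patterns and the small allowlist of expected IIS children are assumptions to validate in your own environment.

```python
"""Flag child processes of web-server and database services and xp_cmdshell activity.
Added example (not Sygnia's detection content); event records are constructed for the demo
and simplified from what Sysmon / auditd / SQL Server Audit would actually emit."""
import re
from typing import Dict, List, Optional

# Parents from the advisory. Linux Tomcat / WebSphere run as `java`, so the parent command
# line is matched too (assumed class-name patterns for Catalina and the WebSphere launcher).
WEB_PARENT_IMAGES = {"w3wp.exe", "tomcat6.exe", "tomcat7.exe", "tomcat8.exe", "tomcat9.exe"}
WEB_PARENT_CMDLINE = re.compile(r"org\.apache\.catalina|com\.ibm\.ws\.bootstrap", re.I)
DB_PARENT_IMAGES = {"sqlservr.exe"}
# Children that make a web or database parent an immediate priority.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python", "perl",
                  "whoami.exe", "whoami", "net.exe", "net1.exe", "nltest.exe", "certutil.exe",
                  "curl", "wget"}
# Expected IIS children (ASP.NET just-in-time compilation). An allowlist is a starting point,
# not a verdict: an attacker can name a dropped binary csc.exe too, so pair this with hashes.
BENIGN_CHILDREN = {"csc.exe", "cvtres.exe", "vbc.exe"}

XP_ENABLE = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)   # enabling the procedure
XP_EXEC = re.compile(r"\bxp_cmdshell\b", re.I)                            # any other use of it

def _base(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()

def _parent_kind(ev: Dict) -> Optional[str]:
    img = _base(ev.get("parent_image", ""))
    if img in WEB_PARENT_IMAGES or WEB_PARENT_CMDLINE.search(ev.get("parent_cmdline", "")):
        return "web server"
    if img in DB_PARENT_IMAGES:
        return "database"
    return None

def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict (rule, severity, detail) per matching event, in input order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            kind = _parent_kind(ev)
            child = _base(ev["image"])
            if kind is None or child in BENIGN_CHILDREN:
                continue
            sev = "high" if child in SHELL_CHILDREN else "medium"
            alerts.append({"rule": f"{kind} process spawned child", "severity": sev,
                           "detail": f"{_base(ev['parent_image'])} -> {ev['cmdline']}"})
        elif ev["type"] == "sql":
            stmt = ev["statement"]
            if XP_ENABLE.search(stmt):
                alerts.append({"rule": "xp_cmdshell enabled via sp_configure", "severity": "high",
                               "detail": stmt})
            elif XP_EXEC.search(stmt):
                alerts.append({"rule": "xp_cmdshell executed", "severity": "high", "detail": stmt})
    return alerts

# Constructed sample batch: one benign IIS compile, three shell spawns, one odd but not
# shell-like child, an unrelated desktop process, and three SQL audit statements.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool"',
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /t:library /out:App_Web.dll"},
    {"type": "process", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool"',
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent_image": "/usr/bin/java",
     "parent_cmdline": "java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start",
     "image": "/bin/sh", "cmdline": 'sh -c "id; uname -a"'},
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "parent_cmdline": "sqlservr.exe -sMSSQLSERVER",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net user"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool"',
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "sql", "login": "app_svc", "statement": "SELECT TOP 10 * FROM dbo.Invoices WHERE Status = 'Pending'"},
    {"type": "sql", "login": "app_svc",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"type": "sql", "login": "app_svc", "statement": "EXEC master..xp_cmdshell 'whoami'"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['rule']}: {a['detail']}")
```

In production the same logic sits in a SIEM rule keyed on the parent process field (Sysmon Event ID 1 `ParentImage`, or auditd `ppid` joined to its executable) and on SQL Server Audit statement text; the point of the allowlist is to keep the rule tuned rather than to trust process names, which an attacker controls.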
Finally, the researchers said the threat actor likely operates from Latin America: its code contains variable and file names in Spanish, most of its C2 IP addresses are based in Mexico, and its custom Java-written network scanner was uploaded to VirusTotal from Argentina. The group has also been linked to FIN13, which Mandiant has tracked for years for similar financially motivated activity.