Researchers warn of sophisticated group of cybercriminals who stole millions of dollars from financial and business organizations over the past year by breaking into networks through legacy Java applications, then refraining to learn financial processes internal. The group, which researchers at incident response company Sygnia have dubbed the Elephant Beetle, uses a large collection of custom and open source tools in its operations, including Java backdoors, and integrates seamlessly into the environment. target and network traffic flow. remain undetectable for months.
Its behavior is reminiscent of groups like Carbanak who have stolen hundreds of millions of dollars from financial institutions, including central banks. While Elephant Beetle’s target selection appears to favor Latin America, it has hit local branches of international companies and its business could easily expand to other regions in the future.
Initial infiltration and lateral movement
The group’s infiltration methods are not sophisticated, as they do not use zero-day exploits. Instead, it targets legacy and unpatched Java applications and web servers, especially WebSphere and WebLogic, which are exposed to the Internet.
According to Sygnia, the group used old remote code execution (RCE) exploits: Primefaces Application Expression Language Injection (CVE-2017-1000486), WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450), SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963).
In addition to exploits, the group also tries to access web management interfaces such as myWebMethods (WMS) and QLogic using default credentials. Once they gain access to the server through a web shell, they will begin to search scripts and configuration files for additional stored credentials. For example, WebSphere stores administrator credentials in server.xml in XOR-encoded form that is easy to decode.
If they obtain additional credentials for the server management tools, attackers use them to deploy their own Java application as a WAR archive or place it in automatic deployment folders. This application is a collection of web shells and other tools such as Java based network scanners.
Another technique observed was the injection of malicious backdoor code into default web pages such as iisstart.aspx or default.aspx on IIS web servers. Access to these pages is generally not blocked or restricted by web firewall rules and can potentially be accessed from the Internet.
Elephant Beetle attackers also download the source code of applications present on the server, possibly to find potential weaknesses.
“This act, combined with analyzes of threat groups for specific proprietary web interfaces, indicates that they have a deep understanding and knowledge in the area of penetration testing,” Sygnia researchers said in his report.
The group used a variety of port scan tools and other fingerprint tools to find additional systems and assets they can attack after the initial intrusion. This includes a TLS scanner, a batch script to enumerate the shares open on machines in a Windows domain environment, and a script developed by Microsoft to find the names of service principals in the domain.
“The threat pool moves laterally through the network primarily through web application servers and SQL servers, exploiting known techniques such as Windows APIs (SMB / WMI) and” xp_cmdshell “, combined with backdoors custom remote execution volatiles, ”the researchers said. The group uses backdoor and traffic tunnel tools written in Java, PowerShell, and Perl. In total, Elephant Beetle has been observed using over 80 different tools and scripts during its operations.
MS-SQL servers appear to be a prime target after the initial compromise of web servers. Attackers will attempt to access SQL database servers using credentials found in web applications and create administrative accounts.
RCE on Windows machines is done through Windows Management Instrumentation (WMI) and SMB using scripts such as Invoke-SMBExec.ps1 – which is part of the Empire operating framework – and WmiExec.vbs. Command output and files pulled from internal servers with these remote commands are relayed to already compromised systems through proxy or tunneling tools and are then stored in internet accessible folders for exfiltration.
Attackers operate on compromised machines from temporary system folders to avoid leaving traces in permanent locations. The malicious files are named after the victim company or the applications the company is using to make detection more difficult. When tools are initially downloaded, they can be masked as Base64 and are then decoded using system tools such as Certutil.exe.
To harvest the credentials, the group dumps the memory of the LSASS.exe process with tools such as PWdump7, Out-Minidump.ps1, or the ProcDump tool. They also extract the SAM and SYSTEM registry hives, get the NTDS.DIT file from domain controllers, and decrypt it.
Elevation of privilege is achieved with sideloading DLLs, for example by sideloading httpodbc.dll on older IIS servers, or with tools such as incognito v2 for token manipulation and spoofing.
Recognition of several months and theft of money
Once the Elephant Beetle enters a network, it spends the first few weeks to a month performing lateral movements and customizing its backdoors to suit the target’s environment. This is followed by months of attackers mixing in the background and patiently studying the victim’s financial operations: the software, infrastructure, and processes they use to perform legitimate transactions.
Once all workflows are understood and the required access is obtained, the group begins to inject fraudulent transactions for small amounts of money that may go unnoticed. These mimic the behavior of legitimate transactions and the goal is to stack as many transactions as possible over time instead of stealing a lot of money all at once. Using this technique, attackers can siphon millions of dollars over time undetected.
This is different behavior than groups like Carbanak, who also take a long time to prepare their ground inside a compromised network and study financial processes for months, but then perform a one-off attack. well prepared that results in theft. tens of millions of dollars from the target. While groups like Carbanak know they will be discovered once they pull the trigger with a bang, attackers on Elephant Beetle are hoping they will go undetected for long periods of time.
“If during their efforts fraudulent activity is discovered and blocked, they just stay silent for a few months to come back and target a different system,” Sygnia researchers said.
It is not known where the elephant beetle attackers came from, but the strings found in their tools suggest they are Spanish speaking, so Latin America is a strong possibility. It could also explain their current focus on targets in the region and several of their command and control servers are hosted in Mexico. There are also similarities with a group that Mandiant tracks like FIN13 which has been active since at least 2017 and has targeted organizations in Mexico.
“Elephant Beetle seems to focus primarily on Latin American targets, but that doesn’t mean organizations that aren’t based there are safe,” the researchers said. “For example, our IR team discovered that the Latin American operations of an American company had been violated. As such, regional and global organizations need to be on their toes.”
Detect elephant beetle attacks
Detecting long-term, stealthy intrusions like those performed by the elephant beetle often requires an active hunt for insider threats. The Sygnia report contains IOCs and TTPs based on the MITER ATT & CK framework. The company’s recommendations include:
- Maintain applications and keep operating systems up to date, especially on servers connected to the Internet.
- Avoid using clear text credentials in scripts.
- Avoid using the same password for different administration interfaces on different servers.
- Avoid using the xp_cmdshell procedure and disable it on MS-SQL servers. Monitor configuration changes and the use of xp_cmdshell.
- Monitor WAR deployments and verify that the package deployment functionality is included in the affected application logging policy.
- Check for and monitor the presence and creation of suspicious .class files in the temporary folders of WebSphere applications
- Find and monitor the presence and creation of web pages in the static resource folders of web applications.
- Monitor the processes that were executed by the web server parent service processes (i.e. w3wp.exe, tomcat6.exe) or by database related processes (i.e. sqlservr.exe). Processes like cmd.exe, powershell.exe, wmic.exe and other executables related to code execution are very suspicious.
- Implement and verify segregation between the DMZ and the internal server. Close monitoring and access control over these regions is important to delay / prevent malicious actors from moving forward after compromising a web server.