What the Heck is an Elephant Beetle?

Sygnia’s Incident Response team recently discovered a threat group conducting financial theft by subtly stealing millions of dollars from financial and commerce companies’ systems, all the while hiding in plain sight.  The criminal group operates inside the victims’ networks for months while studying their financial systems and injecting fraudulent transactions into regular activity.

Titled Elephant Beetle or TG2003, the cyber threat group does not develop new zero-day exploits to commit financial theft.  Instead, it relies on about 80 unique tools and scripts to blend into the target’s environment, remain undetected, and liberate “exorbitant amounts of money.”  This indicates a sophisticated group that employs extreme patience in its criminal operation.

The Israeli cyber researchers have been tracking the group for two years to learn of its various tools, techniques, and procedures (TTPs).  Researchers explain that Elephant Beetle is adept at exploiting Java applications.  The group targets “legacy Java applications running on Linux-based machines as the means for initial entry,” they state.  After gaining access, the gang drops a complete Java Web application to commit financial theft while running alongside the targeted legitimate app.

The Sygnia IR team compares Elephant Beetle to the FIN13 threat group that attacked Mandiant.  To avoid detection, the hacking group drops web shells in the resources directory of the target application, disguising the files as image, font, JS, and CSS files with names similar to the legitimate app’s but with the ‘.JSP’ extension.

When ready to commit financial theft, the criminals pack the payloads into WAR archives, a method considered “super-persistent” in some environments like WebSphere and WebMethods.  Sygnia highlights that removing the web shell files in these environments is insufficient because “the web pages are being loaded and held in the server’s process memory.”  The attackers also modify or replace default web pages like default.aspx or iisstart.aspx to ensure that they can reach their web shells from the Internet.  In addition, Elephant Beetle utilizes a custom Java scanner to scan specific IP lists, ports, or HTTP interfaces to identify proximity or installed applications that could be targeted.  The attackers then move laterally across the network by leveraging web application and SQL servers via techniques such as Windows APIs (SMB/WMI), ‘xp_cmdshell’, and remote code execution.  Sygnia says the cyber-attacks exploit known vulnerabilities that were discovered as early as 2010.  Of note is that Elephant Beetle also uses Spanish variable and file names, as most of its servers are based in Mexico.

The Onapsis threat intelligence team additionally found that the vulnerabilities exploited by Elephant Beetle could be used to execute other sophisticated attacks beyond financial theft.  “Threat actors have deeper knowledge and skills permitting them to conduct more sophisticated attacks on more complex and unpatched business-critical applications,” they noted.  The CEO of The Media Trust added that Elephant Beetle is an example of evolving threat tactics.  “Elephant Beetle is another example of the ever-evolving sophistication of criminal activity leveraging the complexity of digital environments,” he said.  “While this group is creating fraudulent transactions in enterprise environments, it’s safe to assume they can also hijack and steal consumer data like banking details, credit card numbers, etc.  The risk of weaponizing enterprise websites/mobile apps to harm consumers is too great to ignore.”

Again, Elephant Beetle shows a high level of sophistication: the group is patient, organized, and very meticulous in planning financial theft.  According to these researchers, the group methodically plans financial theft operations in stages.  It spends several months preparing attacks that involve stealing small amounts over long periods, usually adding up to millions.  However, it halts financial theft operations once detected and resumes on a different system, again showing a refined degree of discipline.

Sygnia described the group as “stealthy” and “highly organized.”  “Even after initial detection, our experts have found that ‘Elephant Beetle’ is able to lay low, but remain deeply embedded in a compromised organization’s infrastructures, enabling it to reactivate and continue stealing funds at any moment.”

“Cybercriminals are doing the same thing that we’ve seen in traditional fraud,” said Scythe cyber security. “This is the same kind of small-dollar value theft that we see when people try to embezzle money from a company.  The difference here is that companies lack the tools to detect it.  They can’t use their fraud detection tools because it’s not an internal person exploiting their systems.”

While this group has historically focused on organizations in the Latin American region, it also targets multinationals operating in the region.  Recently, Sygnia responded to a compromised American company with branches in the affected region.  Subsequently, they warned all organizations to remain vigilant for potential Elephant Beetle financial theft activity.[1]

Sygnia is warning system administrators to avoid using the ‘xp_cmdshell’ procedure and to disable it on their MS-SQL servers.  They should also monitor WAR deployments and log package deployments for their various applications.  Additionally, IT professionals should search for suspicious ‘.class’ files in the temp folders of WebSphere applications.  Likewise, security teams should monitor processes executed by web servers and database applications such as ‘w3wp.exe’, ‘tomcat6.exe’, and ‘sqlservr.exe’.  They should also patch the listed vulnerabilities and segregate networks between the DMZ and internal servers.
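Two of the checks above (web-shell files disguised as static assets in the application’s resources directory, and unexpected child processes of ‘w3wp.exe’, ‘tomcat6.exe’ and ‘sqlservr.exe’) can be scripted.  The following is an added example, not code from Sygnia or Red Sky Alliance; the log format, the allow-listed child processes and the sample paths are constructed assumptions a team would adapt to its own deployment.

```python
import re
from pathlib import PurePosixPath

# Parent processes the article says to monitor for spawned child processes.
WATCHED_PARENTS = {"w3wp.exe", "tomcat6.exe", "sqlservr.exe"}
# Children considered normal for those parents; deployment-specific (assumption).
ALLOWED_CHILDREN = {"conhost.exe", "csc.exe"}

# Constructed, Sysmon-style process-creation records: parent|child|command line.
SAMPLE_PROC_EVENTS = """\
w3wp.exe|csc.exe|csc.exe /out:App_Web_x.dll
w3wp.exe|cmd.exe|cmd.exe /c dir
sqlservr.exe|cmd.exe|cmd.exe /c echo test
tomcat6.exe|conhost.exe|conhost.exe
explorer.exe|cmd.exe|cmd.exe
"""

def suspicious_child_processes(events: str) -> list[tuple[str, str, str]]:
    """Return (parent, child, cmdline) for non-allow-listed children of watched servers."""
    hits = []
    for line in events.splitlines():
        parent, child, cmdline = line.split("|", 2)
        if parent.lower() in WATCHED_PARENTS and child.lower() not in ALLOWED_CHILDREN:
            hits.append((parent, child, cmdline))
    return hits

# Directories that should hold only static assets, never server-side JSP (assumption).
RESOURCE_DIRS = {"resources", "static", "assets", "css", "js", "fonts", "img"}
# A static-asset extension directly followed by .jsp, e.g. logo.png.jsp.
DOUBLE_EXT = re.compile(r"\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|js|css)\.jsp$", re.I)

# Constructed listing of a deployed Java web application.
SAMPLE_FILES = [
    "/opt/app/webapps/bank/resources/img/logo.png",
    "/opt/app/webapps/bank/resources/img/logo.png.jsp",
    "/opt/app/webapps/bank/resources/js/main-script.jsp",
    "/opt/app/webapps/bank/WEB-INF/views/login.jsp",
]

def disguised_jsp_files(paths) -> list[str]:
    """Flag .jsp files inside a static-resource directory or named like an asset."""
    flagged = []
    for p in paths:
        path = PurePosixPath(p)
        if path.suffix.lower() != ".jsp":
            continue  # only JSP can be a web shell here; real JSP views live elsewhere
        in_resource_dir = RESOURCE_DIRS.intersection(part.lower() for part in path.parts[:-1])
        if in_resource_dir or DOUBLE_EXT.search(path.name):
            flagged.append(p)
    return flagged
```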

The Onapsis group also advises organizations to include SAP applications in their vulnerability management routine, given the high volume of vulnerability patches.  “This research further confirms that threat actors understand SAP applications and that they are leveraging SAP-specific exploits and techniques to compromise companies with the ultimate goal of exfiltrating data and performing financial fraud,” said Onapsis.  “Some of the vulnerabilities identified by the Sygnia research team were highlighted by CISA in 2016, through the technical alert TA16-132A, due to the vast exploitation and compromise of internet-facing SAP applications performed by diverse threat actors.  This was followed by four other CISA technical and current activity alerts in the successive years.”

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.cpomagazine.com/cyber-security/threat-group-elephant-beetle-involved-in-financial-theft-of-millions-through-small-amounts-over-long-periods/
