A threat actor that goes by the name ‘Elephant Beetle’ is using a combination of around 80 tools to steal millions of dollars from enterprises across the world. It studies the victim’s network and environment patiently including the financial transactions, and then starts to exploiting the network with the flaws and loopholes identified.
The criminals introduce fake transactions into the environment and then steal small amounts over a long period, thus hiding the actual theft and keeping it calm. If in case these actions are spotted they continue to stay in the network but do not perform any further activities but later repeat the same with different method.
Elephant Beetle Mode of Operation
Elephant Beetle targets legacy Java applications on Linux devices, and focuses on known vulnerabilities that are left unpatched. It leverages the following four vulnerabilities to execute arbitrary code remotely via a specially designed web shell. Once they breach the network, their next checkpoint is to stay invisible and study the environment, this will be done over a period of months.
- SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)
- Config Servlet Remote Coed Execution (EDB-ID-24963)
- WebSphere Application Server SOAP Exploit (CVE-2015-7450)
- Primefaces Application Expression Language Injection (CVE-2017-1000486).
They stay undetected by behaving in a normal way and sync with the normal traffic to be legitimate source and use WAR archives to prepare the payloads. These actors will then slowly start becoming more of a parasite by manipulating the files, and prepare for their attack.
Spreads Wings Within Network Latrelly
The actors use a custom-made Java scanner that gets IP addresses for a HTTP or Specific Port. This custom-made scanner is versatile and can be personalized as per the actors mission, later, they figure out the best internal server points and compromise it using stolen credentials or using RCE vulnerability and spread further laterally within the network.
The lateral movement is achieved using the SQL and Web Application Servers using Windows APIs and xp_cmdshell with remote execution backdoors. Also, it is reported that the actors use multiple backdoors to achieve their goal.
Putting a Hurdle to Elephant Beetle
The C2 of Elephant Beetle operation is based out of Mexico and the actors use multiple Spanish Code Variables and References which emphasizes the same. And the custom-made scanner was uploaded from Argentina which confirms the groups origin should be from the LATAM.
Here’s what you should do to avoid Elephant Beetle threat,
- Do not use xp_cmdshell and shutdown the MS-SQL servers. Monitor the changes in the use of xp_cmdshell and the configurations.
- Check WAR activities and validate the deployment of packages and their functionality is associated with logging.
- Verify the isolation between your internal servers and the DMZ.
- Verify your WebSphere apps’s temp folders for malicious .class file.
- Patch those unpatched applications immediatley as its targeting old unpatched vulnerabilities.