Sygnia’s Incident Response team discovered a threat group conducting financial theft by discreetly stealing millions of dollars from financial and commerce companies’ systems while hiding in plain sight.
The group operates inside the victims’ networks for months while studying their financial systems and injecting fraudulent transactions into regular activity.
Dubbed Elephant Beetle or TG2003, the threat group does not develop new zero-day exploits to commit financial theft. Instead, it relies on about 80 unique tools and scripts to blend into the target’s environment, remain undetected, and liberate “exorbitant amounts of money.”
The Israeli-based researchers have been tracking the group for two years to learn of its various tools, techniques, and procedures (TTPs).
Elephant Beetle leverages Java applications to commit financial theft
According to the researchers, Elephant Beetle is adept at exploiting Java applications. The group targets “legacy Java applications running on Linux-based machines as the means for initial entry,” they wrote.
After gaining access, the gang drops a complete Java Web application to commit financial theft while running alongside the targeted legitimate app.
Sygnia IR team researchers compared Elephant Beetle to the FIN13 threat group that attacked Mandiant.
To avoid detection, the hacking group drops web shells in the resources directory of the target application, disguising the files as images, fonts, js, and CSS files with similar names to the legitimate app but with the ‘.JSP’ extension.
When ready to commit financial theft, they pack the payloads into WAR archives, a method considered “super-persistent” in some environments like WebSphere and WebMethods.
The researchers noted that removing the web shell files on these environments is insufficient because “the web pages are being loaded and held in the server’s process memory.”
The attackers also modify or replace the default web pages like default.aspx or iisstart.aspx to ensure that they can access their web shells from the Internet.
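The naming trick described above (server pages planted among static assets and named like them) is easy to hunt for on a deployed application. The following is an added example, not code from Sygnia or the article: a small Python scanner that walks a web application directory and flags JSP files that sit under a static-resource directory, carry a double extension such as logo.png.jsp, or share a stem with a real asset beside them (style.jsp next to style.css). The directory names, asset extensions and the sample deployment it builds in a temporary directory are all constructed for the illustration.

```python
import tempfile
from pathlib import Path

# Directories in which a Java web app keeps static assets; a server page has no business there.
# (Constructed list for this example, not taken from the report.)
STATIC_DIRS = {"resources", "static", "assets", "images", "img", "fonts", "css", "js"}
# Extensions that the disguised names imitate (images, fonts, scripts, stylesheets).
ASSET_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".woff", ".woff2", ".ttf", ".eot", ".js", ".css"}
JSP_EXTS = {".jsp", ".jspx"}


def scan_for_disguised_jsp(root):
    """Walk a deployed web application and return {path: [reasons]} for JSP files
    that look like static assets. Any one of three heuristics flags a file:
    the JSP sits under a static-resource directory; its name carries a double
    extension such as logo.png.jsp; or a legitimate asset with the same stem
    (style.css next to style.jsp) exists in the same directory."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in JSP_EXTS:
            continue
        reasons = []
        parent_dirs = {part.lower() for part in path.relative_to(root).parts[:-1]}
        if parent_dirs & STATIC_DIRS:
            reasons.append("JSP placed inside a static resource directory")
        stem = path.stem                       # "logo.png.jsp" -> "logo.png"
        inner_ext = Path(stem).suffix.lower()  # -> ".png"
        if inner_ext in ASSET_EXTS:
            reasons.append(f"double extension imitates a {inner_ext} asset")
        for ext in sorted(ASSET_EXTS):
            if path.with_name(stem + ext).exists():
                reasons.append(f"name mirrors sibling asset {stem}{ext}")
                break
        if reasons:
            findings[str(path)] = reasons
    return findings


def build_sample_tree(base):
    """Constructed sample deployment (not from the report): a legitimate app plus
    three planted pages named like the assets beside them."""
    files = {
        "webapp/index.jsp": "<html>home</html>",
        "webapp/WEB-INF/views/login.jsp": "<html>login</html>",
        "webapp/resources/css/style.css": "body { margin: 0 }",
        "webapp/resources/css/style.jsp": "<%-- planted --%>",
        "webapp/resources/images/logo.png": "PNG",
        "webapp/resources/images/logo.png.jsp": "<%-- planted --%>",
        "webapp/resources/fonts/Open.JSP": "<%-- planted --%>",
        "webapp/resources/js/app.js": "var ready = true;",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the sample tree in a temporary directory and return {file name: reasons}."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan_for_disguised_jsp(base)
        return {Path(p).name: reasons for p, reasons in findings.items()}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "->", "; ".join(reasons))
```

Run against a real deployment by calling scan_for_disguised_jsp on the application root; the two legitimate pages in the sample (index.jsp and WEB-INF/views/login.jsp) produce no finding, while the three planted files are each reported with the heuristic that caught them. Findings still need review, since some frameworks do keep JSP fragments in unusual places.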
Additionally, they use a custom Java scanner against specific IP lists, ports, or HTTP interfaces to identify neighboring systems or installed applications that could be targeted.
The attackers move laterally across the network by leveraging web application and SQL servers via techniques such as Windows APIs (SMB/WMI), ‘xp_cmdshell’, and remote code execution.
According to the researchers, the attacks exploit the following known vulnerabilities discovered as early as 2010.
The group also uses Spanish variables and file names, and most of its servers are based in Mexico.
Meanwhile, independent research by the Onapsis threat intelligence team found that the vulnerabilities exploited by Elephant Beetle could be used to execute other sophisticated attacks beyond financial theft. “Threat actors have deeper knowledge and skills permitting them to conduct more sophisticated attacks on more complex and unpatched business-critical applications,” they noted.
Chris Olson, CEO of The Media Trust, noted that Elephant Beetle was an example of evolving threats. “Elephant Beetle is another example of the ever-evolving sophistication of criminal activity leveraging the complexity of digital environments,” Olson said.
“While this group is creating fraudulent transactions in enterprise environments, it’s safe to assume they can also hijack and steal consumer data like banking details, credit card numbers, etc. The risk of weaponizing enterprise websites/mobile apps to harm consumers is too great to ignore.”
Elephant Beetle is patient, organized, and meticulous in planning financial theft
According to the researchers, the group meticulously plans financial theft operations in stages. It spends several months preparing attacks in which small amounts are stolen over long periods, usually amounting to millions in total. However, they halt financial theft operations once detected and resume on a different system.
Arie Zilberstein, VP of Incident Response at Sygnia, described the group as “stealthy” and “highly organized.”
“Even after initial detection, our experts have found that ‘Elephant Beetle’ is able to lay low, but remain deeply embedded in a compromised organization’s infrastructures, enabling it to reactivate and continue stealing funds at any moment.”
“Cybercriminals are doing the same thing that we’ve seen in traditional fraud,” said Elizabeth Wharton, VP Operations, SCYTHE. “This is the same kind of small-dollar value theft that we see when people try to embezzle money from a company.
“The difference here is that companies lack the tools to detect it. They can’t use their fraud detection tools because it’s not an internal person exploiting their systems.”
While Elephant Beetle targets organizations in the Latin American region, it also targets multinationals operating in the region.
Recently, Sygnia researchers responded to a compromised American company with branches in the affected region. Consequently, they warned all organizations to remain vigilant for potential Elephant Beetle financial theft activity.
Protecting an organization against Elephant Beetle threat actors
Sygnia researchers advised system administrators to avoid using the ‘xp_cmdshell’ procedure and to disable it on their MS-SQL servers. They should also monitor WAR deployments and log package deployment for various applications. Additionally, they should search for suspicious ‘.class’ files in the temp folders of WebSphere applications.
Similarly, security teams should monitor processes executed by web servers and database applications such as ‘w3wp.exe’, ‘tomcat6.exe’, and ‘sqlservr.exe’. They should also patch the listed vulnerabilities and segregate networks between DMZ and internal servers.
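The process-monitoring advice above translates directly into a detection rule: a web server worker or the SQL Server service spawning a new binary, and a command shell in particular, is rare in normal operation and is exactly what ‘xp_cmdshell’ execution looks like in process telemetry (cmd.exe with sqlservr.exe as parent). The following is an added example, not code from Sygnia or the article: a Python rule run over a constructed CSV export of process-creation events. The column names, hosts, paths and command lines are all hypothetical sample data.

```python
import csv
import io
from collections import Counter

# Parent processes the guidance says to watch: IIS worker, Tomcat service, SQL Server.
WATCHED_PARENTS = {"w3wp.exe", "tomcat6.exe", "sqlservr.exe"}
# Children that a web or database server has no routine reason to spawn.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "wmic.exe", "certutil.exe"}

# Constructed sample of process-creation events in a hypothetical CSV export (not real telemetry).
SAMPLE_EVENTS = r"""timestamp,host,parent_image,image,command_line
2021-11-02T10:14:03Z,web01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2021-11-02T10:14:05Z,web01,C:\Windows\System32\svchost.exe,C:\Windows\System32\inetsrv\w3wp.exe,w3wp.exe -ap DefaultAppPool
2021-11-02T10:16:41Z,db01,C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe,C:\Windows\System32\cmd.exe,cmd.exe /c net user
2021-11-02T10:20:12Z,app02,C:\Tomcat\bin\tomcat6.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -Command Get-Process
2021-11-02T10:21:00Z,app02,C:\Tomcat\bin\tomcat6.exe,C:\Program Files\Java\jre\bin\java.exe,java.exe -jar report.jar
2021-11-02T10:25:30Z,ws17,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
"""


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_server_spawned_processes(csv_text):
    """Return one alert per event in which a watched server process spawned a child.
    Severity is 'high' for shell-like children and 'medium' for anything else,
    because a web or database server launching any new binary deserves a look."""
    alerts = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        parent = basename(event["parent_image"])
        child = basename(event["image"])
        if parent not in WATCHED_PARENTS:
            continue  # parent is not one of the server processes we care about
        severity = "high" if child in SHELL_CHILDREN else "medium"
        alerts.append({
            "time": event["timestamp"], "host": event["host"],
            "parent": parent, "child": child,
            "command_line": event["command_line"], "severity": severity,
        })
    return alerts


def summarize(alerts):
    """Count alerts per (host, parent) so a triage queue shows where to start."""
    return Counter((a["host"], a["parent"]) for a in alerts)


if __name__ == "__main__":
    found = detect_server_spawned_processes(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["severity"]:6} {a["time"]} {a["host"]} {a["parent"]} -> {a["child"]}: {a["command_line"]}')
    print(summarize(found))
```

On the sample, the svchost.exe and explorer.exe rows are ignored because the parent is not a watched server process; the four remaining rows produce three high-severity alerts (cmd.exe under w3wp.exe, cmd.exe under sqlservr.exe, powershell.exe under tomcat6.exe) and one medium-severity alert for java.exe under tomcat6.exe, which an analyst can allowlist once confirmed as a scheduled job. On the SQL Server side, disabling the procedure as the researchers advise is done with sp_configure ('xp_cmdshell' set to 0 followed by RECONFIGURE), after which a cmd.exe child of sqlservr.exe should not occur at all and any such alert is worth treating as a confirmed finding.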
Onapsis also advised organizations to include SAP applications in their vulnerability management routine, given the high volume of vulnerability patches.
“This research further confirms that threat actors understand SAP applications and that they are leveraging SAP-specific exploits and techniques to compromise companies with the ultimate goal of exfiltrating data and performing financial fraud,” said Juan Pablo Perez-Etchegoyen, CTO at Onapsis.
“Some of the vulnerabilities identified by the Sygnia research team were highlighted by CISA in 2016, through the technical alert TA16-132A, due to the vast exploitation and compromise of internet-facing SAP applications performed by diverse threat actors. This was followed by four other CISA technical and current activity alerts in the successive years.”