A threat actor that goes by the name ‘Elephant Beetle’ is using a combination of around 80 tools to steal millions of dollars from enterprises across the world.
This is a blase act as the group studies the victim’s network and environment patiently including the financial transactions, and then starts to exploiting the network with the flaws and loopholes identified.
The criminals introduce fake transactions into the environment and then steal small amounts over a long period, thus hiding the actual theft and keeping it calm. If in case these actions are spotted they continue to stay in the network but do not perform any further activities but later repeat the same with different method.
Elephant Beetle targets legacy Java applications on Linux devices, and focuses on known vulnerabilities that are left unpatched. This was discovered by the Sygnia Incident Response team and has been published in detail in their report.
Elephant Beetle leverages the following four vulnerabilities to execute arbitrary code remotely via a specially designed web shell, SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) and Config Servlet Remote Coed Execution (EDB-ID-24963), WebSphere Application Server SOAP Exploit (CVE-2015-7450) and Primefaces Application Expression Language Injection (CVE-2017-1000486). Once they breach the network, their next checkpoint is to stay invisible and study the environment, this will be done over a period of months.
They stay undetected by behaving in a normal way and sync with the normal traffic to be legitimate source and use WAR archives to prepare the payloads. These actors will then slowly start becoming more of a parasite by manipulating the files, and prepare for their attack.
The actors use a custom-made Java scanner that gets IP addresses for a HTTP or Specific Port. This custom-made scanner is versatile and can be personalized as per the actors mission, later, they figure out the best internal server points and compromise it using stolen credentials or using RCE vulnerability and spread further laterally within the network.
As per the Sygnia report, the lateral movement is achieved using the SQL and Web Application Servers using Windows APIs and xp_cmdshell with remote execution backdoors. Also, it is reported that the actors use multiple backdoors to achieve their goal.
The C2 of Elephant Beetle operation is based out of Mexico and the actors use multiple Spanish Code Variables and References which emphasizes the same. And the custom-made scanner was uploaded from Argentina which confirms the groups origin should be from the LATAM.
Here’s what you should do to avoid Elephant Beetle threat,
Read through the Sygnia report to understand the Indicator of Compromise which will assist in detecting Elephant Beetle’s presence proactively.
Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.
You can reach out to us via Twitter or Facebook, for any advertising requests.
Explore efficiency with the Top 5 Best Project Management Software – streamline tasks, boost collaboration,…
Explore the top 5 best free antivirus apps for Android smartphones – your essential defense…
Unlocking India's DPDP Act: Your Guide to Rights, Responsibilities, and Top 5 Tools for 2024.…
Uncover insights on advanced features, performance, and user experiences. Discover the top 5 best Data…
Unlock efficient Windows Server patching with insights on top tools and vendors. Streamline your cybersecurity…
Software deployment is the process of rolling out an application, which could occur manually or…