Researchers warn of a sophisticated cybercriminal group that has been stealing millions of dollars from finance and commerce organizations over the past year by breaking into networks via legacy Java applications and then laying low to learn internal financial processes. The group, which researchers from incident response firm Sygnia have dubbed Elephant Beetle, uses a large collection of custom and open-source tools in its operations, including Java backdoors, and is good at blending in with the target’s environment and network traffic flows to remain undetected for months.
Its behavior is reminiscent of groups like Carbanak that have stolen hundreds of millions of dollars from financial institutions, including central banks. While Elephant Beetle’s target selection seems to favor Latin America, it has hit the local branches of international companies and its activities could easily expand to other regions in the future.
Initial infiltration and lateral movement
The group’s infiltration methods are not sophisticated, as they don’t use zero-day exploits. Instead, it targets legacy and unpatched Java applications and web servers, particularly WebSphere and WebLogic, that are exposed to the internet.
According to Sygnia, the group has been using older remote code execution (RCE) exploits: Primefaces Application Expression Language Injection (CVE-2017-1000486), WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450), SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963).
In addition to exploits, the group also tries to access web management interfaces such as myWebMethods (WMS) and QLogic using default credentials. Once they gain access to the server via a web shell, they search scripts and configuration files for additional stored credentials. For example, WebSphere stores admin credentials in server.xml in an XOR-encoded form that is easy to decode.
If they gain additional credentials to the server management tools, the attackers use them to deploy their own Java application in the form of a WAR archive or place it inside auto-deploy folders. This application is a collection of web shells and other tools such as Java-based network scanners.
Another technique observed was the injection of malicious backdoor code into default web pages such as iisstart.aspx or default.aspx on IIS web servers. Access to these pages is usually not blocked or restricted by web firewall rules and they can potentially be accessed from the internet.
The Elephant Beetle attackers also download the source code of the applications present on the server, possibly to find potential weaknesses.
“This act, combined with the threat group scans for specific proprietary web interfaces, indicates that they have extensive understanding and knowledge in the field of pen testing,” the Sygnia researchers said in their report.
The group has been using a variety of port scanning and other fingerprinting tools to find additional systems and assets they can attack after the initial intrusion. This includes a TLS scanner, a batch script for enumerating open shares on machines in a Windows domain environment, and a Microsoft-developed script for finding Service Principal Names within the domain.
“The threat group moves laterally within the network mainly through web application servers and SQL servers, leveraging known techniques such as Windows APIs (SMB/WMI) and ‘xp_cmdshell’, combined with custom remote execution volatile backdoors,” the researchers said. The group has been using backdoor and traffic tunneling tools written in Java, PowerShell and Perl. In total Elephant Beetle has been observed using over 80 different tools and scripts during its operations.
MS-SQL servers appear to be a favorite target after the initial compromise of web servers. The attackers will attempt to access the SQL database servers using credentials found in web applications and create administrative accounts.
RCE on Windows machines is done via Windows Management Instrumentation (WMI) and SMB using scripts such as Invoke-SMBExec.ps1 — part of the Empire exploitation framework — and WmiExec.vbs. Command outputs and files extracted from internal servers with these remote commands are relayed back to already compromised systems via proxy or tunneling tools and are then stored in internet accessible folders for exfiltration.
Attackers perform their operations on compromised machines from temporary system folders to avoid leaving traces in permanent locations. The malicious files are named after the victim company or applications that the company uses to make detection harder. When the tools are initially uploaded, they can be obfuscated in Base64 and are then decoded using system tools such as Certutil.exe.
To harvest credentials the group dumps the memory of the LSASS.exe process with tools such as PWdump7, Out-Minidump.ps1 or the ProcDump tool. They also extract the SAM and SYSTEM registry hives and harvest the NTDS.DIT file from domain controllers and decrypt it.
Privilege escalation is achieved with DLL side-loading, for example by side-loading httpodbc.dll on old IIS servers, or with tools such as incognito v2 for token manipulation and impersonation.
Months-long reconnaissance and money theft
Once Elephant Beetle breaks into a network, it spends the first few weeks to a month performing lateral movement and customizing its backdoors to the target’s environment. This is followed by several months in which the attackers simply blend into the background and patiently study the victim’s financial operations: the software, infrastructure and processes used to perform legitimate transactions.
Once all the workflows are understood and the required access has been gained, the group starts injecting fraudulent transactions for small amounts of money that are likely to go unnoticed. These mimic legitimate transactions, and the goal is to stack as many of them as possible over time instead of stealing a lot of money in one go. Using this technique, the attackers can siphon off millions of dollars over time while remaining undetected.
This differs from the behavior of groups like Carbanak, which similarly take a lot of time to prepare their ground inside a compromised network and study financial processes for months, but then perform a one-time, well-prepared attack that results in the theft of tens of millions of dollars from the target. While groups like Carbanak know they will be discovered once they pull the trigger on a big hit, the Elephant Beetle attackers hope to remain undetected for extended periods of time.
“If during its efforts any fraudulent activity is discovered and blocked, they then simply lay low for a few months only to return and target a different system,” the Sygnia researchers said.
It’s not clear where the Elephant Beetle attackers are from, but strings found in their tools suggest they are Spanish speakers, so Latin America is a strong possibility. This might also explain their current focus on targets in the region; several of their command-and-control servers are also hosted in Mexico. There are similarities, too, to a group that Mandiant tracks as FIN13, which has been active since at least 2017 and has targeted organizations in Mexico.
“Elephant Beetle seems to primarily focus on Latin American targets, but that doesn’t mean that organizations not based there are safe,” the researchers said. “For example, our IR team discovered that the Latin American operations of a U.S. company had been breached. As such, both regional and global organizations should be on their guard.”
Detecting Elephant Beetle attacks
Detecting long-term and stealthy intrusions like those performed by Elephant Beetle often requires active internal threat hunting. The Sygnia report contains IOCs and TTPs based on the MITRE ATT&CK framework. The company’s recommendations include:
- Maintain applications and keep operating systems up-to-date, especially on internet-facing servers.
- Avoid using clear-text credentials in scripts.
- Avoid using the same password for different administrative interfaces on different servers.
- Avoid using the xp_cmdshell procedure and disable it on MS-SQL servers. Monitor for configuration changes and usage of xp_cmdshell.
- Monitor WAR deployments and validate that the package deployment functionality is included in the logging policy of the relevant applications.
- Hunt and monitor for the presence and creation of suspicious .class files in the WebSphere application temp folders.
- Hunt and monitor for the presence and creation of web pages in the static resource folders of web applications.
- Monitor for processes that were executed by either web server parent service processes (e.g., w3wp.exe, tomcat6.exe) or by database-related processes (e.g., sqlservr.exe). Child processes like cmd.exe, powershell.exe, wmic.exe and other code execution-related executables are highly suspicious.
- Implement and verify segregation between the DMZ and internal servers. Close monitoring and access control over these regions is important to delay or stop malicious actors from moving forward after compromising a web server.
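As an added example, not code from the Sygnia report or from this article, the following Python hunting routine applies the parent/child process rule from the recommendations above (a web server or database service process spawning cmd.exe, powershell.exe, wmic.exe and similar executables) together with the certutil.exe decoding pattern and the temporary-folder staging described earlier in the article. It runs over a handful of constructed Sysmon-style process-creation events; the JSON field names, hostnames, timestamps and command lines are assumptions made for this example and do not come from any real incident.

```python
"""Hunt for code-execution processes spawned by web server or database services.

Added example for illustration. Event format, field names and sample data are
constructed assumptions; they are not taken from the Sygnia report or from any
real telemetry.
"""
from __future__ import annotations

import json

# Parent service processes called out in the detection guidance.
WEB_SERVER_PARENTS = {"w3wp.exe", "tomcat6.exe"}
DATABASE_PARENTS = {"sqlservr.exe"}

# Child processes that are highly suspicious when spawned by those parents.
EXECUTION_CHILDREN = {
    "cmd.exe", "powershell.exe", "wmic.exe", "certutil.exe",
    "cscript.exe", "wscript.exe", "rundll32.exe",
}

# Constructed sample: Sysmon-style process creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"time": "2021-11-03T08:12:01Z", "host": "WEB01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"time": "2021-11-03T08:14:37Z", "host": "SQL02", "parent_image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c powershell -nop -w hidden -f C:\\Windows\\Temp\\acme_update.ps1"}
{"time": "2021-11-03T08:20:05Z", "host": "WEB01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe", "command_line": "certutil.exe -decode C:\\Windows\\Temp\\acme.txt C:\\Windows\\Temp\\acme.exe"}
{"time": "2021-11-03T08:21:11Z", "host": "WEB01", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"time": "2021-11-03T08:25:49Z", "host": "ADM03", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe", "command_line": "certutil.exe -hashfile C:\\installers\\setup.msi SHA256"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the list of reasons an event is suspicious (empty if none)."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    tokens = event.get("command_line", "").lower().split()
    reasons = []

    # Rule 1: a web server worker process launched a code-execution tool.
    if parent in WEB_SERVER_PARENTS and child in EXECUTION_CHILDREN:
        reasons.append(f"web server process {parent} spawned {child}")

    # Rule 2: the database engine launched a code-execution tool; on MS-SQL this
    # is the process lineage xp_cmdshell produces, so the procedure's use should be reviewed.
    if parent in DATABASE_PARENTS and child in EXECUTION_CHILDREN:
        reasons.append(f"database process {parent} spawned {child} (review xp_cmdshell usage)")

    # Rule 3: certutil decoding a file, regardless of parent, matches the
    # Base64 tool-staging behaviour described in the article.
    if child == "certutil.exe" and any(t in ("-decode", "/decode") for t in tokens):
        reasons.append("certutil used to decode a file (possible staged tool)")

    # Enrichment: staging from a temporary folder raises the confidence of an existing hit.
    if reasons and any("\\temp\\" in t for t in tokens):
        reasons.append("command line references a temp folder")
    return reasons


def hunt(jsonl: str) -> list:
    """Parse JSON-lines events and return one finding per suspicious event."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage_event(event)
        if reasons:
            findings.append({
                "time": event["time"],
                "host": event["host"],
                "parent": basename(event["parent_image"]),
                "child": basename(event["image"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['host']}: {finding['parent']} -> {finding['child']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Three of the five constructed events are flagged: the w3wp.exe-to-cmd.exe launch, the sqlservr.exe-to-cmd.exe launch (which also references a temp folder), and the certutil -decode invocation; the svchost.exe launch and the certutil -hashfile invocation are not. In production the same rules would be fed from Sysmon Event ID 1 or an EDR process-creation stream rather than the embedded sample, and a temp-folder reference on its own is deliberately not a finding, since legitimate installers use those folders constantly.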