Published: February 26, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Hoping financial entities and the IT staff who protect them don’t notice, the threat group Elephant Beetle is stealing money from them in small increments that add up to big-time hauls. These hackers target institutions still running Linux-based, legacy Java applications. Once inside a target environment, the group waits patiently for months while its small, fraudulent, under-the-radar withdrawals add up to millions of dollars.
Hiding in Plain Sight
Two years ago, Sygnia’s Incident Response team began following the group and its methods, and it was Sygnia that gave Elephant Beetle its name. Following the group’s trail of success, Sygnia found Elephant Beetle’s actors to be well-organized, thorough from start to finish, and extremely patient. Sygnia says the attacks rely on their simplicity, with no need for sophisticated tools or exploits. Elephant Beetle spends months studying a target and its financial systems before placing its small, fraudulent transactions among stacks of much larger, legitimate customer transactions.
Primarily targeting Linux machines running Java apps, the threat actors are particularly successful with those companies using WebSphere and WebLogic Java-based web servers. These servers allow Elephant Beetle to easily enter a target’s environment and begin their hacking plan. According to Sygnia, the group comes to the hacking party prepared. Sygnia finds the group arrives on site with over 80 “unique tools and scripts.” As a result, Elephant Beetle is “blending in with the target’s environment and going completely undetected while it quietly liberates organizations of exorbitant amounts of money.”
Finding and exploiting vulnerable systems is something most hackers love to do, and the Elephant Beetle group is no different. These vulnerabilities allow this gang of thieves to infiltrate and achieve what they came to do – steal credentials to keep their thievery going. In particular, Elephant Beetle looks for four known vulnerabilities found in WebSphere and WebLogic servers. IT personnel should be aware of their CVE (Common Vulnerabilities and Exposures) identifiers, especially if their company’s technology uses those particular web servers: CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326 and EDB-ID-24963.
Among their suggestions to mitigate attacks, Sygnia offers the following recommendations to help IT pros “protect and hunt” against Elephant Beetle and those who may follow in their steps.
Maintain applications and keep operating systems up-to-date, especially on internet-facing servers.
Avoid using clear-text credentials in scripts.
Avoid using the same password for different administrative interfaces on different servers.
Hunt and monitor for the presence and creation of suspicious .class files in the WebSphere applications temp folders.
Hunt and monitor for the presence and creation of web pages in the static resources folders of web applications.
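As an added example (not from the Sygnia report or this newsletter), a small Python hunt script for the last two recommendations: it flags .class files recently written under a WebSphere temp folder tree, and web pages that turn up inside static-resource folders of deployed applications. The directory layout, the list of static-folder names and the sample files are constructed assumptions; point it at the real profile temp and installed-application directories.

```python
import os
import tempfile
import time
from pathlib import Path

WEB_PAGE_SUFFIXES = {".jsp", ".jspx", ".html", ".htm"}
# Folder names that normally hold only static resources (constructed list; extend as needed).
STATIC_DIR_NAMES = {"static", "resources", "css", "js", "images", "img"}


def find_suspicious_files(temp_dir, webapp_roots, window_seconds, now=None):
    """Return sorted (reason, path) pairs for files changed within the window."""
    cutoff = (time.time() if now is None else now) - window_seconds
    findings = []
    # 1. Compiled classes appearing in the server temp folder tree.
    if os.path.isdir(temp_dir):
        for p in Path(temp_dir).rglob("*.class"):
            if p.is_file() and p.stat().st_mtime >= cutoff:
                findings.append(("class-in-temp", str(p)))
    # 2. Web pages written into static-resource folders of deployed apps.
    for root in webapp_roots:
        if not os.path.isdir(root):
            continue
        for p in Path(root).rglob("*"):
            if not p.is_file() or p.suffix.lower() not in WEB_PAGE_SUFFIXES:
                continue
            parents = {part.lower() for part in p.relative_to(root).parts[:-1]}
            if parents & STATIC_DIR_NAMES and p.stat().st_mtime >= cutoff:
                findings.append(("page-in-static-dir", str(p)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and return findings relative to it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as base:
        samples = {  # relative path -> age in seconds (constructed sample data)
            "temp/node/server/app/Unknown.class": 60,          # fresh, flagged
            "temp/node/server/app/Old.class": 30 * 86400,      # stale, ignored
            "installedApps/app.ear/w.war/js/shell.jsp": 120,   # fresh page in js/, flagged
            "installedApps/app.ear/w.war/index.jsp": 120,      # expected location, ignored
            "installedApps/app.ear/w.war/css/site.css": 120,   # not a page, ignored
        }
        for rel, age in samples.items():
            full = Path(base, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text("x")
            os.utime(full, (now - age, now - age))
        hits = find_suspicious_files(Path(base, "temp"), [Path(base, "installedApps")], 3600, now=now)
        return [(reason, os.path.relpath(path, base)) for reason, path in hits]
```

Run on a schedule and diff the output against the previous run so that only newly appearing files need a look; a legitimate deployment will also produce hits, so correlate with change records.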