‘Elephant Beetle’ spends months in victim networks to divert transactions



A financially motivated actor dubbed 'Elephant Beetle' is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts.


The group is very sophisticated and patient, spending months studying the victim's environment and financial transaction processes before moving to exploit flaws in those operations.


The actors inject fraudulent transactions into the network and steal small amounts over long periods, leading to an overall theft of millions of dollars. If they are spotted, they lay low for a while and return through a different system.


The expertise of 'Elephant Beetle' appears to be in targeting legacy Java applications on Linux systems, which is typically their entry point to corporate networks.


The actor's TTPs are exposed in a detailed technical report which the Sygnia Incident Response team shared with Bleeping Computer before publication.


Exploiting flaws and blending with normal traffic


'Elephant Beetle' prefers to target known and likely unpatched vulnerabilities instead of buying or developing zero-day exploits.


Sygnia researchers have observed the group for two years and can confirm that the threat actors exploited the following flaws:


  • Primefaces Application Expression Language Injection (CVE-2017-1000486)

  • WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450)

  • SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)

  • SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963)

All four of the above flaws enable the actors to execute arbitrary code remotely via a specially crafted and obfuscated web shell.
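As an added defender-side example (not from the article or from Sygnia's report), the Python below scans web access-log lines for requests whose endpoint shape matches the public advisories for three of the four flaws above, so an operations team can hunt for exposure of those endpoints. The endpoint patterns are assumptions taken from those advisories, the log lines are constructed, and a hit is a hunt lead rather than proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format) for demonstration only.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2022:10:01:02 +0000] "GET /app/javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=AAAA HTTP/1.1" 200 512
10.0.0.6 - - [03/Jan/2022:10:02:10 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig HTTP/1.1" 200 88
10.0.0.7 - - [03/Jan/2022:10:03:15 +0000] "POST /portal/servlet/com.example.Report HTTP/1.1" 200 1024
10.0.0.8 - - [03/Jan/2022:10:04:00 +0000] "GET /index.jsf HTTP/1.1" 200 2048
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str):
    """Return a label when the request target matches a known exploit endpoint shape.

    Endpoint shapes are an assumption of this example, drawn from the public advisories,
    not from the article. CVE-2015-7450 (WebSphere SOAP connector) is not covered here
    because it arrives on the SOAP port and not in the HTTP access log.
    """
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    # PrimeFaces dynamic resource endpoint with an encrypted payload parameter. The same
    # endpoint is used legitimately by PrimeFaces, so treat hits as leads to review.
    if path.endswith("/javax.faces.resource/dynamiccontent.properties.xhtml") and "pfdrid" in query:
        return "CVE-2017-1000486 PrimeFaces EL injection endpoint"
    # SAP NetWeaver ConfigServlet: should not be reachable from untrusted networks at all.
    if path.lower().endswith("/ctc/servlet/configservlet"):
        return "EDB-ID-24963 SAP ConfigServlet endpoint"
    # Invoker Servlet style path; the invoker should be disabled on patched systems.
    if "/servlet/" in path:
        return "CVE-2010-5326 SAP Invoker Servlet path pattern"
    return None


def flag_requests(log_text: str):
    """Parse each log line and collect (client IP, label, path) for matching requests."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        label = classify(match["target"])
        if label:
            hits.append((match["ip"], label, urlsplit(match["target"]).path))
    return hits


if __name__ == "__main__":
    for ip, label, path in flag_requests(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```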



Image: An example of SAP exploitation (Source: Sygnia)

The actors need to conduct long-term surveillance and research, so the next primary goal is to remain undetected for several months.


To achieve this, they try to blend with regular traffic ..
