According to The Hacker News website, cybersecurity researchers have disclosed an organized financial theft group that targeted transaction processing systems and stole funds from financial entities in Latin America for at least 4 years.
The Israeli incident response company Sygnia named the group Elephant Beetle. The group is skilled at operating undetected for long periods: it blends into the target environment, patiently studies the target's financial systems, and then commits covert fraud that is hidden among routine activity. Over the course of an intrusion, the group uses no fewer than 80 unique tools or scripts to carry out the attack.
Arie Zilberstein, Sygnia's Vice President of Incident Response, said that Elephant Beetle's distinctive modus operandi is its in-depth study of the target's financial systems and operations: the group continually looks for technical flaws that allow it to inject fraudulent financial transactions, ultimately achieving large-scale financial theft. Because the group stays in the victim's network for so long, it frequently changes and adjusts its techniques and tools to keep its attacks effective.
Zilberstein also believes that the attacks succeed partly because of the large attack surface provided by the legacy systems present in financial institutions' networks. These systems serve as entry points through which the attacker gains a long-term foothold in the target network.
If the group happens to be discovered while carrying out an attack, it suspends its operations, only to quietly return a few months later. Initial access is gained through external-facing Java-based web servers (such as WebSphere and WebLogic): the group exploits known, unpatched vulnerabilities in these systems and then deploys a web shell to achieve remote code execution and lateral movement. The vulnerabilities used include:
CVE-2017-1000486 (CVSS score: 9.8) - PrimeFaces application expression language injection
CVE-2015-7450 (CVSS score: 9.8) - WebSphere Application Server SOAP deserialization remote code execution
CVE-2010-5326 (CVSS score: 10.0) - SAP NetWeaver Invoker Servlet exploit
EDB-ID-24963 - SAP NetWeaver ConfigServlet remote code execution
“This attack on Latin American financial entities once again emphasizes that some attackers who do their homework can sometimes stay latent for a long time,” Arie Zilberstein said. “Although much of today's focus is on avoiding and preventing imminent ransomware, there are still other attackers quietly spreading through networks to obtain long-term, stable economic benefits.”