The Incident Response team at Sygnia recently released a report detailing targeted attacks against legacy Java applications on Linux machines by a threat group known as Elephant Beetle. The group has been observed exploiting the following vulnerabilities:
- SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) from 2010
- Config Servlet Remote Code Execution (EDB-ID-24963)
- WebSphere Application Server SOAP Exploit (CVE-2015-7450)
- Primefaces Application Expression Language Injection (CVE-2017-1000486)
After obtaining an initial foothold, the actor is patient and studies the victim environment before moving to a more thorough phase of reconnaissance. In one engagement, the group waited thirty days before proceeding. Elephant Beetle has been seen using obfuscated WAR archives to deliver Java applications that drop its various backdoors and the payloads used for exfiltration. Another notable tactic was siphoning activity conducted through small transactions to avoid triggering alerts.
Sygnia's detailed report, including indicators of compromise (IOCs), is available here: https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation. While organizations work through the latest Log4j issues, they should extend the same level of scrutiny to all Java applications. Survey systems for the legacy applications listed above and confirm that the relevant patches have been applied. Baseline WebSphere activity, paying special attention to temporary folders. WAR deployments should be validated and monitored. Deliberate threat hunting in the environment is a further safeguard for identifying malicious activity. Although the actor is clever in its use of web application payloads and obfuscation, it still relies on general tactics, techniques, and procedures (TTPs) that targeted hunts in Linux environments can catch.
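One way to put the "validate and monitor WAR deployments" advice into practice is to baseline every deployed WAR down to the hash of each entry inside it and alert on drift. The script below is an added example, not code from Sygnia's report; the deployment directory, WAR names and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path


def war_manifest(war_path):
    """Return {entry_name: sha256} for every file packed inside a WAR."""
    manifest = {}
    with zipfile.ZipFile(war_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def snapshot(deploy_dir):
    """Baseline of every .war under deploy_dir: {war_name: manifest}."""
    return {p.name: war_manifest(p) for p in Path(deploy_dir).rglob("*.war")}


def diff_snapshots(baseline, current):
    """Findings as (kind, war, entry); entry is '' for whole-archive events."""
    findings = []
    findings += [("new_war", w, "") for w in current.keys() - baseline.keys()]
    findings += [("removed_war", w, "") for w in baseline.keys() - current.keys()]
    for war in baseline.keys() & current.keys():
        old, new = baseline[war], current[war]
        findings += [("new_entry", war, e) for e in new.keys() - old.keys()]
        findings += [("modified_entry", war, e) for e in old.keys() & new.keys()
                     if old[e] != new[e]]
    return sorted(findings)


def _write_war(path, files):
    """Write a constructed sample WAR (demo data, not a real deployment)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)


def demo():
    """Constructed scenario: baseline a deploy dir, then detect drift in it."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "app.war")
        _write_war(app, {"WEB-INF/web.xml": "<web-app/>", "index.jsp": "<html/>"})
        baseline = snapshot(d)
        # Simulated drift: a changed page, an added class, and an unapproved WAR.
        _write_war(app, {"WEB-INF/web.xml": "<web-app/>", "index.jsp": "<html>x</html>",
                         "WEB-INF/classes/Extra.class": b"\xca\xfe\xba\xbe"})
        _write_war(os.path.join(d, "unknown.war"), {"WEB-INF/web.xml": "<web-app/>"})
        return diff_snapshots(baseline, snapshot(d))
```

In production the baseline would be stored off-host and the comparison run on a schedule, with every finding reviewed against the change-management record for that WAR.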