The Incident Response team at Sygnia recently released a report detailing targeted attacks against legacy Java applications on Linux machines by a threat group known as Elephant Beetle. The group has been observed exploiting the following vulnerabilities:
- SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) from 2010
- Config Servlet Remote Code Execution (EDB-ID-24963)
- WebSphere Application Server SOAP Exploit (CVE-2015-7450)
- Primefaces Application Expression Language Injection (CVE-2017-1000486)
After obtaining an initial foothold, the actor is patient and studies the victim environment before moving to a more thorough phase of reconnaissance. In one engagement, the group waited thirty days before proceeding. Elephant Beetle has been seen using obfuscated WAR archives to distribute Java applications that drop its various backdoors and the payloads used for exfiltration. Another notable tactic was siphoning activity carried out through small transactions, sized to stay below the thresholds that would trigger alerts.
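The small-transaction tactic defeats the common control of alerting on any single transfer above a fixed amount. The following added example (not code from Sygnia's report or from this page) shows why a per-transaction rule misses the activity and how a cumulative, sliding-window rule over the same records catches it. The ledger records, account names, thresholds and window length are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (ISO timestamp, account, amount). Not data from the report.
SAMPLE_TRANSFERS = [
    ("2022-01-03T09:12:00", "ACCT-1001", 480.00),
    ("2022-01-03T11:40:00", "ACCT-1001", 495.00),
    ("2022-01-04T08:05:00", "ACCT-1001", 470.00),
    ("2022-01-05T16:22:00", "ACCT-1001", 490.00),
    ("2022-01-06T10:01:00", "ACCT-1001", 485.00),
    ("2022-01-07T13:30:00", "ACCT-1001", 499.00),
    ("2022-01-03T09:00:00", "ACCT-2002", 12000.00),  # one large transfer: caught by the per-transaction rule
    ("2022-01-04T09:00:00", "ACCT-3003", 150.00),    # sparse, low-volume activity: should not alert
    ("2022-01-20T09:00:00", "ACCT-3003", 200.00),
]

# Hypothetical tuning values, chosen for the sample data.
PER_TXN_LIMIT = 1000.0      # single-transfer alert threshold the attacker stays under
WINDOW = timedelta(days=7)  # sliding window for the cumulative check
CUMULATIVE_LIMIT = 2500.0   # alert once sub-threshold transfers add up past this
MIN_COUNT = 4               # ...and there are at least this many of them


def per_transaction_alerts(transfers, limit=PER_TXN_LIMIT):
    """Classic rule: flag any account with a single transfer above the limit.
    This is the control that many small transfers are designed to slip past."""
    return sorted({acct for _, acct, amt in transfers if amt > limit})


def low_and_slow_alerts(transfers, limit=PER_TXN_LIMIT, window=WINDOW,
                        cumulative=CUMULATIVE_LIMIT, min_count=MIN_COUNT):
    """Cumulative rule: per account, sum only the transfers the per-transaction
    rule ignores, over a sliding time window, and flag when both the count and
    the running total exceed their limits. Returns {account: (count, total)}."""
    by_acct = defaultdict(list)
    for ts, acct, amt in transfers:
        if amt <= limit:
            by_acct[acct].append((datetime.fromisoformat(ts), amt))

    flagged = {}
    for acct, events in by_acct.items():
        events.sort()  # chronological order so the window can slide forward
        start, running = 0, 0.0
        for end, (t, amt) in enumerate(events):
            running += amt
            # Drop events that have fallen out of the window ending at t.
            while events[start][0] < t - window:
                running -= events[start][1]
                start += 1
            count = end - start + 1
            if count >= min_count and running >= cumulative:
                flagged[acct] = (count, round(running, 2))
                break  # first window that trips the rule is enough to alert
    return flagged


if __name__ == "__main__":
    print("per-transaction rule flags:", per_transaction_alerts(SAMPLE_TRANSFERS))
    print("cumulative rule flags:     ", low_and_slow_alerts(SAMPLE_TRANSFERS))
```

Run as a script, the per-transaction rule reports only ACCT-2002, while the cumulative rule reports ACCT-1001 with six transfers totalling 2919.00 inside one seven-day window and leaves the sparse ACCT-3003 activity alone. In practice the window and limits would be set per customer or account profile rather than as global constants.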