Cyber Security Researchers Identify Financial Theft Hackers
Table of Contents
- By David Lukic
- Published: Jan 06, 2022
- Last Updated: Mar 18, 2022
A group of cyber security specialists has figured out who is behind a sizable financial theft hacking operation. The hackers went to great lengths to conceal their identities. These cyber miscreants zeroed in on processing systems to pluck funds from financial institutions and other businesses across nearly half a decade. Those institutions were primarily located in Latin America.
Who is Behind the Hack?
The cyber security researchers at Sygnia, an Israeli incident response company, determined the hacking collective known as Elephant Beetle is responsible for the attacks described above.
Who Did the Attacks Target?
The financial theft hacks zeroed in on both banks and retail businesses. The attacks injected phony financial transactions amidst harmless activity. Those fraudulent transactions slipped through the cracks as the benign transactions masked them. This is a relatively simple approach to attacking financial-oriented targets as it hides the infiltration in plain sight. The hackers didn’t even go to the trouble of developing an exploit.
Is the Attack Analogous to Any Other?
The Elephant Beetle digital attack overlaps with another type of attack known as FIN13. Mandiant has been tracking FIN13. FIN13 is considered an industrious-oriented threat tied to ransomware attacks and other attacks to steal data throughout Mexico. FIN13 attacks have been levied dating back to the start of 2016.
What Else is Known About the Elephant Beetle Attack?
Elephant Beetle is known to leverage upwards of 80+ distinct tools and scripts. These tools are essential to carrying out the underlying attacks. Elephant Beetle also goes to great lengths to blend in the attacks with the targeted environment across lengthy periods of time. The group conducts extensive research to obtain knowledge of targeted financial operations and systems. The result is significant financial loss.
The Vice President of Sygnia’s incident response group, Arie Zilberstein, states Elephant Beetle’s lengthy period of persistence within target networks empowers them to alter techniques and tooling for continued relevancy. Zilberstein states the campaign’s success is primarily the result of the widespread attack surface available through legacy systems within banking networks. Elephant Beetle seizes the opportunity to establish footholds in these entry points, empowering attackers to obtain a listing foothold within target networks.
Why is the Attack Successful?
The attack goes to the extent of using backdoors within the target’s environment to attempt to understand the specific processes used to conduct financial transactions after implementing transactions within networks to gradually steal small amounts of cash. The small amounts removed from accounts go under the radar, ensuring Elephant Beetle’s activity is unknown. If the activity is identified, the hacking collective temporarily puts its theft on pause yet starts plucking small amounts of money out of the account a couple months later.
The initial access to the target system capitalizes on unpatched flaws within Java-based web servers that are publicly exposed. Those servers include WebLogic and WebSphere. Web shells are then deployed to trigger lateral movement and remote code execution. The web shells used are designed as JavaScript, CSS, image, and font resources with an extension that allows for lengthy surveillance. The hacking collective also uses techniques that overwrite files that are non-threatening to replace default web page files and advance additional attacks.