Threat Actors Break Into Networks To Quietly Steal Cash

Bleeping Computer is reporting that a group of threat actors known as Elephant Beetle are spending months inside to divert transactions in order to make a few bucks:

The group is very sophisticated and patient, spending months studying the victim’s environment and financial transaction processes, and only then moves to exploit flaws in the operation.

The actors inject fraudulent transactions into the network and steal small amounts over long periods, leading to an overall theft of millions of dollars. If they are spotted, they lay low for a while and return through a different system.

The expertise of ‘Elephant Beetle’ appears to be in targeting legacy Java applications on Linux systems, which is typically their entry point to corporate networks.

Clearly these aren’t your typical cybercriminals. Which makes them even more dangerous than your typical cybercriminals who are already pretty dangerous. Elizabeth Wharton who is the VP Operations for SCYTHE had this to say:

Cybercriminals are doing the same thing that we’ve seen in traditional fraud. This is the same kind of small-dollar value theft that we see when people try to embezzle money from a company. The difference here is that companies lack the tools to detect it. They can’t use their fraud detection tools because it’s not an internal person exploiting their systems. This is why they need new tools that give them a way to continuously validate their security processes and technologies, so that they know their people can detect these new exploits quickly.  

And Chris Olson, CEO of The Media Trust had this to say:

Elephant Beetle is another example of the ever-evolving sophistication of criminal activity leveraging the complexity of digital environments. While this group is creating fraudulent transactions in enterprise environments, it’s safe to assume they can also hijack and steal consumer data like banking details, credit card numbers, etc. The risk of weaponizing enterprise websites/mobile apps to harm consumers is too great to ignore. In 2022, we’ll start to see more discussion about the need for digital trust and safety across industry and regulatory forums.  

So the take home message is that companies need to up their game to ensure that they don’t fall victim to something like this.

Welcome to 2022.

UPDATE: I have added commentary from Saryu Nayyar, CEO and Founder, Gurucul:

“The adaptability of the Elephant Beetle threat actor and subsequent exploits developed to evade detection or modifications to continue once detected, shows a level of sophistication that is out of scope for traditional XDR or SIEM. In addition to leveraging dwell time to evade detection, the documented exploits are clearly meant to increase the level of noise created by most XDR/SIEMs leaving security analysts unable to correlate what is a real attack versus chasing false positives. The ability to baseline user access to applications and understand deviations in acceptable asset and network usage and behaviors with customizable machine learning models can drastically reduce the noise and discover attacks much more quickly despite the extensive use of dwell time.”

Additionally, The New York Office of the Attorney General has notified 17 companies of security breaches after it spent months monitoring hacking forums dedicated to credential stuffing attacks and found that more than 1.1 million user accounts had been hacked and sold online. Saryu Nayyar of Gurucul goes on to say this:

“The fact that the NY OAG was able to find this information shows that threat intelligence, dark web scanning and attack surface management have a long way to go in terms of credibility and usability by security teams. While these are all critical as part of the overall security process and are useful to augment existing security tools like Next Generation SIEM, such tools are not a silver bullet to protect an organization or significantly lower risk given. Security operations must rely on advanced machine learning and analytics that are increasingly sophisticated to pre-emptively identify breaches and prevent credential theft. In addition, once this data is made available to threat actors, identity profiling and behavioral analytics are the best approach when combined with traditional XDR capabilities to determine if stolen credentials are being misused within an organization”.

And Sam Jones, VP of Product Management, Stellar Cyber had this to say:

“Exposed credentials are unfortunately the norm, and likely will be until the username and password paradigm is eliminated. The best practice for enterprises to prevent credential stuffing is to stick to the basics – enforce strong MFA and go passwordless if possible. For end users, given we still live in a password world, the best thing you can do is ensure you don’t reuse passwords across services.”

And Chris Olson, CEO of The Media Trust had this to say:

Credential stuffing attacks are old hat, and remain effective. While consumers are responsible for their data, enterprises have a responsibility to safeguard it when input or surreptitiously collected via their websites/mobile apps. Taking ownership of how digital assets can harm consumers is critical to safeguarding consumer expectations of privacy and security. Those that have adopted digital trust and safety strategies are starting to see tangible results in their bottom line.

Finally Dave Pasirstein, Chief Product Officer and Head of Engineering at TruU had this to say:

“The primary countermeasure to credential stuffing is multifactor authentication (MFA), and one of the best multifactor approaches to eliminate the credential stuffing attack vector is passwordless MFA.”


Leave a Reply

%d bloggers like this: