Last week, researchers from Sygnia’s Incident Response team released a report detailing the activities of a threat group they’ve named Elephant Beetle. Compiled from over two years of monitoring, the report describes the attack strategies used by the group that resulted in the theft of millions of dollars from Latin American financial sector organizations.
More Evidence That Threat Actors Are Initiating More Sophisticated Attacks
What differentiates Elephant Beetle from the countless other headlines recently in the news (e.g., ransomware) is the nature of their attacks — methodical, sophisticated, and patient. Their tactics, techniques, and procedures echo the trend that Onapsis Research Labs and SAP jointly reported on last year: Threat actors have deeper knowledge and skills permitting them to conduct more sophisticated attacks on more complex and unpatched business-critical applications. The Onapsis Research Labs’ very own threat research found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable SAP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches, post-exploitation, to cover their tracks. This trend points to the need to close the entry points threat actors are using to get in in the first place — because once they’re in, they’re in it for the long haul and their efforts are proving successful.
Old Vulnerabilities Continue to Plague Organizations
Two of the vulnerabilities leveraged by Elephant Beetle affect SAP Netweaver Java systems:
- SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)
- SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963)
The first thing you should know about these two vulnerabilities is that they’re quite old. In fact, CVE-2010-5326 was the subject of the very first US-CERT alert pertaining to the cybersecurity of SAP applications, way back in 2016. (And that US-CERT alert, while issued in 2016, was referring to a patched vulnerability from five years earlier!) The second thing you should know about these two vulnerabilities is that patches exist for them.
So, yes, this is yet another example of old, unpatched vulnerabilities coming back to haunt you. We recently saw headlines about a ransomware attack at a utilities company related to the RECON vulnerability, first disclosed by Onapsis Research Labs in July 2020, and there is no shortage of other similar stories out there. Patching applications and vulnerability management can be challenging and time-consuming (though it doesn’t have to be), but just because a vulnerability is old doesn’t mean that it no longer poses a risk to your organization and its financial well-being. You can bet more sophisticated, methodical threat actors will find a way to exploit it, if given the opportunity.
As further evidence of this, Onapsis Research Labs took a look at its Threat Intelligence Cloud and analyzed activity related to the two SAP NetWeaver Java vulnerabilities mentioned in the Sygnia report. They found the following:
- Over 350 exploitation attempts since January 2020
- The vast majority of Onapsis-observed exploit attempts come from Asia and the US (in comparison to the Elephant Beetle activity, which was primarily focused in Latin America, indicating this isn’t isolated but rather global)
Too Many Vulnerabilities, Too Little Time
The Elephant Beetle story touches upon a much bigger issue regarding vulnerability management for business-critical applications. While this threat activity involved just two SAP-related vulnerabilities, remember — SAP releases new patches every month. Looking only at the most critical vulnerabilities patched from January 2020 to December 2021, SAP released:
- 80 patches for vulnerabilities with CVSSv3 scores ranging from 8.5 to 10, and
- 20 patches for vulnerabilities with a CVSSv3 score of 10.
That’s an average of around 3 critical vulnerabilities patched by SAP every 30 days over a two-year period! Given this volume, it isn’t surprising that organizations potentially have older, unpatched critical vulnerabilities lurking in their SAP landscapes. And consider that this volume doesn’t include critical misconfiguration exploits, such as the 10KBLAZE exploits, first reported by the Onapsis Research Labs, that targeted misconfigured SAP NetWeaver installations.
Unfortunately, all of these critical vulnerabilities continue to be prime targets for threat actors eager to exploit them and use them as entry points to foundational business applications. (Some of these vulnerabilities, such as CVE-2010-5326, CVE-2020-6287, and CVE-2020-6207, also appear in CISA’s Known Exploited Vulnerabilities catalog.)
If Elephant Beetle has shown us nothing else, it’s that we need to take a long, hard look at the state of security for our business-critical application landscape. It is of utmost importance for organizations to strengthen their SAP security processes and better incorporate SAP within their vulnerability management and incident response processes to make it significantly harder for threat actors to perform that initial compromise. Only then will we have made some real progress in minimizing the risk of these critical vulnerabilities and protecting our most important business assets.
For more on vulnerability management and business-critical applications, read our related paper. To identify your organization’s current risk exposure, get in touch with an Onapsis security expert at www.onapsis.com/request-an-assessment/cyber-risk.