Threat Actors Exploit ERP Vulnerabilities for Financial Gain

ERP systems, such as SAP and Oracle E-Business Suite (EBS), are the operational engine of an organization, running the business-critical applications and holding the data needed for businesses to function. These systems are essential to the organization, yet almost always fall in a cybersecurity blind spot, left unprotected against internal misuse and external attacks. 

Onapsis Research Labs Finds Evidence of ERP Exploitation

The need for securing ERP applications has never been more urgent. Threat actors have the expertise to identify and exploit unprotected business-critical ERP applications. 

More than 400,000 organizations rely on SAP’s software. At the core of every SAP deployment is the SAP Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses. Earlier this year, Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical security vulnerabilities affecting the ICM, a core component of SAP business applications.

The ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. CVE-2022-22536 can be abused to compromise any SAP NetWeaver-based Java or ABAP application with default configurations. This can be achieved using a single request through the commonly exposed HTTP(S) service, and no authentication is required. 

The potential impact to the business can be huge. A successful exploitation of the vulnerabilities could allow an attacker to perform several malicious actions affecting the enterprise, including: 

  • Theft of critical data from customers and employees
  • Hijacking of user identities and theft of all user credentials and personal information
  • Exfiltration of sensitive or confidential corporate information
  • Fraudulent transactions and financial harm
  • Change of banking details in a financial system of record
  • Internal denial of service attack that disrupts critical systems for the business

Onapsis and SAP worked closely with customers, providing a free vulnerability scanning tool that allows any SAP customer to scan their SAP landscape for applications affected by these vulnerabilities. Due to the potential business impact, the US Cybersecurity and Infrastructure Security Agency (CISA) added one of these critical SAP vulnerabilities, CVE-2022-22536, to its Known Exploited Vulnerabilities (KEV) Catalog.

In the case of Elephant Beetle, the threat actor group targeted unpatched ERP applications and web servers and meticulously planned financial theft operations in stages, spending several months preparing attacks that steal small amounts over long periods, usually amounting to millions. Two of the security vulnerabilities leveraged by Elephant Beetle affect SAP NetWeaver Java systems: CVE-2010-5326 and EDB-ID-24963 are quite old, dating back to 2016, when CISA put out its very first US-CERT alert on ERP security.

Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to the two SAP NetWeaver Java vulnerabilities mentioned in the Sygnia report. They discovered that there were over 350 exploitation attempts since January 2020. Additionally, the vast majority of Onapsis-observed exploit attempts came from Asia and the US, indicating this isn’t regionally isolated but rather global. Why is this? It’s easier than ever for motivated cyberattackers to gain deeper knowledge and skills that allow them to conduct these more sophisticated attacks on more complex and unpatched ERP applications. 

Onapsis Research Labs’ research also found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches, post-exploitation, to cover their tracks. This trend demonstrates the need to close the points of ingress that threat actors use to get in in the first place, because once they’re in, they’re in it for the long haul, and their efforts are proving successful.

A Better Way to Think About ERP Security

ERP systems are complex, but ERP security doesn’t have to be complicated. It is of utmost importance for organizations to strengthen their ERP security processes to make it significantly harder for threat actors to perform that initial compromise. Only then will there have been some real progress in minimizing the risk of these critical vulnerabilities and protecting our most important business assets. 

One way organizations can stay ahead of threats is to seek and use targeted threat intelligence, which can provide insights on tactics, techniques, and procedures (TTPs) used by threat actors for pre-patch protection. Threat intelligence programs can provide alerts about ransomware campaigns and actionable intelligence for security teams.

Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on ERP systems. Onapsis automatically updates its products with the latest threat intelligence and security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations, and pre-patch protection ahead of scheduled vendor updates. The ongoing discoveries from the Onapsis Research Labs keep the Onapsis Platform ahead of ever-evolving cybersecurity threats.

Learn more about our solutions below:

Vulnerability Management: Onapsis Assess gives you a graphical view of systems and their interconnectivity, and provides insight into applications: their primary usage and processes, and the key informational assets they manage. Users are able to identify and understand risk through automated assessments. Assess reduces the attack surface. Continuous monitoring of system health provides visibility into misconfigurations and unauthorized changes that can lead to security, compliance, or availability issues.

Threat Detection and Response: Onapsis Defend can accelerate risk mitigation and remediation. Continuous monitoring detects internal and external threats as well as changes, transactions, and user activity that introduce risk or impact compliance. Users can respond immediately to new threats, and integration with SIEM tools delivers real-time alerts of potential new risks or evidence of exploits. With Defend, customers can prioritize remediation based on business risk.

Application Security Testing: Onapsis Control integrates security into your development processes. Automated code analysis can quickly identify security, compliance, and quality issues before they can cause problems. Control provides analysis and review of custom code that captures issues that could put your organization at risk of attack, non-compliance, or application downtime.