It’s the season of ghosts, witches and goblins, but that’s not what’s keeping cybersecurity professionals up at night. It’s the challenge of how to identify vulnerabilities, prioritize patches, and prevent cyberattacks targeting business-critical Enterprise Resource Planning (ERP) data and systems. This Halloween, don’t let unpatched ERP vulnerabilities be a problem for your organization. Read on for the spooky tale of how the threat actor group Elephant Beetle discreetly stole millions of dollars from financial companies’ systems while hiding in plain sight, and for ways your organization can strengthen its ERP security.
Earlier this year, researchers from Sygnia’s Incident Response team released a report detailing the activities of a threat group known as Elephant Beetle. To carry out its Java-based attacks, Elephant Beetle uses a wide arsenal of more than 80 unique tools and scripts. The group meticulously plans its financial theft operations in stages, spending several months preparing attacks that steal small amounts over long periods, usually adding up to millions.
Two of the vulnerabilities exploited by Elephant Beetle — SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963) — are quite old. Yet they are still being targeted by attackers. CVE-2010-5326 was the subject of the very first US-CERT alert pertaining to SAP cybersecurity, back in 2016. And that US-CERT alert, while issued in 2016, referred to a vulnerability that had been patched five years earlier. Patches exist for both of these vulnerabilities. Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to the two SAP NetWeaver Java vulnerabilities and found over 350 exploitation attempts since January 2020. Older, unpatched vulnerabilities continue to be exploited by threat actors and will continue to be a problem for organizations that don’t have the right tools to identify, prioritize, and remediate them.
What differentiates Elephant Beetle from the countless other headlines in the news is the nature of their attacks — methodical, sophisticated, and patient. Their tactics, techniques, and procedures echo the trend that Onapsis Research Labs and SAP jointly reported on last year: Threat actors have deeper knowledge and skills permitting them to conduct more sophisticated attacks on more complex and unpatched business-critical applications. Onapsis Research Labs’ threat research found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches, post-exploitation, to cover their tracks. This trend points to the need to close the entry points threat actors are using to get in in the first place — because once they’re in, they’re in it for the long haul and their efforts are proving successful.
These older, unpatched vulnerabilities have shown us that organizations need to strengthen their ERP application security with processes and tools that make it significantly harder for threat actors to perform an initial compromise. Patching applications and vulnerability management can be challenging and time-consuming (though it doesn’t have to be), but just because a vulnerability is old doesn’t mean it no longer poses a risk to your organization and its financial well-being. You can bet that more sophisticated, methodical threat actors are also keeping an eye on patch releases. Research from SAP, CISA, and Onapsis found critical SAP vulnerabilities being weaponized less than 72 hours after the patch was released. But the patch gap from when a vulnerability is found to when a patch is deployed is a lot longer; the average time to apply, test, and fully deploy a patch is 97 days [1].
Make ERP Security a Priority
Elephant Beetle has shown us that we need to take a long, hard look at the state of security for our ERP application landscape. It is of utmost importance for organizations to strengthen their ERP security processes to make it significantly harder for threat actors to perform that initial compromise. Only then will we have made some real progress in minimizing the risk of these critical vulnerabilities and protecting our most important business assets. Here are three steps organizations can take to make ERP security a priority:
- Implement a vulnerability management program that is dedicated to protecting ERP applications: Given the frequency of releases, complexity of patching processes, and size of application landscapes, enterprises can face a growing backlog of patches and lack prioritization tools. A vulnerability management program dedicated to these complex and critical systems can help provide visibility, dashboards, automated processes, and more.
- Build application security testing into ERP application development processes: Organizations need a way to validate that they are writing high-quality, secure code. Many ERP applications contain millions of lines of code, which makes it much harder to manually identify and fix even common errors during development. Fixing issues before they reach production is easier and less expensive, and helps avoid negative impacts on system security, compliance, performance, or availability.
- Continuously monitor for internal and external threats with threat detection and response: Business-critical ERP applications are an attractive target for threat actors. Keeping an eye out for unauthorized changes, misuse, or attack indicators is essential for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences.
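As a concrete illustration of the monitoring step above, the following added example (not code from the post, Onapsis or Sygnia) scans constructed HTTP access log lines for requests that touch the two SAP NetWeaver Java components named earlier. The URL patterns for the ConfigServlet endpoint and for Invoker Servlet style calls (a servlet addressed by its fully qualified class name) are assumptions, as is the common log format of the sample lines.

```python
import re
from collections import Counter

# Assumed URL patterns (not taken from the post) for the two SAP NetWeaver Java
# issues discussed above. They are detection indicators, not exploit payloads.
INDICATORS = {
    # ConfigServlet (EDB-ID-24963): direct requests to the CTC ConfigServlet endpoint.
    "configservlet_rce": re.compile(r"/ctc/(?:servlet/)?ConfigServlet", re.I),
    # Invoker Servlet (CVE-2010-5326): a servlet called by a dotted class name
    # (package.Class) instead of a mapped URL; two dots required to cut false hits.
    "invoker_servlet": re.compile(r"/servlet/[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*){2,}"),
}

# Common log format: src - - [timestamp] "METHOD /path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Return one hit per (log line, indicator) match, keeping source, time and status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name, pattern in INDICATORS.items():
            if pattern.search(m["path"]):
                hits.append({"src": m["src"], "ts": m["ts"], "indicator": name,
                             "status": int(m["status"]), "path": m["path"]})
    return hits

def hits_per_source(hits):
    """Count hits per source IP so repeated probing from one address stands out."""
    return Counter(h["src"] for h in hits)

def reached_servlet(hits):
    """Hits answered with 200: the request was served, so the component is exposed."""
    return [h for h in hits if h["status"] == 200]

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2022:08:15:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [21/Oct/2022:08:16:10 +0000] "GET /ctc/ConfigServlet HTTP/1.1" 200 312
203.0.113.7 - - [21/Oct/2022:08:16:11 +0000] "GET /webdynpro/servlet/com.sap.example.Admin HTTP/1.1" 200 88
198.51.100.9 - - [21/Oct/2022:08:20:44 +0000] "POST /ctc/servlet/ConfigServlet HTTP/1.1" 403 0
10.0.0.5 - - [21/Oct/2022:08:21:00 +0000] "GET /servlet/index.html HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["indicator"], h["status"], h["path"])
    print(hits_per_source(found))
```

A 403 still shows someone probing the endpoint, while a 200 means the servlet answered and the patch status of that system should be checked first.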
For a deep dive into a specific case study of an Elephant Beetle attack and incident response, watch this session with researchers from Sygnia and Onapsis.
More Threat Intelligence from Onapsis Research Labs
ICMAD Vulnerabilities in SAP Internet Communication Manager
Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component. One of the vulnerabilities, CVE-2022-22536, received a CVSS score of 10. As a result, CISA issued a Current Activity Alert. If exploited, these vulnerabilities enable remote attackers to take serious malicious actions against SAP users, business information, and processes — and ultimately compromise unpatched SAP applications.
Active Cyberattacks on Business-Critical SAP Applications
In April 2021, Onapsis Research Labs released threat intelligence jointly with SAP. The data shows not only that the threat landscape has grown in recent years, but that threat actors have become more sophisticated, are using well-known exploits, and are acting quickly.
Onapsis Research Labs regularly contributes to SAP Patch Day and releases its analysis every Patch Tuesday.