Older, Unpatched ERP Vulnerabilities Continue to Haunt Organizations
Fri, 10/14/2022 – 15:58
It’s the season of ghosts, witches and goblins, but that’s not what’s keeping cybersecurity professionals up at night. It’s the challenge of how to identify vulnerabilities, prioritize patches, and prevent cyberattacks targeting business-critical Enterprise Resource Planning (ERP) data and systems. This Halloween, don’t let unpatched vulnerabilities be a problem for your organization. Read on for the spooky tale of how the threat actor group Elephant Beetle discreetly stole millions of dollars from financial companies’ systems while hiding in plain sight, and for ways your organization can strengthen its ERP security.
Earlier this year, researchers from Sygnia’s Incident Response team released a report detailing the activities of a threat group called Elephant Beetle. To carry out its Java-based attacks, Elephant Beetle uses a wide arsenal of more than 80 unique tools and scripts. The group meticulously plans its financial theft operations in stages, spending several months preparing an attack and then stealing small amounts over a long period, with the total usually amounting to millions.
Two of the vulnerabilities exploited by Elephant Beetle, the SAP NetWeaver Invoker Servlet vulnerability (CVE-2010-5326) and the SAP NetWeaver ConfigServlet remote code execution flaw (EDB-ID-24963), are quite old, yet they are still being targeted by attackers. CVE-2010-5326 was the subject of the very first US-CERT alert pertaining to SAP cybersecurity, issued in 2016, and that alert was referring to a vulnerability SAP had patched years earlier, in 2010. Patches exist for both vulnerabilities. Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to these two SAP NetWeaver Java vulnerabilities and found over 350 exploitation attempts since January 2020. Older, unpatched vulnerabilities continue to be exploited by threat actors and will continue to be a problem for organizations that don’t have the right tools to identify, prioritize, and remediate them.
What differentiates Elephant Beetle from the countless other groups in the headlines is the nature of its attacks: methodical, sophisticated, and patient. Its tactics, techniques, and procedures echo the trend that Onapsis Research Labs and SAP jointly reported on last year: threat actors have the deeper knowledge and skills needed to conduct more sophisticated attacks on more complex, unpatched business-critical applications. Onapsis Research Labs’ threat research found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches post-exploitation to cover their tracks. This trend points to the need to close the entry points threat actors are using to get in, because once they’re in, they’re in it for the long haul, and their efforts are proving successful.
These older, unpatched vulnerabilities have shown us that organizations need to strengthen their ERP application security with processes and tools that make it significantly harder for threat actors to perform an initial compromise. Patching applications and managing vulnerabilities can be challenging and time-consuming (though it doesn’t have to be), but just because a vulnerability is old doesn’t mean it no longer poses a risk to your organization and its financial well-being. You can bet that more sophisticated, methodical threat actors are also keeping an eye on patch releases: research from SAP, CISA, and Onapsis found critical SAP vulnerabilities being weaponized less than 72 hours after a patch was released. The patch gap on the defender’s side is far longer; the average time to apply, test, and fully deploy a patch is 97 days [1].
Make ERP Security a Priority
Elephant Beetle has shown us that we need to take a long, hard look at the state of security for our ERP application landscape. It is of utmost importance for organizations to strengthen their ERP security processes to make it significantly harder for threat actors to perform that initial compromise. Only then will we have made some real progress in minimizing the risk of these critical vulnerabilities and protecting our most important business assets. Here are three steps organizations can take to make ERP security a priority:
- Implement a vulnerability management program that specifically protects ERP applications: Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical ERP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your ERP environment.
- Build application security testing into development processes: Incorporating security checks into your application development and change management processes allows you to find issues in the shortest possible time. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to system security, compliance, performance, or availability.
- Continuously monitor for internal and external threats: Business-critical ERP applications are an attractive target for bad actors, both inside and outside the organization. Keeping an eye out for unauthorized changes, misuse, or attack indicators is crucial for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences.
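The two old NetWeaver Java issues named earlier (Invoker Servlet, CVE-2010-5326, and ConfigServlet RCE, EDB-ID-24963) are a good test of the monitoring step above, because attempts against them leave a recognizable trace in web access logs. The following script is an added example, not code from the Onapsis post or from Sygnia; the URL patterns it looks for (`/servlet/<class>` for the invoker servlet, `/ctc/ConfigServlet` and the `EXECUTE_CMD` / `CREATEUSER` actions in its `param` value) are taken from the public exploit write-ups for these two issues and are assumptions for this example, as are the sample log lines, which are constructed. It decodes percent-encoding repeatedly so that obfuscated requests are not missed, and records whether the server answered with a success status, which is the difference between a blocked probe and a likely compromise.

```python
"""Flag requests to the SAP NetWeaver Java Invoker Servlet and ConfigServlet in web access logs."""
import re
from typing import Optional
from urllib.parse import unquote

# Apache/NCSA-style access log line. Adjust the pattern if the logs come from a
# reverse proxy or the SAP ICM in a different format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators (assumptions for this example, taken from the public exploit
# write-ups for CVE-2010-5326 and EDB-ID-24963, not from the Onapsis post):
#  - the Invoker Servlet is reached as /servlet/<fully.qualified.Class>
#  - ConfigServlet lives at /ctc/ConfigServlet, or is reached by class name via the invoker
#  - its "param" value names an action such as EXECUTE_CMD or CREATEUSER
INVOKER_PREFIX = "/servlet/"
CONFIGSERVLET_MARKER = "configservlet"
DANGEROUS_ACTIONS = ("execute_cmd", "createuser")

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2022:15:58:01 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2022:15:58:02 +0000] "GET /ctc/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=whoami HTTP/1.1" 200 312 "-" "python-requests/2.28"
203.0.113.7 - - [14/Oct/2022:15:58:03 +0000] "GET /servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=svc;PASSWORD=x HTTP/1.1" 200 287 "-" "python-requests/2.28"
203.0.113.9 - - [14/Oct/2022:15:58:04 +0000] "GET /%73ervlet/com.sap.ctc.util.ConfigServlet HTTP/1.1" 403 0 "-" "curl/7.85"
10.0.0.6 - - [14/Oct/2022:15:58:05 +0000] "POST /webdynpro/resources/sap.com/tc~wd~tools/Explorer HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def normalize(target: str) -> str:
    """Percent-decode until stable (catches double encoding such as /%2573ervlet/), then lowercase."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def classify(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if it matches no indicator."""
    norm = normalize(target)
    path, _, query = norm.partition("?")
    vulns = []
    if path.startswith(INVOKER_PREFIX):
        vulns.append("invoker-servlet CVE-2010-5326")
    if CONFIGSERVLET_MARKER in path:
        vulns.append("configservlet EDB-ID-24963")
    if not vulns:
        return None
    # A known dangerous action in the query string means an exploitation attempt, not just a probe.
    actions = [a for a in DANGEROUS_ACTIONS if a in query]
    return {"vulns": vulns, "actions": actions, "severity": "critical" if actions else "high"}


def scan_log(text: str) -> list:
    """Parse every line and collect findings, noting whether the server answered with a non-error status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify(m["target"])
        if finding is None:
            continue
        status = int(m["status"])
        # A patched or hardened system answers 403/404; a 2xx/3xx on an exploit URL deserves a ticket.
        finding.update(src=m["src"], ts=m["ts"], status=status, likely_success=status < 400)
        findings.append(finding)
    return findings


def attempts_by_source(findings: list) -> dict:
    """Count flagged requests per source address."""
    counts: dict = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["severity"], f["vulns"], f["actions"], "success" if f["likely_success"] else "blocked")
    print(attempts_by_source(scan_log(SAMPLE_LOG)))
```

On the constructed sample this flags three of the five requests: two command-execution and user-creation attempts from one address that the server answered with 200, and one percent-encoded invoker probe that was refused with 403. The same approach generalizes to any path-based indicator; the point is to normalize before matching and to treat the response status as part of the finding.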
For a deep dive into a specific case study of an Elephant Beetle attack and incident response, watch this session with researchers from Sygnia and Onapsis.
More Threat Intelligence from Onapsis Research Labs
ICMAD Vulnerabilities in SAP Internet Communication Manager
Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component in SAP business-critical applications. The ICMAD vulnerabilities require immediate attention from most SAP customers. One of them, CVE-2022-22536, received the highest possible CVSS score, 10 out of 10, and CISA issued a Current Activity Alert as a result. If exploited, these vulnerabilities let attackers carry out serious malicious activity against SAP users, business information, and processes, and ultimately compromise unpatched SAP applications.
Active Cyberattacks on Business-Critical SAP Applications
In April 2021, we released joint threat intelligence with SAP and the first public report from the Onapsis Threat Intelligence Cloud. Not only has the threat landscape grown in recent years, but threat actors have gotten more sophisticated, are using well-known exploits, and are acting quickly. The window for defenders has gotten increasingly small.
Onapsis Research Labs regularly contributes to SAP Security Notes and releases our analysis every Patch Tuesday.
[1] Ponemon Institute LLC, The Third Annual Study on the State of Endpoint Security Risk, January 2020.
*** This is a Security Bloggers Network syndicated blog from onapsis.com/ authored by maaya.alagappan. Read the original post at: https://onapsis.com/blog/older-unpatched-erp-vulnerabilities-continue-haunt-organizations