Threat actors exploit ERP vulnerabilities for financial gain

ERP systems, such as SAP and Oracle E-Business Suite (EBS), are the operational engine of an organization, running the critical applications and containing the data needed to run businesses. These systems are critical to the organization, but almost always fall into a cybersecurity blind spot, left unprotected from internal abuse and external attacks.

Onapsis Research Labs finds evidence of ERP exploitation

The need to secure ERP applications has never been more urgent. Hackers have the expertise to identify and exploit unprotected critical ERP applications.

More than 400,000 organizations rely on SAP software. At the heart of every SAP deployment is SAP Internet Communication Manager (ICM), the component that handles all HTTP requests and responses for SAP business applications. Earlier this year, Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and fix three critical security vulnerabilities affecting ICM.

The ICMAD vulnerabilities are tracked as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. The first received the highest possible CVSS score, 10.0; the other two scored 8.1 and 7.5, respectively. CVE-2022-22536, an HTTP request smuggling flaw in ICM, can be abused to compromise any Java or ABAP application based on SAP NetWeaver running with default configurations. This can be achieved with a single request sent to the commonly exposed HTTP(S) service, and no authentication is required.

The potential impact on the business can be huge. Successful exploitation of these vulnerabilities could allow an attacker to:

  • Steal critical customer and employee data
  • Take over user identities by stealing credentials and personal information
  • Exfiltrate sensitive or confidential company information
  • Carry out fraudulent transactions that cause financial harm
  • Change bank details in a financial recording system
  • Launch an internal denial-of-service attack that disrupts critical business systems

Onapsis and SAP have worked closely with customers, providing a free vulnerability scanning tool that lets any SAP customer scan their SAP landscape for applications affected by these vulnerabilities. Given the potential business impact, the US Cybersecurity and Infrastructure Security Agency (CISA) has added one of these critical SAP vulnerabilities, CVE-2022-22536, to its Known Exploited Vulnerabilities (KEV) catalog.

In the case of Elephant Beetle, the threat actor group documented by Sygnia, the attackers targeted unpatched ERP applications and web servers and meticulously planned staged financial theft operations. They spent several months preparing attacks that involved stealing small amounts of money at a time; stolen over long periods, these amounts usually added up to millions. Two of the security vulnerabilities exploited by Elephant Beetle affect SAP NetWeaver Java systems: CVE-2010-5326 and EDB-ID-24963. Both are quite old, and their exploitation prompted US-CERT (now part of CISA) to release its first-ever alert on ERP security in 2016.

Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to the two SAP NetWeaver Java vulnerabilities mentioned in the Sygnia report and found more than 350 exploit attempts since January 2020. The vast majority of the attempts observed by Onapsis originated from Asia and the United States, indicating that this threat is global rather than confined to one region. Why? It is easier than ever for motivated attackers to acquire the deeper knowledge and skills needed to carry out sophisticated attacks on complex, unpatched ERP applications.

Onapsis Research Labs also found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches after exploitation to cover their tracks. This trend demonstrates the need to shut down the entry points that threat actors use to get in in the first place, because once they are in, they stay for the long haul and their efforts pay off.

A better way to think about ERP security

ERP systems are complex, but ERP security doesn’t have to be complicated. It is of the utmost importance for organizations to strengthen their ERP security processes so that it is much more difficult for threat actors to achieve the initial compromise. Only then will there be real progress in reducing the risk posed by these critical vulnerabilities and protecting our most important business assets.

One of the ways organizations can stay ahead of threats is by seeking out and using targeted threat intelligence, which provides insight into the tactics, techniques, and procedures (TTPs) used by threat actors and enables protection before a patch can be applied. Threat intelligence programs can provide alerts on ransomware campaigns and actionable intelligence for security teams.

Onapsis Research Labs is the world’s premier team of security experts who combine their deep knowledge of critical ERP applications with decades of experience in threat research to deliver impactful security intelligence and threat intelligence focused on ERP systems. Onapsis automatically updates its products with the latest threat intelligence and security advice from Onapsis Research Labs. This provides customers with advance notification of critical issues, comprehensive coverage, hardened configurations, and pre-patch protection ahead of scheduled vendor updates. Ongoing discoveries from Onapsis Research Labs keep the Onapsis platform ahead of ever-evolving cybersecurity threats. Learn more about our solutions below:

Onapsis Assess for vulnerability management:

  • Understand your ERP environment. A graphical view of the systems and their interconnectivity provides insight into the applications, their usage and their main processes, as well as the main information assets they manage.
  • Identify and understand the risk. Automated assessments identify application-layer vulnerabilities, system-level misconfigurations, custom code issues, permission issues, and missing patches.
  • Reduce the attack surface. Continuous system health monitoring provides direct visibility into misconfigurations or unauthorized changes that could lead to security, compliance, or availability issues.

Onapsis Defend for threat detection and response:

  • Accelerate risk mitigation and resolution. Continuous monitoring detects internal and external threats as well as changes, transactions, and user activity that introduce risk or impact compliance.
  • Respond immediately to new threats. Integration with SIEM tools provides real-time alerts on potential new risks or evidence of exploits.
  • Prioritize corrective actions based on business risk. Alarm notifications include detailed threat information, an explanation of the business risk, and the probability that the attack succeeds.

Onapsis Control for application security testing:

  • Integrate security into your development processes. Automated analysis, enforced approval workflows, and integrations with development environments enable a left-shift approach to DevSecOps.
  • Reduce manual effort in change management processes. Automated code analysis quickly identifies security, compliance, and quality issues before they cause problems.
  • Ensure the stability, availability and performance of the ERP system. Custom code analysis and review captures issues that could put your organization at risk of attack, non-compliance, or application downtime.
  • Understand business impact and prioritize risks. Identified issues are labeled according to their severity, impact on the business, and the steps to be taken to address them.