‘Dung deal’: Will a new SAP threat follow Elephant Beetle?

Elephant Beetle is not the first threat group to exploit SAP vulnerabilities.

Photo: Philipp Katzenberger via unsplash.com

The Elephant Beetle threat group has been exploiting old Systems Applications and Products (SAP) vulnerabilities, enabling it to siphon off millions of dollars from Latin American financial sector organizations. This is a concern given how widespread the use of SAP is: SAP makes enterprise resource planning software and is currently the world’s leading provider of business software solutions.

The entry point of the attacks is legacy Java applications running on Linux-based machines and web servers. Two of the vulnerabilities leveraged by Elephant Beetle affect SAP NetWeaver Java systems:

  • SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326).
  • SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963).

The very first US-CERT alert pertaining to the cybersecurity of SAP applications concerned CVE-2010-5326, way back in 2016. That alert, although issued in 2016, referred to a vulnerability that had been patched five years earlier. In other words, the exploited vulnerabilities are considerably old.

In relation to this latest cybersecurity fracas, additional investigations conducted by Onapsis Research Labs show that Elephant Beetle is not the first threat group to exploit these vulnerabilities. There are also fears that other malicious groups will follow.

It is galling for users of SAP that the vulnerabilities were discovered years ago and that patches exist for them. However, too many companies have failed to keep up with their patch management.

To give an idea of the scale of the issue, Onapsis Research Labs has observed in its own Threat Intelligence Cloud that there have been over 350 exploitation attempts of the same SAP vulnerabilities since January 2020.

The report finds that the key factor which differentiates Elephant Beetle from the countless other headlines recently in the news (such as ransomware) is the nature of their attacks, described as “methodical, sophisticated, and patient.”

In terms of the geographical origins, it is apparent that the vast majority of these attempts come from the U.S. and Asia. This means that it’s highly likely companies in the U.S., Asia and other regions are slowly leaking money to threat actors playing this long game, but just are not aware of it yet.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
