00:00:00: The SAP zero day.
00:00:02: That changed everything.
00:00:04: My name is Cecilia Giloy and I will be managing today's session.
00:00:08: Before we get started, I have some housekeeping notes.
00:00:11: First,
00:00:11: I want to point out the questions module in the ON24 platform.
00:00:15: We welcome you to enter your question at any point during the presentation, and if time allows,
00:00:21: we will answer whatever questions we can at the end of this session.
00:00:24: Also, there is an option to request a meeting with our experts.
00:00:28: Feel free to fill out the form on the left-hand side.
00:00:32: You can always adjust the size of the media player, make it bigger or smaller depending upon your preference.
00:00:37: And finally, please note that this session is being recorded.
00:00:41: We will share a link after we wrap up today.
00:00:45: Now I'm going to go over our presenters with us.
00:00:49: Today we have Ignacio Favre, Senior Offensive Security Researcher at Onapsis, and Fabian Huck, Senior Offensive Security Researcher at Onapsis as well.
00:00:59: They will be taking us through a comprehensive analysis of the SAP zero-day vulnerability, and with that, I'm handing it over to our speakers.
00:01:09: Hello everyone!
00:01:10: I am really glad to be here today presenting this interesting topic for you.
00:01:27: Yes, thank you.
00:01:28: Thank you, Pato. Hello everyone.
00:01:30: My name is Fabian.
00:01:31: I'm also working as a security researcher here at Onapsis, now for almost two and a half years.
00:01:38: And yeah, also happy to be here today to give you some insights into one of the subjects we worked on over the last year. And I think before we start, we wanted to emphasize that the work we present here today is not only the result of the effort spent by the two of us, but it's basically something a lot of people worked on, with cross-functional teams working together.
00:02:01: So what is the plan for today?
00:02:04: We quickly want to describe to you what the Onapsis Research Labs are, who we are and what they're doing.
00:02:12: We will then go into the subject, which is the SAP zero day, after a quick introduction and a
00:02:21: timeline of the chronological order of events that happened last year.
00:02:25: We will then go more into the technical part of this session, where we'll also show you how the vulnerability was exploited.
00:02:34: At the very end, we look at the defense side and actually how we can protect against it.
00:02:38: At the very end there will be a chance for Q&A as well.
00:02:44: All right.
00:02:45: So let's start with the Onapsis Research Labs.
00:02:51: We are primarily working on two areas.
00:02:54: First of all, we're working on collecting global threat intelligence data, which is based on a honeypot network that we employ in order to observe what attackers actually do out there when they try to attack and infiltrate SAP systems.
00:03:09: So basically we try to capture which techniques and procedures the threat actors make use of.
00:03:16: And then on the other hand, we have the proactive vulnerability research, where we're working closely together with SAP's product security response team in order to eliminate previously unknown vulnerabilities.
00:03:31: And then after all, the learnings and knowledge we gather throughout those main tasks go directly into our products, which is the Onapsis Platform.
00:03:41: The Onapsis Platform is something clients can make use of in their own network in order to protect their systems, also against the most recent threats we observe in the Onapsis Research Labs.
00:03:55: Great!
00:03:56: So what are we going to talk about today?
00:03:58: It's the SAP zero day wake-up call.
00:04:01: What happened last year was actually something that we have not seen, at least not on this scale, in the SAP ecosystem before, because we saw different kinds of threat actors exploiting a previously unknown vulnerability.
00:04:18: So basically a security issue in a specific SAP software component that no one was aware of at that time, except for the threat actors themselves.
00:04:29: A really dangerous capability the attackers had here, and they used or utilized it at a massive scale.
00:04:38: So we have seen different kinds of threat groups capitalizing on these issues, and we've seen SAP releasing an emergency patch and follow-up patches to protect the SAP customers.
00:04:51: But still, or still today, we're seeing threat actors continuously scanning for potentially vulnerable systems that do not have the patches applied.
00:05:01: All right.
00:05:03: So now let's look closer into what exactly, yeah, kind of events happened last year, and Pato will give us, yeah, some insights into the timeline.
00:05:16: Correct. Well, April '25 hit a critical turning point for the SAP landscape with the public disclosure of this zero day, as I was mentioning, and SAP performed exceptionally well, releasing an out-of-band patch.
00:05:41: We have public awareness of this one.
00:05:44: By the time, how it works.
00:05:54: So based on this research that we performed, we were able to provide input to SAP in order to provide a full patch on May 13th.
00:06:04: But also in parallel, our engineering teams were working around the clock to provide twenty-nine product updates between these weeks, to protect all customers and SAP operators altogether.
00:06:19: So also at the same time we started to see massive waves of attempts, previously dropped web shells, and in August the ShinyHunters threat group also released a public exploit, a fully working public exploit of the final vulnerability.
00:07:06: From there, well, we started also capturing not only opportunistic attacks or attempts to reproduce this attack, but also abuse of this public exploit in order to gain access to SAP systems through this now-public vulnerability.
00:07:27: So JLR also in September disclosed a cyber incident that put the factory down for several weeks, with a lot of profit losses.
00:07:41: And ShinyHunters, the same threat group that released the public exploit in August, claimed responsibility, also saying or claiming they were able to compromise this company through an SAP network vulnerability.
00:08:01: So based on what was published, the exploit, and also their claim with some screenshots in internal channels that they were able to compromise it, we can potentially say maybe it was actually behind this attack, using this vulnerability.
00:08:25: So now we are going deeper into the technical stuff regarding these specific CVEs.
00:08:36: This CVE is based on a deserialization vulnerability, which is not something only related to SAP, or Java.
00:08:47: It could be in any kind of language.
00:08:50: In this case we are going to explain Java specifically, because it's the technology behind this SAP component.
00:08:59: On the left side we have an instance of a class, which is usually called an object, which is a unit of data inside the running process.
00:09:11: In this case, we have John Doe with an ID and a role in the company.
00:09:19: To be able to store or transmit information through the network, it usually needs a format.
00:09:29: So that is the serialization process: formatting the data information.
00:09:33: In this case we put it with semicolons in the middle.
00:09:36: That afterwards can be reconstructed and recovered, which is the other process, the deserialization process.
00:09:46: Reconstruct this formatted data into an object again that Java can handle.
00:09:54: When this process of deserialization is executed or triggered, most of the time, it's the most typical one,
00:10:04: readObject is executed.
00:10:06: That's why we highlighted it there. So we know every time a deserialization process is executed, that method and action will be executed.
00:10:18: So give us the next slide.
00:10:23: It shows us the first requirement to exploit this kind of vulnerability, that is the gadget chain.
00:10:30: What is the chain?
00:10:32: We're starting from a point where we know that readObject is going to be executed, but maybe it's not something really interesting; I mean, it doesn't do anything dangerous.
00:10:43: So we need to chain with other actions that end up in what you call the sink.
00:10:51: That is something, some interesting action.
00:10:55: So we need to chain different methods of different classes or different objects to be executed.
00:11:05: This demonstrates also, we wanted to highlight here, the complexity and high expertise of the attacker, because they combined some well-known parts of gadgets, from public gadgets that are well known, but also SAP custom code.
00:11:26: Combining these two worlds, the attacker was able to reach a point where the sink ended up in custom code execution in the SAP system itself.
00:11:42: So I will hand off to Fabi so he can explain the second requirement.
00:11:47: All right, thanks Pato!
00:11:50: As we have seen, as Pato discussed, the attackers now had that malicious or complex gadget chain they could use to craft a malicious object, and then when they are able to send this object into the system, it gets deserialized.
00:12:06: This is actually the point in time where the payload is triggered, which brings us to the second requirement, which is actually to look for a certain entry point where they can send their malicious object towards, and then it gets deserialized to trigger the actual exploit.
00:12:25: And what the attackers found here was a really dangerous entry point, because inside the SAP NetWeaver Visual Composer component, the attackers found a specific HTTP endpoint that's known as the Metadata Uploader endpoint, which accepts a file, and within that file there could have been hidden that malicious object, the malicious serialized data stream,
00:12:52: which, when arriving at the HTTP endpoint, was being deserialized.
00:12:58: And a critical factor about this endpoint is also that it's available through HTTP without any kind of authentication.
00:13:06: So any anonymous user in the network who's capable of reaching that HTTP endpoint via their network could trigger the exploit, so it's really dangerous. Now, when we look at the public exploit that has been circling around the internet since August last year, we can derive some conclusions or make some assumptions about the capabilities the threat actors actually had.
00:13:36: So what you can see here on this slide are three code snippets from that public exploit.
00:13:42: And the first one here shows us that the attackers, for part of the gadget chain, leveraged known gadgets, as Pato explained to us, from the well-known framework that is called ysoserial.
00:13:58: And since ysoserial, when writing the output to the malicious byte stream, inserts some hard-coded values into that byte stream, the attackers here, as you can see in that code snippet, try to replace those known hard-coded values with other strings, probably to evade classic signature-based detection.
00:14:27: In the second snippet, in the middle of this slide, there is another very interesting aspect, because here you can see that the exploit actually checks if the target system has a certain version, and then, depending on the version, the payload is adapted.
00:14:43: This shows us that probably the attackers had access to multiple systems in order to test their exploit,
00:14:50: to make it more stealthy or more reliable when being executed against multiple systems.
00:14:57: And then the last code snippet here on this slide is basically referring to these indicators here that this exploit potentially has been leaked by the ShinyHunters threat crew.
00:15:13: When we look beyond ShinyHunters at other threat actors that were linked to activities around this zero day, we can see different kinds of incident response firms and security providers tracked back activity to,
00:15:31: yeah, a variety of APT groups, including nation-state ones, but also ransomware groups or even initial access brokers.
00:15:40: So in the case of the initial access brokers, we are speaking about cyber criminals that infiltrated company networks and then sold that network access to other cyber criminals.
00:15:55: When we look at the spectrum of targets, different kinds of industry sectors were targeted with this exploit, including for example critical infrastructure but also financial services, and all of these across multiple regions.
00:16:13: When it comes to the techniques used by the threat actors, we are seeing that they really implemented advanced attacks, such as encrypting their command and control communication. And yeah, they primarily uploaded web shells to the system
00:16:35: to maintain or establish remote access that resides even if the system is patched.
00:16:42: So if those web shells are still there, the attackers still have that remote access.
00:16:49: This is actually one of the things we want to look at now.
00:16:53: We basically wanted to provide some transparency around this exploit, because on the defense side, we can only protect against the threat actors and the attackers by also really knowing how they act.
00:17:08: And now Pato will show us some attack scenarios.
00:17:19: We're starting with what I just mentioned: basically what you see most commonly, the threat actors using the exploit to upload what is known as a web shell.
00:17:29: So here you see Pato executing the exploit against the target system, and it's really just executing that command.
00:17:43: And as you can see, very quickly the web shell got uploaded to the system.
00:17:48: Here it is, like a random name of characters for the web shell file, and now it's as simple as accessing that web shell via HTTP, specifying the commands to be executed in this CMD file.
00:18:04: Maybe you can make that perfect.
00:18:06: Thanks Pato.
00:18:08: Now you can see that this command is being executed as the so-called <sid>adm user, and that user account is a very special user in the SAP world, because it's basically the SAP system administrator.
00:18:23: Now, as you can see, Pato is pulling that entry from the passwd file, and you see it's the SAP system administrator.
00:18:32: So under this user context, the attackers now execute commands on the server, meaning they can upload files to the server, but they can also download all SAP-related data. And one such critical file at the file system level of the server is the so-called SecStore.properties file,
00:18:52: which
00:18:52: acts as a credential store, and Pato will now basically show us where this file lives.
00:19:01: Yes, one thing that I want to highlight also is, as we showed, the attacker only needs to know the SAP host and port; without anything else, it's enough.
00:19:13: So any kind of public SAP system that has this exposed, internet-exposed component, it's the only necessary requirement.
00:19:25: I mean, they don't need to have any kind of users.
00:19:27: So only host and port is enough to execute a web shell.
00:19:31: Before, I was showing a little bit about the place in which usually the web shells reside.
00:19:37: But also here we have access to this.
00:19:40: I mean, we can consume or read these files.
00:19:43: Also I can, for instance, bring the content of that file quickly. Sorry, I have a mistake in the command; let me remove this one.
00:19:57: Yes!
00:19:58: I can print out information from that file.
00:20:03: In terms of speeding up this presentation a little bit, I already have here these two secure stores, which contain passwords, credentials, to be more precise, for the database.
00:20:21: So this Python script is well known from eight years ago, more or less, so we are also using public scripts to decrypt this information.
00:20:34: So as we can see, with these files we can obtain the credentials for the database, and from there, for instance, I can execute other queries to exfiltrate data or to manipulate data.
00:20:51: I will do that; of course, I have pre-created the SQL query in order to be quicker.
00:21:01: So here I can show, for instance, this is a PI/PO system, so it has some information that is transmitted between different SAP systems.
00:21:14: and I have an example.
00:21:19: As we mentioned, this is some data in transit.
00:21:23: So I'm not actually modifying the payment itself, but to show you that I can update this information, in this case, okay?
00:21:36: Okay, this is the attacker; I will replace it
00:21:37: with something else. I would say, okay, I will put
00:21:42: "Fabi was here", in order to change these a little bit.
00:21:49: This row was affected, so I will re-query the information, and it should be okay.
00:22:04: Just to make Fabi smile a little bit here with that update.
00:22:13: And after all, as a final step, I want to show you something extra: stopping the SAP system.
00:22:26: So I will execute this command, and I have an OK here, so it was properly executed. If I access the SAP system again, it will work for a couple of minutes.
00:22:44: In the meantime I can click a little bit.
00:22:48: Let's say once you go here, it's still working; let me go to the web shell quickly, or let me refresh.
00:23:01: And yes, as you can see, this system is not available anymore.
00:23:07: So we can query some information and update it from the database because the user is highly privileged in regards to the SAP system.
00:23:22: With this public vulnerability, the SAP system, okay,
00:23:28: the availability is gone.
00:23:31: So I think for you also it's really important.
00:23:38: Besides the technical details, I will stop sharing my screen now so we can go back to the presentation.
00:23:46: How do we remedy and defend against these highly critical
00:23:51: and high-impact vulnerabilities?
00:23:55: All right, thanks Pato.
00:23:57: Thanks for the demo.
00:23:59: So yeah, as Pato already mentioned, SAP released patches specifically addressing this vulnerability and this endpoint, but our team members, and the two of us, tried to understand if there were other entry points, but also gadgets, attackers may use to run similar attacks.
00:24:24: So throughout this research last year we identified a set of additional vulnerabilities, as you can see here on the slide, including new entry points that were also partially available without authentication, or even a new gadget that attackers may use to craft their gadget chain.
00:24:45: And we reported all of these to SAP following the responsible disclosure process, and SAP was super fast in developing additional patches for those issues we found.
00:24:58: And for the specific security notes, I will now hand back to Pato.
00:25:05: Yes, as Fabi mentioned, there are a lot of notes related to this vulnerability, because of the really quick response from SAP in order to protect their customers in regards to this, but also the extra entry points and gadgets that we found in our research labs.
00:25:29: So here we summarize all these notes, and highlighted one specifically, because it protects not only against this vulnerability, but maybe many other future vulnerabilities,
00:25:43: because, as the title says, deserialization class filtering, which means that, remember the gadget chain
00:25:50: that we presented to you,
00:25:51: that requires several classes chained all together in order to execute some dangerous stuff?
00:25:58: Well, these notes explain how to filter, or protect, or block
00:26:03: some of these classes from being deserialized.
00:26:06: So if the Java virtual machine tries to deserialize one of these classes, based on that configuration, it will be restricted.
00:26:15: Also we highlight another note that shows you how to find some indicators of compromise, specifically web shells.
00:26:29: So scan for these vulnerabilities, scan for the indicators of compromise.
00:26:35: Last but not least, we put here the Onapsis joint tool with Mandiant, which is open source, in order to protect not only our customers but also the community.
00:26:46: That helps you in that task.
00:26:49: Again, scanning for vulnerable systems, also scanning for indicators of compromise in regards to these CVEs.
00:26:59: So now we want to show you how Onapsis protects you against this CVE, with a pre-recorded demo about the alerts and everything that is shown in our platform.
00:27:14: I will share the recording.
00:27:22: Hello, good morning.
00:27:24: Here we have the Onapsis Platform,
00:27:27: which is able to go beyond the CVEs that we've been talking about today, and how Onapsis is helping its customers in detecting and protecting from these CVEs,
00:27:42: and other CVEs, right?
00:27:43: So first we'll go directly to what the proposal is today for those CVEs, so one of two bigger things.
00:27:52: With Onapsis we have our threat intel center here.
00:27:55: You will see those CVEs that we have been talking about today; they were between April, May, July, September, October, November and January.
00:28:04: But let's focus on what we are providing to our customers, right?
00:28:08: So for example, our customers are easily able to access the active exploitation of critical vulnerabilities.
00:28:22: Actually, the last update was on August 27th with all the required CVEs, etc.
00:28:29: And then if we click here, we will have some explanation or description of what those CVEs are about.
00:28:36: That's what Michael Lief has been explaining today, and we have 31324 and 42999, etc.
00:28:47: But then what is important for our customers?
00:28:50: It's: what are the affected systems,
00:28:52: right?
00:28:53: So here we see that at the time that we released it and we scanned it.
00:28:58: So you will see quickly that those CVEs are on one of my systems.
00:29:03: Actually, in this environment we have system DJ4, which has both CVEs.
00:29:12: It's affected by both CVEs, etc.
00:29:15: We already know that those are exploitable, right?
00:29:19: They are being exploited, as I've already explained, and that's why we are marking it with a bomb, to allow our customers to really prioritize those ones.
00:29:32: Okay, so for example for CVE-2025-31324, if we're going deeper we will be able to see, first of all, let's go for the technical solution, right, where what we are providing is a description.
00:29:48: A description of what Visual Composer is.
00:29:53: What's the issue that we are checking, and why we are checking?
00:29:56: We are also providing a business impact.
00:29:59: So we are allowing you to go to the management and share the information about the business impact if we are not mitigating this issue as soon as possible.
00:30:14: And then the technical solution.
00:30:16: Actually, it's kind of easy in these cases, because it is a Java system.
00:30:22: So we need to apply the information which is in this note 3594142, which is usually an SCA, which needs to be uploaded into the system.
00:30:36: Okay?
00:30:37: We are also having external references, which apply to two different SAP security notes,
00:30:43: if our customers are willing to check the SAP security notes. Also providing a CVSS score and attack vector associated with that.
00:30:59: Furthermore, probably you don't have the capabilities, or the customer doesn't have the capabilities, to correct that right away.
00:31:07: Usually there's downtime required, etc.
00:31:10: So we are allowing our customers to create right away a compensating control.
00:31:17: What does it mean?
00:31:18: A compensating control would mean that we actively will add this system into the Defend rules, so you'll be able to check in your logs if any attack could compromise it
00:31:35: using this vulnerability. It is as easy as
00:31:40: creating and associating this compensating control; now we see the Defend coverage, everything on screen.
00:31:46: So it means, even though we did not patch, right?
00:31:50: We have the compensating control in place.
00:31:54: So we are alerting you if something is happening.
00:31:58: Also, if you want to assign it to a user,
00:32:01: you are able to assign it to the users.
00:32:04: So for example, one of my colleagues, Brian, will be taking care of that, and then he'll set the proper status, like open, closed or in progress.
00:32:16: Also, if you say that it will be corrected in a couple of weeks, when we are able to shut down the system and apply the patch, then you can accept it until one day, a couple of weeks from now on, okay?
00:32:31: And how do you see this?
00:32:33: On the defense side, most customers are integrating with the majority of SIEMs which are in the market, and most of the SOC teams are working based on that SIEM information.
00:32:50: So we're feeding that information to these SIEMs.
00:32:54: Then they will be able to see this information.
00:32:57: That'll probably appear as a notable event.
00:33:00: I can give you an example. I don't have any attack against this system, for example, but here is one which is an access to an unauthenticated URL without credentials.
00:33:14: So what we are providing is the different attacks that we have seen in this system.
00:33:23: We're giving the root cause.
00:33:25: What is the solution?
00:33:27: In our case it will be applying the related patch that SAP released, but also, if somebody is trying to exploit this vulnerability, we will deliver it to the SIEM.
00:33:43: The raw event details, which say when it was extracted or executed against which ERP system,
00:33:53: etc.,
00:33:55: all information required for the SOC team to interact with the SAP people in the mitigation process and the incident response against that.
00:34:10: So thank you very much!
00:34:19: All right, great.
00:34:21: So now we're coming to the end of this session.
00:34:25: We wanted to quickly wrap things up and also derive some learnings.
00:34:30: What can we actually learn from what happened last year?
00:34:34: And how can we apply those learnings in the future?
00:34:38: So basically, we have seen that attackers are advancing when it comes to attacking SAP software systems.
00:34:46: The sophistication level of the zero-day exploitation we've seen last year is something. They
00:34:54: were capable of developing an exploit that was specifically tailored to SAP system software.
00:35:07: They leveraged a specific SAP software library, or vulnerabilities in the library, to craft their exploits and the gadget chain.
00:35:17: And this is something we haven't seen before, and it clearly shows us, for us as SAP defenders and operators,
00:35:25: we have to really make sure that we integrate SAP software systems in our patch management process,
00:35:38: patch implementation in the SAP space.
00:35:42: And even if we are looking into the cloud and our RISE journey, for example, we have to understand that there is a shared security responsibility model, and we still have to make sure that we keep our systems secure there.
00:36:00: With that being said, I think we are close to the end of our session; here are some links and resources for you to get a little bit more information about what we discussed today.
00:36:13: And yes, now it's time for questions, and I hope we can give you some answers.
00:36:32: As Fabian said, we have some time for Q&A and we already had a few questions coming in.
00:36:37: So let me start with the first one.
00:36:40: What are the primary indicators of compromise that should be looked at in our SAP logs?
00:36:53: Do you want to take that part, or
00:36:54: not?
00:36:56: You're on mute; we can't hear you.
00:36:57: Sorry,
00:36:58: I was muted.
00:36:58: Now, where do I go again?
00:37:05: Yes, we mentioned that most typically the starting point is a web shell, but it could be... I mean, we have found a variety of different types of attacks.
00:37:15: More complex or simpler ones.
00:37:19: So for instance, we had found encrypted web shells, also besides the most typical one that was shown with the public exploit.
00:37:28: So the tool is a good way to identify these IOCs; also inspect the logs.
00:37:37: We have several blog posts
00:37:39: in regards to this CVE, again the tool, the patch notes, and well, of course,
00:37:46: yeah, Onapsis has all this knowledge included in the platform.
00:37:52: So basically the main IOCs would be web shells and the trace files from the Java system.
00:38:03: Hope that helped answer your question.
00:38:08: Thank you, then I will go to the next one.
00:38:11: Where does this vulnerability sit on the risk spectrum relative to recent SAP critical updates?
00:38:23: Okay, I can take that one.
00:38:26: So yeah, first of all it's important: when the first threat actors started exploiting this vulnerability, there was no patch available, which made it very critical compared to vulnerabilities that are already patched, the so-called n-days.
00:38:50: In the case of these issues, a zero day being actively exploited, and then after that SAP released an emergency patch super quickly.
00:39:03: When we look at the security notes that were released in the latest months or years, on that end I think last year was one of the peaks
00:39:15: in terms of the number of security notes being released, with over two hundred, and still this year, now considering the Patch Tuesdays,
00:39:28: we have
00:39:28: already seen, I don't know, I think sixty vulnerabilities or more being patched.
00:39:33: So there is this steady increase we are observing right now, and that's also... So the steady increase in the number of vulnerabilities being patched?
00:39:44: That's also why I would like to emphasize again to prioritize patch management, including SAP software systems in the patch management cycle.
00:39:55: And when it comes to criticality, I think also this year we have seen some critical vulnerabilities, and that again underlines why it's so important to
00:40:10: consider SAP software in the patch management process.
00:40:21: Then I would say that brings us to time.
00:40:24: For any other questions in the chat, we will be reaching out to you individually to get those answered as well.
00:40:30: Also, just a brief reminder for everyone listening that this session has been recorded, and a link to the recording will be emailed afterwards.
00:40:38: And with that, thanks again
00:40:40: to our speakers and everybody joining today. Have a good day!
00:40:44: Thank you.