China-Linked Hackers Exploit SAP and SQL Server Vulnerabilities in Widespread Attacks

A sophisticated cyber threat group, identified as Earth Lamia, has been actively exploiting critical vulnerabilities in SAP NetWeaver and Microsoft SQL Server to infiltrate organizations across Brazil, India, and Southeast Asia since 2023. This group, believed to have ties to China, has been leveraging these security flaws to gain unauthorized access to sensitive systems and data.

Exploitation of SAP NetWeaver Vulnerability

In early 2025, Earth Lamia targeted a critical unauthenticated file upload vulnerability in SAP NetWeaver, designated as CVE-2025-31324. This flaw allows attackers to upload malicious files without authentication, potentially leading to full system compromise. The group utilized this vulnerability to deploy reverse shells, establishing persistent access to compromised systems. The exploitation of this vulnerability underscores the importance of timely patching and vigilant monitoring of enterprise resource planning (ERP) systems.

Targeting Microsoft SQL Server and Other Vulnerabilities

Beyond SAP NetWeaver, Earth Lamia has been exploiting SQL injection vulnerabilities in web applications to access Microsoft SQL Servers within targeted organizations. By injecting malicious SQL code, the attackers can manipulate databases, exfiltrate data, and escalate their privileges within the network. Additionally, the group has taken advantage of various known vulnerabilities in public-facing servers, including:

– CVE-2017-9805: A remote code execution vulnerability in Apache Struts2.

– CVE-2021-22205: A remote code execution flaw in GitLab.

– CVE-2024-9047: An arbitrary file access vulnerability in the WordPress File Upload plugin.

– CVE-2024-27198 and CVE-2024-27199: Authentication bypass and path traversal vulnerabilities in JetBrains TeamCity.

– CVE-2024-51378 and CVE-2024-51567: Remote code execution vulnerabilities in CyberPanel.

– CVE-2024-56145: A remote code execution vulnerability in Craft CMS.

By exploiting these vulnerabilities, Earth Lamia has been able to infiltrate various sectors, including logistics, online retail, IT companies, universities, and government organizations.

Tactics and Tools Employed

Earth Lamia employs a range of sophisticated tools and techniques to maintain access and evade detection within compromised networks. These include:

– Post-Exploitation Frameworks: Utilizing tools like Cobalt Strike and Supershell to establish command and control channels.

– Proxy Tunnels: Deploying utilities such as Rakshasa and Stowaway to create proxy tunnels, facilitating lateral movement within networks.

– Privilege Escalation Tools: Employing tools like GodPotato and JuicyPotato to escalate privileges on compromised systems.

– Network Scanning Utilities: Using Fscan and Kscan to identify additional targets within the network.

– Log Manipulation: Leveraging legitimate programs like `wevtutil.exe` to clear Windows event logs, thereby obscuring their activities.
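The log-clearing technique in the last item leaves two detectable traces: Windows itself records the clearing (Security event 1102, System event 104), and process-creation auditing records the `wevtutil.exe` command line. The following detector, an added example that is not part of the original article, flags both over a constructed set of normalised event records; the field names and hostnames are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not from the article): Security, System and Sysmon
# process-creation events as a SIEM might normalise them. Field names are assumed.
SAMPLE_EVENTS: List[Dict] = [
    {"channel": "Security", "event_id": 4688, "host": "web01", "user": "svc_iis",
     "command_line": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"channel": "Security", "event_id": 1102, "host": "web01", "user": "svc_iis",
     "command_line": ""},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "db02",
     "user": "sqlsvc", "command_line": "wevtutil.exe clear-log System"},
    {"channel": "System", "event_id": 104, "host": "db02", "user": "sqlsvc",
     "command_line": ""},
    {"channel": "Security", "event_id": 4688, "host": "ws15", "user": "alice",
     "command_line": "wevtutil.exe qe Application /c:5 /f:text"},
    {"channel": "Security", "event_id": 4688, "host": "ws15", "user": "alice",
     "command_line": "notepad.exe C:\\notes.txt"},
]

# Windows writes these when a log is cleared: 1102 in Security ("audit log was
# cleared") and 104 in System ("the <name> log file was cleared").
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Process-creation sources: Security 4688 and Sysmon event 1.
PROCESS_CREATE = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}
# wevtutil's clearing verbs are "cl" and "clear-log"; "qe" (query-events) is benign.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)


def classify(event: Dict) -> Optional[str]:
    """Return an alert label for a suspicious event, or None if it looks benign."""
    key = (event["channel"], event["event_id"])
    if key in LOG_CLEARED:
        return "log_cleared"
    if key in PROCESS_CREATE and WEVTUTIL_CLEAR.search(event.get("command_line", "")):
        return "wevtutil_clear_command"
    return None


def detect_log_clearing(events: List[Dict]) -> List[Dict]:
    """Run classify() over a stream of events and collect the alerts with context."""
    alerts = []
    for e in events:
        label = classify(e)
        if label:
            alerts.append({"host": e["host"], "user": e["user"],
                           "event_id": e["event_id"], "alert": label})
    return alerts


if __name__ == "__main__":
    for a in detect_log_clearing(SAMPLE_EVENTS):
        print(a)
```

Both signals should be correlated: a `wevtutil ... cl` command line followed by a 1102/104 event on the same host is a far stronger indicator than either alone, and a 1102 with no preceding process-creation record suggests auditing gaps.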

In some instances, the group has attempted to deploy Mimic ransomware binaries to encrypt victim files. However, these efforts have often been unsuccessful, with the attackers seen attempting to delete the binaries after deployment.

Geographical Focus and Evolution of Targets

Initially, Earth Lamia concentrated its efforts on financial institutions, particularly those related to securities and brokerage. However, their focus has since shifted to a broader range of industries, including logistics, online retail, IT companies, universities, and government organizations. The group’s primary targets are located in Brazil, India, and Southeast Asian countries such as Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.

Recommendations for Mitigation

Organizations are advised to implement the following measures to mitigate the risk posed by Earth Lamia and similar threat actors:

1. Apply Security Patches Promptly: Regularly update and patch all software, especially ERP systems like SAP NetWeaver and database servers like Microsoft SQL Server, to address known vulnerabilities.

2. Conduct Regular Security Assessments: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within the organization’s infrastructure.

3. Implement Network Segmentation: Segment networks to limit lateral movement by attackers and protect critical systems from unauthorized access.

4. Monitor for Anomalous Activity: Utilize intrusion detection and prevention systems to monitor for unusual activity that may indicate a security breach.

5. Educate Employees: Provide ongoing cybersecurity training to employees to raise awareness about phishing attacks and other common threat vectors.

By adopting these proactive measures, organizations can enhance their security posture and reduce the likelihood of successful attacks by sophisticated threat actors like Earth Lamia.