A China-linked hacker group, tracked as Earth Lamia, has been linked to a series of cyberattacks exploiting a critical security flaw in SAP NetWeaver, affecting organizations in Brazil, India, and throughout Southeast Asia.
According to Trend Micro's Joseph C Chen, the attackers primarily exploit SQL injection vulnerabilities to gain access to the SQL servers of targeted organizations. The group has also been linked to the exploitation of several known vulnerabilities in public-facing servers across countries including Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Active since 2023, the group's activity has raised substantial cybersecurity concerns in the region.
Recent analyses reveal that Earth Lamia's tactics include deploying post-exploitation tools such as Cobalt Strike and using legitimate programs to tamper with Windows event logs. Notably, there have also been attempts to deploy Mimic ransomware against Indian organizations; these efforts have had little success, as the malware frequently fails to execute.
Trend Micro emphasized that the group's focus is evolving: it has shifted from primarily targeting financial services to a broader set of targets that includes logistics, online retail, IT companies, universities, and government entities. The group's toolset also includes backdoors such as PULSEPACK, an advancement in its attack tradecraft that suggests its cyber capabilities are still under active development.