Threat actors target vulnerable critical SAP applications

Threat actors target vulnerable critical SAP applications

Security experts from Onapsis and SAP have released a new threat intel report for SAP customers that warns of cyber threat actors targeting unprotected SAP applications.

SAP develops enterprise software to help organizations manage business operations, customer relations and supply chain management.

The report includes details on multiple threat vectors as well as guidance to help mitigate those threats.

“SAP and Onapsis strongly advise organizations to take immediate action including swift application of the relevant SAP security patches and a thorough review of security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments,” Onapsis wrote.

SAP has made patches available for months, if not years, to mitigate these threats. However, SAP and Onapsis continue to spot organizations that still have not applied the patches.

A few of the key findings from the Onapsis report include:

  • Threat actors are “active, capable and widespread” — examples include evidence of more than 300 automated exploitations that leverage seven SAP-specific attack vectors and more than 100 hands-on-keyboard sessions.
  • Window to patch is small — actors weaponize critical SAP vulnerabilities in 72 hours and can compromise newly provisioned, unprotected SAP apps in cloud (IaaS) environments in less than 3 hours.
  • Exploitation can lead to full control of unsecured SAP applications and lead to severe security and compliance impact.

SAP mitigations

One of those vulnerabilities patched in July 2020 was dubbed RECON (CVE-2020-6287), that affected SAP NetWeaver AS for Java component , which misses an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.

Security researchers from Onapsis Research Labs and the SAP Security Response Team jointly discovered the RECON vulnerability that affected nearly 40,000 SAP customers and 2,500 internet-facing SAP servers.

A second threat was related to unsecure configurations of SAP servers and was mitigated May 2, 2019. In a report published by Onapsis, organizations were warned of threat actors using exploit tools such as “10KBLAZE” to target internet-facing SAP servers with unsecure configurations. As a result, Onapsis and SAP provided mitigation guidance to secure configurations to include the SAP Gateway ACL, SAP Router secinfo, and SAP Message Server.

Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) issued previous alerts on older SAP threats and mitigations, such as malicious cyber Activity targeting ERP Applications (July 25, 2018) and exploitation of SAP business applications (May 11, 2016).

SAP customers are strongly encouraged to download the Onapsis report and apply necessary patches and configurations if not already done so.

Related Articles