Ongoing attacks are targeting unsecured mission-critical SAP apps. Is Your Organization Protected?

Threat actors are targeting mission-critical SAP applications unsecured against already patched vulnerabilities, exposing the networks of commercial and government organizations to attacks.

Over 400,000 orgs worldwide and 92% of Forbes Global 2000 use SAP’s enterprise apps for supply chain management (SCM), enterprise resource planning (ERP), product lifecycle management (PLM), and customer relationship management (CRM).

SAP and cloud security firm Onapsis warned of these ongoing attacks today, and have worked in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s cybersecurity agency BSI to warn SAP customers to deploy patches and survey their environments for unsecured apps.

“We’re releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected,” Tim McKnight, SAP Chief Security Officer, said. “This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise.”

According to an alert issued by Cyber Security & Infrastructure Security Agency (CISA) today, organizations impacted by these attacks could experience:

• theft of sensitive data,
• financial fraud,
• disruption of mission-critical business processes,
• ransomware, and
• halt of all operations.

Patching vulnerable SAP systems should be a priority for all defenders since Onapsis also found that attackers start targeting critical SAP vulnerabilities within less than 72 hours, with exposed and unpatched SAP apps getting compromised in less than three hours.

Targeted SAP vulnerabilities

The threat intelligence collected and published by Onapsis in coordination with SAP shows that they “are not aware of known customer breaches” resulting from this malicious activity.

However, it reveals that SAP customers still have unsecured applications in their environments visible via the Internet, and exposing the organizations to infiltration attempts via attack vectors that should’ve been patched years ago.

Since mid-2020, when Onapsis started recording exploitation attempts targeting unpatched SAP apps, the firm’s researchers found “300 successful exploitations through 1,500 attack attempts from nearly 20 countries between June 2020 and March 2021.”

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems.

In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to “maximize impact and potential damage.”

“Observed exploitation techniques would lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” Onapsis explained. “With remote access to SAP systems and mission-critical applications, the need for lateral movement is nearly eliminated, enabling attackers to reach and exfiltrate business-critical data more quickly.”

The vulnerabilities and attack methods used throughout this ongoing malicious activity highlight in the joint threat report published by Onapsis are:

• Brute-force attacks targeting unsecured high-privilege SAP user account settings
• CVE-2020-6287 (aka RECON): a remotely exploitable pre-auth vulnerability that enables unauthenticated attackers to take over vulnerable SAP systems.
• CVE-2020-6207: maximum severity pre-auth vulnerability that could also lead to the takeover of unpatched SAP systems (fully-working exploit was released in January 2021, on GitHub). Onapsis has seen a significant increase in exploit activity targeting this bug since the exploit was published, detecting 756 probes from 34 distinct IP addresses.
• CVE-2018-2380: enables threat actors to escalate privileges and execute OS commands after exploitation, allowing them to gain access to the database and to move laterally across the network (34 incoming exploitation attempts from 10 distinct IPs were detected by Onapsis, with web shells being deployed after successful exploitation)
• CVE-2016-95: attackers can exploit this bug to trigger denial-of-service (DoS) states and gain unauthorized access to sensitive information.
• CVE-2016-3976: remote attackers can exploit it to escalate privileges and to read arbitrary files via directory traversal sequences, leading to unauthorized disclosure of information. Exploits that can be used to fully compromise unpatched and exposed SAP systems were publicly released in 2016.
• CVE-2010-5326: allows unauthenticated threat actors to execute OS commands and access the SAP app and the connected database, thus gaining complete and unaudited control of the SAP business information and processes. (206 exploitation attempts detected since mid-2020, coming from 10 unique IP addresses)

We are Here for You.

You don’t have to be an expert in security to protect your business. You just need a simple unified security platform and a partner who puts you first.

With over 33 Years in the Information Security industry, Computech has got you covered with an array of Security Solutions that will protect your digital business with continuous threat protection. Simply and effectively. So, you can get back to building your business.

Ready to get started? We are giving you a Free Session with our Info-Sec Consultants to learn how to get complete protection for your business and choose the most suitable security solution for your business needs.

Get Your Free Consultation

Contact Us

Feel free to inquire about our IT Solutions, we will be glad to assist you.