Active Cyberattacks on Business-Critical SAP Applications
SAP and Onapsis partner to release new threat intelligence on active threats
Defend your Business-Critical SAP Applications from Active Threats
On April 6, Onapsis and SAP released a new threat intelligence report to help SAP customers protect from active cyber threats seeking to specifically target, identify and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors. SAP and Onapsis strongly advise organizations to take immediate action including swift application of the relevant SAP security patches and a thorough review of security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments.
The U.S. Department of Homeland Security’s CISA and Germany’s Federal Office for Information Security (BSI) have also developed and released alerts and notifications on this matter.
SAP promptly patched all of the critical vulnerabilities observed being exploited, and have made them available to customers for months, and years in some cases. Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.
We highly encourage you to download the threat report to assess if you are at risk, and which actions to take immediately to protect your business. This report also details the specific techniques, tools and procedures (TTPs) observed by our experts, empowering defenders to respond to this activity as quickly as possible.
Some of the key findings in this threat intelligence report include:
- Threat actors are active, capable and widespread
Evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. Clear evidence of sophisticated domain knowledge, including the implementation of SAP patches post-compromise.
- The window for defenders is small
Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.
- Threats have both security and compliance impact
Exploitation would lead to full control of unsecured SAP applications, bypassing common security and compliance controls, enabling attackers to steal sensitive information, perform financial fraud or disrupt business-critical business processes by deploying ransomware or stopping operations. Threats may also have significant regulatory compliance implications, including SOX, GDPR, CCPA and others.
What To Do Next
FREQUENTLY ASKED QUESTIONS
The Onapsis Research Labs is sharing real-world observations and cybersecurity intelligence that reveal a complex threat landscape targeting business-critical SAP applications. From mid-2020 until publication of this report, Onapsis researchers have recorded more than 300 successful exploit attempts on SAP instances originating from 20 different countries. This significant exploit activity was related to multiple CVEs and insecure configurations.
Over the past several months, the Onapsis Research Labs has been observing constant and relentless malicious threat activity against known vulnerabilities (for which SAP has provided patches) and insecure configurations in SAP mission-critical applications and systems. This research provides the first conclusive evidence that sophisticated threat actors are actively exploiting SAP systems in the wild.
Yes, organizations should be concerned and must take immediate actions to determine if their SAP systems are still vulnerable (have not applied the patches) and if there are indicators of compromise. As an example, with the RECON vulnerability (CVE-2020-6287), which was identified by the Onapsis Research Labs and patched by SAP, Onapsis observed mass scanning for vulnerable systems within three days of the patch release, functional exploit code posted on GitHub after just four days, and confirmation of successful exploit code available to create an unauthorized admin user in just nine days. If the patch for RECON was not applied within that time period, it is highly likely those organizations were compromised.
This threat intelligence report is highlighting multiple known and existing SAP vulnerabilities and insecure configurations. By exploiting these vulnerabilities and misconfigurations, cyber actors can potentially gain unauthenticated access and/or set up admin user accounts which would enable them to access any SAP application, including but not limited to ERP, CRM, SCM, PLM, HCM, BI and Solution Manager (SolMan).
Yes, for years Onapsis and SAP have worked closely together to continuously improve the security of SAP software and solutions. In fact in 2020, the Onapsis Research Labs helped the SAP security team in detecting and solving four of the six vulnerabilities associated with HotNews notes that were released. And, in total, the Onapsis Research Labs supported SAP in patching 38 vulnerabilities.
The Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intelligence affecting mission-critical applications from SAP, Oracle, Salesforce and others. They have discovered over 800 zero-day vulnerabilities and multiple critical global CERT alerts have been based on their novel research.
For this threat intelligence report, the Onapsis Research labs observed these threats against unpatched and insecure SAP applications in the wild. Exact methods of observations are confidential for the purpose of ensuring that Onapsis can continue to monitor activity on these known vulnerabilities, insecure configurations and others to help protect SAP customers.
Onapsis research confirms not just the possibility, but the reality that the threat to unpatched and insecure mission-critical SAP applications is pervasive and ongoing, and requires immediate community-wide attention and collaboration to track, identify, defend against and neutralize these threats.
Although internet-exposed systems are more likely to be exploited and compromised, we observed strong evidence of persistent threats that exist in large networks and are equipped to compromise SAP systems from the inside. Beyond malicious activity targeting unpatched SAP systems, we also observed evidence of attacks against known weaknesses in application-specific security configurations, including bruteforcing of high-privilege SAP user accounts. Further, we have captured attempts at privilege escalation for OS-level access, expanding potential impact beyond SAP systems and applications.
Additionally, recent attacks such as those on Solarwinds have put thousands of organizations at increased risk.
If an unauthenticated attacker is able to gain access to an SAP system, the impact could be critical to catastrophic in some situations. Technically speaking, an attacker would be able to create a new user in the vulnerable SAP system with maximum privileges (Administrator role), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.
Having administrative access to the system would allow the attacker to manage (read/modify/delete) every record/file/report in the system. Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance. Exploitation of the vulnerability allows an attacker to perform several malicious activities, including:
- Steal personally identifiable information (PII) from employees, customers and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt the operation of the system by corrupting data or shutting it down completely
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
Many SAP mission-critical applications are likely to be under the purview of specific industry and governmental regulations, financial and other compliance requirements. Any enforced controls that are bypassed via exploitation of threats discussed in this report might cause regulatory and compliance deficiencies over critical areas such as:
- Data Privacy (e.g. GDPR, CCPA) due to unauthorized access of protected data, regardless of exfiltration
- Financial Reporting (e.g. Sarbanes-Oxley) due to unauthorized changes to financial data or bypassing of internal controls causing inaccurate financial reporting
If you are an Onapsis customer, you can use the Assess product in The Onapsis Platform to automatically assess your SAP landscape for unpatched systems, vulnerabilities and configuration issues. The Assess product will enable you to generate a report ranking any found issues by criticality and provide mitigation guidance in order to prioritize and streamline remediation.
If you are not an Onapsis customer, Onapsis offers a complementary cyber risk assessment that will show you where you have risk in your SAP landscape. Request a cyber risk assessment here. Additionally, SAP Basis teams can use SAP Solution Manager (SolMan) to generate SAP Security Notes reports that will be a more manual process.
It depends on how soon you were able to apply the patches. In the above question, “Should organizations using SAP be concerned?,” it was shown that functional public exploits targeting the RECON vulnerability were available only four days after SAP issued the patch. If your patch cycles are not immediate or are scheduled for specific maintenance windows, you should check for indicators of compromise on your organization's SAP systems.
Additionally, Onapsis observed bruteforce activities by cyber actors targeting well-known configuration issues such high-privileged admin accounts. You must check for records of rogue admin accounts created on SAP systems.
Onapsis strongly recommends that your organization perform a compromise assessment on all SAP systems that could be vulnerable to CVEs mentioned in the report.
The Onapsis Research Labs observed cyber actors with advanced knowledge of SAP logging into SAP systems and gaining access to critical applications, such as ERP, Supply Chain, CRM, PLM, HCM and BI. Because these applications contain personally identifiable information (PII), customer records, financials, intellectual property and more, there is a high probability that these sophisticated attackers know what they are looking for and where to find it.
The Onapsis Research Labs has observed activity from many foreign countries. Threat actors from other countries have also been observed logging in from the U.S. making it harder to detect exactly where the threats are coming from. At this time, the Onapsis Research Labs cannot definitively state that the malicious activity is related to nation state attacks.
Onapsis has observed both automated and more sophisticated attacks. Some of the most sophisticated attacks have shown that these cyber actors have an advanced understanding of SAP. In some cases, Onapsis has seen cyber actors exploit an unpatched system and later apply the patch to cover their tracks and maintain the access they were able to gain.
Should our organization be concerned about other vulnerabilities and configuration issues not mentioned in this briefing?
Yes, this report only focuses on a few critical issues. On a monthly basis, SAP releases security notes to help keep its customers protected from vulnerabilities. It is the responsibility of the organization to properly apply the patches from SAP and ensure configurations settings are secure.
The Onapsis Platform provides core product functionality to keep SAP mission-critical applications protected. With our Assess product, users can automate assessments to identify vulnerabilities and misconfigurations on SAP systems, understand the risk and business impact and prioritize remediation. With our Defend product, users can continuously monitor for active threats and misuse, set alerts to quickly respond to malicious activity and integrate with SIEMs.
Onapsis is also offering complimentary product and professional services offerings for customers to ensure they are properly protecting their mission-critical SAP applications. Additionally, Onapsis is offering open source tools to run a rapid assessment for vulnerable systems and detect for indicators of compromise (IOCs). These tools are available to download for free at the Onapsis github repository: https://github.com/Onapsis.
As mentioned in the above question, “What should we do to check for these vulnerabilities and configuration weakness?,” Onapsis offers a complimentary Cyber Risk Assessment service to identify existing vulnerabilities and misconfigurations in SAP systems. Additionally, for prospective customers, Onapsis is offering product trial and services packages to help protect your mission-critical SAP application today.
Additionally, Onapsis is offering open source tools to run a rapid assessment for vulnerable systems and detect for indicators of compromise (IOCs). These tools are available to download for free at the Onapsis github repository: https://github.com/Onapsis.
Onapsis cybersecurity experts from the Onapsis Research Labs and professional services organization are available to help. We suggest that you contact us for a rapid assessment of your SAP applications.