10KBLAZEProtection from a Cyber Exploit With the Power to Burn Financial Statements

10KBLAZE is the name that Onapsis uses to refer to a set of publicly-released SAP exploits. The name was chosen given the high risk that these exploits carry to potentially affect critical business information and processes. The criticality of these business risks can lead to disclosure requirements to the U.S. Securities and Exchange Commission (SEC) in the annual financial reporting: the Form 10-K.

According to the US-CERT, “Alerts provide timely information about current security issues, vulnerabilities, and exploits.” These alerts are issued selectively by the Department of Homeland Security detailing specific risks and threats that could affect global organizations. Only a handful of alerts are issued on a yearly basis and only the most significant risks and threats are addressed through these alerts. This is the second alert of 2019 and the third alert about ERP applications since 2016.

US-CERT Alert AA19-122A was created by the Department of Homeland Security due to the critical nature of the 10KBLAZE exploits, which were made publicly available on April 19th, 2019. The Alert was created to warn organizations about these exploits and to provide additional guidance around mitigation steps that should be taken in order to reduce the risk of exploitation and compromise of SAP data.

The alert is especially important for SAP customers to understand how critical SAP configurations could be to their overall security posture if not properly maintained and secured. It is important to understand what the status quo is around SAP cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing SAP applications.

The exploits referenced in Alert AA19-122A affect SAP NetWeaver systems, which is the foundational platform for the most critical business applications that organizations have. If your organization runs applications such as the SAP ERP (ECC), SAP S/4HANA, SAP Solution Manager, The SAP Business Suite or any other NetWeaver-based system, you need to make sure the proper processes are in place to ensure your organization has visibility and control around cybersecurity risks in your SAP applications.

Based on the publicly available 10KBLAZE exploits, DHS provides additional details around the components that need to be further secured such as the Message Server and the SAP Gateway. In addition, recommendations to reduce the risk of exploitation of SAP applications follow:

• Organizations must have the ability to secure the configuration of SAP applications which means visibility, monitoring and prevention capabilities on critical SAP configurations
• Organizations must have visibility across SAP applications, especially of those that are internet facing, to detect and prevent security risks

The vulnerabilities highlighted by the Alert have been known for years and are documented by SAP through a number of SAP Security Notes, as listed in the references section of the alert. Organizations can leverage SAP Security Notes #1408081, #821875 and #1421005 for additional details about how to securely configure the SAP Message Server and the SAP Gateway.

Yes, the Onapsis Security Platform offers organizations the opportunity to eliminate risks related to these exploits and misconfigurations in three ways:

1. by determining their level of exposure
2. by monitoring and detecting possible attacks using this exploit while misconfigurations are being addressed
3. by adjusting their configurations and locking them in place to prevent exposure in the future

10KBLAZE and the accompanying US-CERT Alert AA19-122A are more evidence of the need for organizations to address cybersecurity across ERP applications in a programmatic way. Organizations need to provide governance and control of ERP risks to their IT Security departments and visibility for all internal teams. Historically the security of ERP applications has been regarded as a synonym for Segregation of Duties, roles and profiles, which led to the existence of a gap between the security policies and guidelines defined by IT Security across the organization.

Traditional audits do not typically look into these types of risks. We anticipate external audit firms will extend their current controls (which are mostly related to Segregation of Duties) to address SAP cybersecurity risks in the near future. The status-quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit process to ensure they are incorporating these additional types of controls and manage business risk appropriately in advance of this happening.

On April 23, 2019 the Onapsis Research Labs became aware that several new exploits targeting SAP Gateway and Message Server misconfigurations were publicly released. These configurations are known and have been reported by SAP® and Onapsis to customers via SAP Security Notes and Threat Advisories. The public release of these exploits significantly increases the likelihood of occurrence of the risk. Now both external and internal attackers (from state-sponsored groups to disgruntled employees) are able to abuse these misconfigurations with high business impact.After analyzing hundreds of real SAP customer implementations, Onapsis found that around 90% of the SAP systems were vulnerable before the Onapsis risk assessment or Onapsis Security Platform implementation. The Onapsis team believes that this risk is significant enough to bring public awareness to the issue and notify SAP customers of the hidden threat that might exist in their networks.

All SAP NetWeaver Application Server (AS) and S/4HANA systems are potentially affected since both Message Server and Gateway exist in every SAP environment. Some of the products affected include the SAP Business Suite, SAP ERP, SAP CRM, SAP S/4HANA, SAP Solution Manager, SAP GRC Process and Access Control, SAP Process Integration/Exchange Infrastructure (PI/XI), SAP Solution Manager, SAP SCM, and SAP SRM, among others.

Vulnerable SAP applications can be compromised by a remote unauthenticated attacker having only network access to the system (without the need for a valid SAP user ID and password). Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. Order-to-Cash, Procure-to-Pay, Inventory Management, Treasury, Tax, HR & Payroll, and any other business process handled by SAP, can be controlled, affecting the integrity of business information used to build the financial statements. A person abusing this vulnerability would be able to perform critical business transactions, including but not limited to:

• Creating fake vendors
• Creating fake employees
• Creating/modifying purchase orders
• Changing bank accounts
• Paying any vendor or employee
• Releasing shipments
• Changing inventory data
• Generating corrupted management reports
• Bypassing automatic business controls

A person performing any kind of fraud would be able to delete any traces or records that prove his or her actions and an action of this kind may not be detected.

This is a question executive management has to discuss with the Board and the independent auditor. If the risk is present in your organization, you should assess its materiality, likelihood of occurrence, and ability of detection with them. Ultimately, it will be up to the independent auditor to include 10KBLAZE as a risk to the integrity of the financial statements. Onapsis can only provide expert advice and support to management and auditors.

Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, as a source of independent assurance, your internal audit team, and the head of Compliance and Audit should assess this risk from a business perspective to become advocates and present it to the Audit Committee as well.

SAP organizations can protect themselves by applying the below SAP Security Notes which contain mitigation steps for this vulnerability (requires SAP login):

• SAP Security Note #821875
• SAP Security Note #1408081
• SAP Security Note #1421005

Unfortunately these misconfigurations are not detected by SAP GRC or SoD controls. Organizations will need to manually check for this or use an automated solution.

Unfortunately these misconfigurations are not under the general scope of IT General Controls. Even in a scenario where IT General Controls have a satisfactory state in your SAP ERP application, the presence of this risk would equal to the combination of several ITGC (IT General Controls) deficiencies. Based on our experience, the 10KBLAZE associated risks are usually not included in traditional audits. We encourage internal and external auditors to include the risk assessment of 10KBLAZE as part of your IT General Control audits for SAP systems.

The Onapsis Security Platform is able to detect active exploitation of these vulnerabilities in SAP systems. If you are concerned that these vulnerabilities may have been targeted in your environment, please contact Onapsis for more details.

Due to the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis decided to open-source components of its Onapsis Security Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring, and remediation of affected organizations globally.

Adding detection signatures to firewall solutions is important; however, your organization and systems will not be completely secure until you properly apply the related SAP Security Notes.

Onapsis has no evidence of these vulnerabilities being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that 90% of misconfigured SAP implementations are vulnerable to 10KBLAZE exploits. In fact, as most organizations are not able to detect the exploitation of this misconfiguration, a system compromise may go undetected.