- Threat actors are targeting SAP applications through scanning, exploiting and compromising systems vulnerable to RECON
- It is expected that most unpatched internet-facing SAP applications have been already exploited and potentially compromised. Act now!
Shortly after the RECON vulnerability (CVE-2020-6287) was made public, diverse actors started leveraging the vulnerability to exploit and compromise systems. In this post, we will describe how different entities are leveraging exploits (public and private) to probe and gain unauthorized access to unpatched SAP applications.
Public Exploits for RECON (CVE-2020-6287)
On July 14th, SAP released SAP Note #2934135, “Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)”, addressing CVE-2020-6287, the RECON vulnerability reported by Onapsis. Shortly after, on July 17th, the first public PoC code was published on GitHub as a module for the Metasploit Framework. However, this initial PoC could only detect potentially vulnerable systems and create a user without Administrator rights, so its effectiveness was somewhat limited.
Days later, on July 20th, another PoC script was published to GitHub with a significant difference: it could run standalone. As it was written in Python and did not depend on any framework, it could quickly be wrapped in automated scripts that take their input from other services, such as internet search engines.
After that, further scripts and updates to the RECON PoCs were released, and the vulnerability became fully weaponized.
Exploitation of the RECON Vulnerability in the Wild
Onapsis has deployed sensors across the internet to understand how RECON (and other vulnerabilities) are being tested and potentially abused. By closely watching the activity on these sensors around the world, it was possible to observe a massive amount of automated scanning and exploitation attempts, described later in this article.
Based on the activity seen over the internet, Onapsis has determined that several individuals/groups are scanning and exploiting this vulnerability on internet-facing SAP systems, performing the following activities:
- Automated scanning of the RECON vulnerability
- Automated exploitation of the RECON vulnerability
Let's address each one of these activities individually:
Since the deployment of the RECON-focused sensors, it was possible to identify thousands of probes for the vulnerability, with diverse parameters (requests, HTTP methods, HTTP headers). The following graph illustrates the historical evolution of attempts to detect the vulnerability on publicly available systems.
The sources of these probes are also diverse, coming from North and South America, Europe and Asia.
Onapsis was able to identify the use of different types of exploits (a combination of publicly available exploits and variations of them) thanks to certain differences between them, such as the naming convention of the users created, the URL, or the HTTP headers used when executing the different exploits.
As with testing for the vulnerability, the sources of exploit execution are diverse, with the same geographical regions represented (North and South America, Europe and Asia) and approximately 10 different countries.
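The kind of triage described above, separating probes from exploitation attempts and fingerprinting the tooling by method, URL and headers, can be run over an ordinary HTTP access log. The following is an added example, not Onapsis sensor code. It assumes two things the page does not state: that the LM Configuration Wizard web service answers under the path prefix `/CTCWebService/CTCWebServiceBean` (the path given in public advisories for CVE-2020-6287), and that the log is in Apache/nginx "combined" format. The log lines embedded in the block are constructed for the example, not captured traffic, and the probe/attempt split is a heuristic: read-only requests against the service are treated as probes, POSTs (which carry the SOAP call) as attempts.

```python
"""Triage of HTTP access-log lines for RECON (CVE-2020-6287) activity.

Added example, not Onapsis sensor code. Assumptions not stated on the page:
- the vulnerable LM Configuration Wizard endpoint is served under
  /CTCWebService/CTCWebServiceBean (path taken from public advisories);
- the log is in Apache/nginx "combined" format; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# Assumed endpoint prefix (from public advisories, not from this page).
RECON_PATH_PREFIX = "/CTCWebService/CTCWebServiceBean"

# combined format: ip ident user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real sensor data). Two sources only probe,
# two POST against the service, one line is unrelated portal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2020:10:01:02 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 5120 "-" "python-requests/2.24.0"
203.0.113.10 - - [20/Jul/2020:10:01:05 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 812 "-" "python-requests/2.24.0"
198.51.100.7 - - [20/Jul/2020:10:03:11 +0000] "HEAD /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.44 - - [20/Jul/2020:10:04:40 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 500 311 "-" "curl/7.68.0"
192.0.2.44 - - [20/Jul/2020:10:04:41 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 790 "-" "curl/7.68.0"
203.0.113.99 - - [20/Jul/2020:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return 'probe', 'attempt', or None for requests unrelated to the endpoint.

    Heuristic (assumption): read-only methods against the service, typically
    fetching its descriptor, are probes; a POST carries a SOAP call and is
    counted as an exploitation attempt. Access logs have no request body, so
    this cannot tell which SOAP operation was invoked or whether it succeeded.
    """
    if not rec["path"].startswith(RECON_PATH_PREFIX):
        return None
    if rec["method"] == "POST":
        return "attempt"
    return "probe"


def fingerprint(rec):
    """Tooling fingerprint: variants differ in method, URL and headers."""
    return (rec["method"], rec["path"], rec["ua"])


def triage(log_text):
    """Summarise RECON-related activity in a log: counts, sources, fingerprints,
    and POSTs the server answered with 200 (candidates for follow-up)."""
    counts = Counter()
    sources = {"probe": set(), "attempt": set()}
    fingerprints = Counter()
    answered_200 = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        counts[kind] += 1
        sources[kind].add(rec["ip"])
        fingerprints[fingerprint(rec)] += 1
        if kind == "attempt" and rec["status"] == 200:
            answered_200.append((rec["ip"], rec["ts"]))
    return {
        "counts": dict(counts),
        "sources": {k: sorted(v) for k, v in sources.items()},
        "fingerprints": fingerprints.most_common(),
        "attempts_answered_200": answered_200,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A POST answered with HTTP 200 is not proof of compromise, only a reason to look further: the user-naming conventions the text mentions as a second fingerprint are only visible in the UME or security audit log of the affected system, not in the HTTP access log, so any host in `attempts_answered_200` should have its recently created users reviewed there.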
There is increasing activity around the RECON vulnerability from both a scanning and an exploitation perspective. The time from the public announcement of the security patch to the development of an automated exploit was extremely short, and it will continue to shrink for upcoming vulnerabilities. This exploitation activity reached virtually every SAP NetWeaver AS JAVA system exposed to the internet, potentially exploiting and compromising a large portion of them.
This large amount of scanning and exploitation activity over the internet is proof of the interest in this critical vulnerability and of how rapidly exploits are developed once such a vulnerability is disclosed to the public.
This should also reflect the importance of addressing security holistically, which includes applying the SAP Notes and patches across SAP landscapes as well as securing these critical systems overall.
The RECON Vulnerability Content Series
In July, SAP issued patches for the RECON vulnerability after it was identified and disclosed to SAP by the Onapsis Research Labs. Because of its severity and the number of internet-exposed SAP systems potentially vulnerable, DHS-CISA, along with many other global organizations, issued CERT alerts warning organizations of the criticality of the RECON vulnerability. Both SAP and Onapsis urged organizations using SAP applications to apply the patches immediately. In the days following the release of the patches for RECON, the Onapsis Research Labs and other security/threat intelligence organizations and researchers witnessed and reported rapid threat activity, including scanning for vulnerable systems and ultimately weaponized exploit code posted publicly. This content is part of a coordinated effort with threat intelligence experts, researchers and organizations to provide further insight, intelligence and actions you should take to ensure your organization is protected from the RECON vulnerability.
Links to each part of this blog series can be found below:
- Part 1: The Vulnerability @Onapsis Blog
- Part 2: The Mitigations @SAP Community Network
- Part 3: Relevance to the Cloud @Cloud Security Alliance
- Part 4: Threat Intelligence @DigitalShadows
- Part 5: Active Scanning @Stratosphere Labs
- Part 6: Tools Techniques and Procedures @BlueLiv
- Part 7: Active Exploitation @Onapsis Research Labs
- Part 8: Compliance @The Institute of Internal Auditors
- Part 9: Data Privacy @Radical Compliance
- Part 10: Programmatic Approach @Linkedin