Onapsis Security Advisory: Increased Vigilance During Times of Crisis
With the escalating armed invasion of Ukraine by the Russian Federation, Onapsis expects the risk of cybersecurity incidents to increase, with business-critical applications seen as potential prime targets for destructive or disruptive attacks. As seen with prior armed escalations over the past 5-10 years, this elevated security risk is a result of both (1) direct attacks against organizations, companies, and persons aligned with or viewed as supporting Ukraine and (2) indirect spillover to others from these direct attacks.
Consequently, the Onapsis Research Labs advises extra vigilance during this time. Please take extra steps to ensure that your organization and your business-critical applications are protected and resilient.
The Onapsis Research Labs offers five courses of action you can take right now:
- Reduce The Window of Vulnerability: Increase your vulnerability scanning frequency. Scans only find what is present at the moment they run, so the longer the gap between scans, the longer a newly introduced or newly disclosed vulnerability in your landscape can remain unidentified.
- Prioritize Remediation of Critical and High Vulnerabilities: There is no time like the present to accelerate your patch management process, especially for those vulnerabilities in SAP prioritized as critical and high. This includes the recently disclosed ICMAD vulnerabilities, which can potentially lead to unauthenticated, remote full system takeover. Internet-facing systems should receive the highest priority. (Onapsis has published a free scanning tool to help the SAP community find systems that are vulnerable to ICMAD.)
- Continuously Monitor Your Critical and Connected Systems: Consider enabling continuous monitoring in Onapsis Defend for all critical systems. This includes SAP systems viewed as ancillary but connected to your most critical systems: past research shows threat actors going after the most vulnerable system they can reach and using its connections to move toward more valuable targets.
- Ensure the SOC Has Full Visibility: Connect and validate that Onapsis Defend is sending relevant alarms directly to your XDR, SIEM, etc. Equally important, ensure your security runbooks (and business continuity / disaster recovery plans) document appropriate incident response for business-critical SAP systems.
- Prepare All of Your Employees: Prior research demonstrated that 74% of breaches were a result of access to privileged accounts. During volatile times such as these, expect an increase in phishing attacks by threat actor groups who have either chosen a side in the conflict or are simply looking to capitalize on the chaos (e.g., phishing under the guise of humanitarian aid). Ensure that all your employees are alert to these types of threats, and use Onapsis Defend to continuously monitor access to your critical SAP systems.
All of us at Onapsis are here for you and your teams during these challenging and stressful times. Over the coming days, the Onapsis Research Labs will continue to monitor this rapidly evolving situation, and we’ll provide updates and additional information as needed. If you have any questions, need more specific guidance, or any additional support, don’t hesitate to reach out to one of our experts for assistance.
Additional Useful Resources:
- US-CISA “Shields Up”: CISA hub on protecting your organization
- US-CISA Alert AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- US-CISA Alert AA22-047A: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
- US-CISA Joint Advisory on Russian GRU Activities
- US-CISA Resource: Cyber Resilience Review (CRR) Tool