Onapsis recently released a threat report where we found evidence of active and widespread threat activity exploiting and compromising unprotected SAP applications in the wild. Based on the observed threats and typical customer configurations, we believe a large number of SAP customers may have been and continue to be targeted by these actors, especially but not limited to customers with internet-facing SAP applications.
During our recent webinar covering our threat report, we received a lot of great questions from attendees. In this post, we are going to address some of the questions that were asked in the live session:
How do we know if we were attacked or compromised?
We have Indicators of Compromise (IoCs) in our report to identify possible historical activity (these should not be taken as definitive IOCs). Onapsis has developed and released updated open source tools to assess at-risk SAP applications for vulnerabilities and Indicators of Compromise—helping to support defenders of these efforts within the community. These tools are available to download for free at the Onapsis GitHub repository at https://github.com/Onapsis. We can also perform complimentary rapid assessment to help identify your most critical and at-risk SAP applications, evaluate exposure against observed attacks and investigate your SAP applications for signs of compromise free of charge. Upon completion, we will provide you with a rapid assessment report that you can share with your executive leadership.
I applied the patches. What do I do next?
While the patching component is important, it is only one part of the equation. It is also important to think about the security configuration component and to verify that the risk is actually mitigated. If the patch was applied weeks after a patch release, there is an opportunity for a threat actor to compromise the health of the system. It is important to know when the patches and mitigations were done and, if you are missing any of these patches, you should do a thorough review. During your review of your SAP infrastructure, if you find you don’t have alert visibility coming into a SIEM or an alert platform, you should consider getting a solution so you can see those platforms and their vulnerabilities.
My SAP security team realized they are missing some of the patches they are applying now. Do we need to do anything else?
If you are only applying these patches now, we would recommend having an internal security team review these systems even before the patches are deployed. When you patch systems and reboot/restart them, that can actually destroy evidence of exploitation through the patching process. Given the length of time, we recommend that you look at the systems and take advantage our complimentary rapid assessment. It is also important to take a look at what can be improved with your process so you’re not in the same place next month.
Does this affect our SAP solutions in the cloud?
If you are talking about cloud SaaS solutions like SuccessFactors, no. If you’re talking about deploying SAP applications in the cloud IaaS model like Azure, Google Cloud or any other hosted environment, then yes, it is your part of “shared responsibility” to apply the security configurations. It doesn't affect anything that is SaaS from SAP. We encourage you to look into those systems, whether it is your responsibility or your service provider’s.
How many of the 300+ confirmed exploitations are based on Java or SolMan?
The majority of confirmed exploitations were directly related to SolMan and Java NetWeaver based systems.
How many of the external attacks systems are exposed to the internet vs. internal ones?
Our threat intelligence project was by design looking at internet-facing environments.
Some companies have let their support expire on older SAP systems. What advice do you provide for these aging systems that are mission-critical and cannot be updated and still need to perform critical functions?
There is a dichotomy of it being end of life or out of support, but still performing mission-critical functions. The first conversation you need to have is with your own leadership, because if there is a lapse in support or version, it needs immediate attention. A first step would be to re-establish a service contract and see what migrations are supplied by a client’s cloud counterpart. SAP Rise can help you migrate to the cloud and, with Onapsis’s Rapid Assessment, you can assess the risk posture of these older legacy systems.
What if my company does not have any public SAP applications?
Attackers know how to get inside the network, regardless of if it is private or public. Most organizations have environments with service providers and VPNs. The most important thing is to ensure you don't have unintended systems connected online that you didn't know about. Threat actors have clever ways to gain initial access to environments so you have to be vigilant about the layers of defense that might sit in front of your SAP infrastructure. You should also review your SAP infrastructure for a higher level of assurance.