Q&A With Onapsis CTO JP Perez-Etchegoyen: Recent Active SAP Exploitation Activity

CTO JP Perez-Etchegoyen recently sat down with SAP CISO, Richard Puckett and CISA Vulnerability Disclosure Analyst, Stephanie Kennelley for a session on the latest developments in the threat landscape for SAP business applications, including active exploitation activity against three existing and previously patched SAP vulnerabilities. Etchegoyen answers six questions around this recent exploitation activity and shares next steps organizations can take to protect their business-critical applications.

Watch Now: Active SAP Exploitation Activity Identified by the Onapsis Research Labs

1. What is the current threat landscape for business applications like?

Business applications like SAP are being exploited more and more frequently. The increasing complexity and size of application environments, customization of individual apps, and growing backlogs of patches have left organizations with a larger number and greater variety of vulnerabilities to identify, understand, and act on. The exposure and risk of exploitation at the application layer is also greater now due to digital transformation initiatives, with many critical applications moving to the cloud, connecting to third-parties, or becoming publicly accessible. 

The level of sophistication in cyber attacks is increasing and threat actors are now able to narrowly and successfully target the applications that businesses use to run their everyday operations. There have been six notifications from CISA, including Technical Alerts specifically about business-critical applications since 2016 and two on SAP security risk. From mid-2020 until April 2021, Onapsis Research Labs recorded more than 400 successful exploit attempts on unprotected SAP applications. Our team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These advanced threat actors were observed  patching the vulnerabilities they exploited and reconfiguring systems in order to go undetected by SAP administrators. 

2. What vulnerabilities did Onapsis Research Labs observe being exploited by threat actors?

Onapsis Research Labs continuously monitors the evolving threat landscape in order to better understand what is being used to target business applications like SAP. In addition to other vulnerabilities being actively exploited, our recent research has detected exploitation activity related to three vulnerabilities that were already patched by SAP – CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388. Two out of three of these CVEs have critical CVSS ratings, most of these CVEs have publicly available PoCs and exploits and most of these CVEs are remotely exploitable and through HTTP(s) protocols. Notably, CISA has updated this Catalog of Known Exploited Vulnerabilities with these three vulnerabilities.

3. How can my organization leverage CISA’s Catalog of Known Exploited Vulnerabilities (KEV)?

CISA’s Catalog of Known Exploited Vulnerabilities was created on November 3, 2021 and maintains a list of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. Organizations should use the KEV to increase their security and resilience posture by prioritizing remediation of these vulnerabilities. Organizations can use the KEV catalog as an input to their vulnerability management prioritization framework. CISA also recommends that organizations use automated vulnerability and patch management tools that automatically incorporate and flag or prioritize KEV vulnerabilities.

4. What next steps should my organization take?

Ensure none of the vulnerabilities highlighted in the CISA’s Catalog of Known Exploited Vulnerabilities are present in your landscape. This is especially important for Internet-Facing SAP Systems. Start with the most recently added to the KEV

  • For CVE-2021-38163, refer to SAP Security Note 3084487: Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT). This vulnerability has a CVSS Base Score of 9.9 and allows an attacker to upload a webshell on the target SAP System.
  • For CVE-2016-2386, refer to SAP Security Note 2101079: SAP Netweaver Application Server Java UDDI SQLI. This has a CVSS Base Score of 9.8 and allows an attacker to execute arbitrary commands on the database
  • For CVE-2016-2388, refer to SAP Security Note 2256846: SAP Netweaver AS JAVA Information Disclosure. This has a CVSS Base Score: 5.3 and allows an attacker to list valid users of the system 

5. Why is it important to secure my SAP applications?

Knowing that the threat landscape is growing, attackers are getting smarter, and specifically targeting these applications, there are three key reasons why business-critical applications cannot be overlooked within organizations’ cybersecurity practices. The problem is traditional cybersecurity programs don’t sufficiently cover the application layer. They are ineffective at understanding the size and scope of risk within these applications, don’t have continuous monitoring or visibility for the SOC, and often have to rely on manual code reviews.

Below are a few examples of the impact of leaving business-critical applications unprotected: 

  • 74% of breaches involved access to a privileged account1
  • The average cost of ERP application downtime is over $50,000/hour2
  • The average yearly cost of fines and penalties due to non-compliance is $2 million3
  • Stock price decreases an average of 7.3% following a security breach4

6. How can The Onapsis Platform help protect my SAP applications?

  • Onapsis Assess for Vulnerability Management: Onapsis Assess provides focused and comprehensive vulnerability management for business-critical applications, enabling organizations to respond faster and smarter to issues that pose the greatest risk to the business.
  • Onapsis Control for Application Security Testing: Onapsis Control provides automated application security testing for SAP applications and automatic remediation for common code errors, enabling organizations to build security into development processes to find and fix issues as quickly as possible.
  • Onapsis Defend for Threat Detection and Response: Onapsis Defend enables continuous threat monitoring, detection, and response for business-critical applications whether hosted in the cloud, hybrid or on-premises environments.

Watch the threat intel briefing or contact an expert for more information.

1 https://www.centrify.com/resources/industry-research/pam-survey/

2 https://onapsis.com/IDC-survey-ERP-security-assessment 
3 https://www.ascentregtech.com/compliance/the-not-so-hidden-costs-of-compliance
4 https://www.forbes.com/sites/sergeiklebnikov/2019/11/06/companies-with-security-fails-dont-see-their-stocks-drop-as-much-according-to-report/?sh=e375b0a62e04