New Threat Intelligence: Threat Actors Targeting SAP for Profit

Executive Perspective with Mariano Nunez

Questions CIOs & CISOs Should Be Asking

With over 400,000 customers globally, including 99 of the 100 largest companies in the world, SAP is a foundational technology of the world’s digital economy. In fact, SAP customers are responsible for 87% of total global commerce–amounting to $46 trillion.  Due to the fact that these applications hold tremendous value–both in terms of their data and critical business processes–cybercriminals have increasingly set their sights on taking advantage of vulnerabilities. 

We have just released new research conducted by Onapsis Research Labs in collaboration with Flashpoint, which has unveiled concerning trends: a 400% increase in ransomware incidents that involved compromising SAP systems and data at victim’s organizations, a 490% growth in cybercriminal forum conversations on SAP vulnerabilities and exploits, a 400% increase in the price brokers are willing to pay for exploits compromising SAP, and more. The facts are clear: unprotected cloud, hybrid and on-premise SAP applications are being attacked by malicious threat actors for data theft, financial fraud and – increasingly – ransomware. 

In many conversations that I have had across the industry, leaders are compelled to act only after an incident has occurred. Here is the good news–the cycle can be broken. Here are a few questions that can empower you or the leaders on your team to take charge of your SAP cyber resilience and harden your applications against threats:

Who is targeting SAP?

Well known threat actor groups such as FIN13, Cobalt Spider, APT10 and FIN7  have been actively exploiting SAP vulnerabilities, compromising unprotected systems, and including its data as part of ransomware attacks. While SAP and Onapsis have been proactively warning organizations of the increased risk of malicious activity and ransomware threats targeting SAP applications for years, still some companies have not improved their security postures accordingly.  

This research highlights that the threat is active and it is escalating

How is SAP being targeted?

As organizations move SAP applications to the cloud through digital transformations to unlock business value, the unfortunate side-effect is increased exposure to malicious parties. The evidence shows that threat actors have evolved their capabilities to compromise unprotected SAP systems by exploiting application-level gaps, such as misconfigurations and missing security patches, targeting both cloud and on-premise environments.  

SAP released secure configurations and patches for the observed vulnerabilities being exploited by threat actors years ago.  However, this new intelligence indicates attackers are exploiting gaps in governance and improper hardening of cloud and on-premise SAP applications to perform data theft, financial fraud and disruptive attacks including ransomware. 

Ransomware and double-extortion incidents (i.e. threat actors both encrypting and exfiltrating victims’ data) affecting SAP applications, and the observation by CISA and Onapsis of threat actors leveraging unpatched SAP application-level vulnerabilities in ransomware campaigns are of particular importance. For numerous large organizations where SAP is a business-critical asset and one of their organizational “crown jewels,” a successful SAP ransomware attack would have an operational and financial impact of millions of dollars per hour or day. 

In addition, with the new US Securities and Exchange Commission (SEC) cybersecurity rules that went into effect in December 2023, an SAP ransomware attack would most likely represent a “material’ cybersecurity incident subject to disclosure via SEC Form 8-K within four days of determination of materiality. Preventing, rapidly detecting, and containing SAP compromises to avoid material impact has never been more important.

How can I protect myself?

In the face of this perfect cybersecurity storm affecting SAP applications, most organizations have started to evolve their cybersecurity and compliance programs to incorporate SAP systems into vulnerability management, continuous threat monitoring, and DevSecOps. This has never been more critical to understand and get right.

Where do you start? It all begins with understanding the current maturity level of your organization in this domain. Here are some questions to ask your SAP and Information Security teams:

  • What is the cost of an SAP ransomware attack for our business? For many enterprises, this cost can often be millions of dollars per hour or day.
  • How are we protecting SAP applications beyond access controls (user roles and authorizations)? 
  • Do we have complete visibility of our SAP landscape in the Security Operations Center?
  • How are we ensuring efficient SAP patching processes? What is our SLA? Are we missing critical SAP patches released years ago?
  • How are we empowering our teams with SAP-specific threat intelligence?
  • Do we have zero-day, pre-patch SAP attack protection?

If you notice that the protection of the SAP crown jewels is not on par with your cybersecurity and compliance programs, it is important to take action and start by covering the basics. Our team of experts can help guide you through this process. 

How can I learn more?

Download the report to review the full threat intelligence and key recommendations from Onapsis about how to ensure your organization is prepared and prioritizing protection of SAP applications.

We will also be hosting a webinar on April 24 to review these findings and answer questions around our research and what it means for your teams. Register here.