Active Cyberattacks on Mission-Critical SAP Applications
SAP and Onapsis partner to release new threat intelligence on active threats
Defend your Mission-Critical SAP Applications from Active Threats
On April 6, Onapsis and SAP released a new threat intelligence report to help SAP customers protect from active cyber threats seeking to specifically target, identify and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors. SAP and Onapsis strongly advise organizations to take immediate action including swift application of the relevant SAP security patches and a thorough review of security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments.
The U.S. Department of Homeland Security’s CISA and Germany’s Federal Office for Information Security (BSI) have also developed and released alerts and notifications on this matter.
SAP promptly patched all of the critical vulnerabilities observed being exploited, and have made them available to customers for months, and years in some cases. Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.
We highly encourage you to download the threat report to assess if you are at risk, and which actions to take immediately to protect your business. This report also details the specific techniques, tools and procedures (TTPs) observed by our experts, empowering defenders to respond to this activity as quickly as possible.
Some of the key findings in this threat intelligence report include:
- Threat actors are active, capable and widespread
Evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. Clear evidence of sophisticated domain knowledge, including the implementation of SAP patches post-compromise.
- The window for defenders is small
Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.
- Threats have both security and compliance impact
Exploitation would lead to full control of unsecured SAP applications, bypassing common security and compliance controls, enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations. Threats may also have significant regulatory compliance implications, including SOX, GDPR, CCPA and others.