Threat ReportThe Tip Of The Iceberg: Wild Exploitation & Cyberattacks On SAP Business Applications

A1: The vulnerability has been patched over five years ago, so hopefully your systems are not exposed. However, due to the risk of insecure configurations and custom applications, you should review whether you have applied the security patches (SAP Security Notes) and refer to the instructions detailed in the mitigation section of the threat report.

A2: The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems.

A3: The following list includes some of the SAP business solutions and technical components that may be affected if their underlying SAP Java platforms have not been properly secured:

• SAP Enterprise Resource Planning (ERP)
• SAP Product Life-cycle Management (PLM)
• SAP Customer Relationship Management (CRM)
• SAP Supply Chain Management (SCM)
• SAP Supplier Relationship Management (SRM)
• SAP Enterprise Portal (EP)
• SAP Process Integration (PI)
• SAP Exchange Infrastructure (XI)
• SAP Solution Manager (SolMan)
• SAP NetWeaver Business Warehouse (BW)
• SAP Business Intelligence (BI)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP Central Process Scheduling (CPS)
• SAP NetWeaver Composition Environment (CE)
• SAP NetWeaver Enterprise Search
• SAP NetWeaver Identity Management (IdM)
• SAP Governance, Risk & Control 5.x (GRC)

A4: Depending on the business solution used and deployment model (see question above), these vulnerabilities may be affecting SAP systems regardless if they are running on private, public or hybrid cloud environments.

A5: The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements. The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years. As our research indicates, companies could be actively being exploited. We feel that it is our responsibility to notify SAP customers that may be exposed to this vulnerability. We also believe it is critical for the broader information security community to be aware of business application security risks, as this situation clearly illustrates the prevailing lack of visibility and governance over these type of applications.

A6: The core vulnerability being exploited has been identified as the Invoker Servlet vulnerability which was patched by SAP in 2010. This is being leveraged in tandem with a sensitive SAP Java application to remotely gain full administrative access to the SAP systems. Exploits can take advantage of this vulnerability over HTTP(S) and without the need to have a valid SAP user in the target system. In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system.

A7: While several threat reports disclose security incidents as the result of nation-state sponsored cyber campaigns, in this case, the reality (and what we believe make this research even more interesting) is that these indicators had been silently sitting in the public domain for several years (at a digital forum registered in China).

Therefore, we don’t have any reason to correlate this activity with any government, nation-state or a coordinated cyber-criminal group effort. It is important to stress that the location of the forum should not be used by anyone with attribution or intent behind these indicators. This is not a Mandiant APT1-type report.

At the same time, we know for a fact this is just the tip of the iceberg in terms of cybersecurity threats to SAP systems.

A8: The DHS sent out an alert on this specific issue as public indicators of unauthorized exploitation have been recently discovered for this vulnerability. By no means does this mean that this is the only vulnerability out there to potentially affect SAP systems, nor does it mean it is the most critical.

Information security teams must be aware that SAP has released over 3,000 security patches (SAP Security Notes) to date, issuing ~30 security patches per month. Each security patch provides mitigation information for one or more vulnerabilities. If your organization does not currently have a well-defined process in place to manage on-going mitigation, other vulnerabilities may be affecting your platform.

Based on Onapsis’ experience engaging with large SAP customers, we often find existing vulnerabilities within systems despite being patched by SAP as far back as 10 years ago. This is very common in a vast majority of the implementations we’ve seen, and provides both insiders and remote attackers with a wide-open door into the heart of large enterprises. Our team has also been engaged in a number of SAP forensics & incidents response projects which resulted from real-world SAP application breaches and leveraged attack vectors other than the one presented in this threat report.

A9: The forum where these indicators were discovered contains information that clearly identifies the names of affected companies, the specific SAP systems (IP addresses/domain names) that were found to be affected by this vulnerability, as well as confidential technical information resulting from the exploitation of the vulnerabilities.

Therefore, we cannot publicly share further information about this forum, as we believe it will be irresponsible and contrary to our ethical standards.

A10: We discovered indicators affecting 36 global enterprises. These enterprises are located in, or are co-owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, and span a number of industries including oil & gas, telecommunications, utilities, retail, automotive and steel manufacturing. We will not share the names of the companies affected. We worked in collaboration with the U.S. Department of Homeland Security (DHS) and relevant authorities to make sure affected companies were notified in advance. On May 11th 2016, DHS US-CERT issued an Alert to forewarn the cybersecurity community about the significance and implications of this vulnerability.

A11: Certainly. This is just the tip of the iceberg.

Based on our experience helping secure some of the world’s largest SAP implementations, we believe that many more organizations (other than the 36 included in this report) may be affected by this threat.

However, performing this kind of conclusive assessment would have required us to perform unauthorized scans over organizations’ internet-facing SAP systems, and that is something Onapsis has never done or will do, as it goes against our ethics.

A12: In 2010, SAP released a security patch to address this and related vulnerabilities. Software will always have security vulnerabilities, the most a vendor can do once an issue is discovered is to release a security patch quickly. In this specific case, SAP made a patch available more than 5 years ago. Therefore, this news illustrates that it is not an SAP problem, but a reigning lack of visibility, governance and control over cybersecurity risks that is affecting SAP platforms once they are installed and running. This is a responsibility that falls on SAP customers’ information security teams, service providers and external audit firms.

A14: Traditional audits do not typically look into these types of risks. We anticipate external audit firms will extend their current controls (which are mostly related to Segregation of Duties) to address SAP cyber security risks in the near future. The status-quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend organizations to evaluate their internal audit process to ensure they are incorporating these newer type of controls to manage business risk appropriately in advance of this happening.

A15: If you have never analyzed the cyber security level of your SAP applications, the first logical step is to understand what your current situation is and to understand the potential business risks. We can assist by performing a complementary Business Risk Illustration service at your organization.

Additionally, implementing a solution that provides continuous monitoring will ensure that your SAP system are always protected against vulnerabilities such as the Invoker Servlet. In this case, our customers have had the relevant capabilities to address this issue since 2010. The Onapsis Security Platform delivers a near real-time preventative, detective and corrective approach for securing SAP systems and applications. You can learn more here.