The Tip Of The Iceberg:
Wild Exploitation & Cyberattacks On SAP Business Applications
Understanding the DHS US-CERT Alert on SAP Cybersecurity
On May 11, 2016, the Department of Homeland Security (DHS) released the first-ever US-CERT Alert on the cybersecurity of SAP business applications. It forewarns the cybersecurity community about the significance and implications of an SAP vulnerability that SAP patched over five years ago and that is being leveraged to exploit the SAP systems of many large-scale global enterprises. Below are some resources to help you better understand this vulnerability, the potential impact on an organization if it is exploited, and the mitigation steps to ensure your organization is not at risk.
about the CERT warning for SAP Systems
Q1: How do I know If I am affected by the described vulnerability? How can I protect myself from this?
A1: The vulnerability was patched over five years ago, so hopefully your systems are not exposed. However, due to the risk of insecure configurations and custom applications, you should review whether you have applied the security patches (SAP Security Notes) and refer to the instructions detailed in the mitigation section of the threat report.
Q2: What is the risk to my business?
A2: The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems.
Q3: Which SAP business solutions and components may be affected?
A3: The following list includes some of the SAP business solutions and technical components that may be affected if their underlying SAP Java platforms have not been properly secured:
- SAP Enterprise Resource Planning (ERP)
- SAP Product Life-cycle Management (PLM)
- SAP Customer Relationship Management (CRM)
- SAP Supply Chain Management (SCM)
- SAP Supplier Relationship Management (SRM)
- SAP Enterprise Portal (EP)
- SAP Process Integration (PI)
- SAP Exchange Infrastructure (XI)
- SAP Solution Manager (SolMan)
- SAP NetWeaver Business Warehouse (BW)
- SAP Business Intelligence (BI)
- SAP NetWeaver Mobile Infrastructure (MI)
- SAP NetWeaver Development Infrastructure (NWDI)
- SAP Central Process Scheduling (CPS)
- SAP NetWeaver Composition Environment (CE)
- SAP NetWeaver Enterprise Search
- SAP NetWeaver Identity Management (IdM)
- SAP Governance, Risk & Control 5.x (GRC)
Q4: Is my SAP Cloud platform affected?
A4: Depending on the business solution used and the deployment model (see question above), these vulnerabilities may affect SAP systems regardless of whether they are running in private, public or hybrid cloud environments.
Q5: What is the nature of this threat report? Why are you publishing this?
A5: The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements. The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years. As our research indicates, companies could be under active exploitation. We feel that it is our responsibility to notify SAP customers that may be exposed to this vulnerability. We also believe it is critical for the broader information security community to be aware of business application security risks, as this situation clearly illustrates the prevailing lack of visibility and governance over these types of applications.
Q6: The attack vector: How are organizations specifically being exploited?
A6: The core vulnerability being exploited has been identified as the Invoker Servlet vulnerability which was patched by SAP in 2010. This is being leveraged in tandem with a sensitive SAP Java application to remotely gain full administrative access to the SAP systems. Exploits can take advantage of this vulnerability over HTTP(S) and without the need to have a valid SAP user in the target system. In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system.
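A triage heuristic for the attack path described in A6, added here as an example and not taken from Onapsis or SAP: it scans HTTP access logs for requests that address a servlet by Java class name and carry no authenticated user. The Common Log Format layout, the `/servlet/<class>` path convention, and all sample hosts and class names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format, where the third field is the authenticated
# user ("-" when the request carried no authenticated identity).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: invoker-style calls name a servlet by dotted Java class name
# under a /servlet/ path segment instead of using a declared URL mapping.
INVOKER_RE = re.compile(
    r'/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)'
)

def find_invoker_requests(lines):
    """Return one finding per request that invoked a servlet by class name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        # Drop the query string and normalise percent-encoding before matching.
        path = unquote(m.group("target").split("?", 1)[0])
        hit = INVOKER_RE.search(path)
        if not hit:
            continue
        findings.append({
            "ip": m.group("ip"),
            "servlet_class": hit.group("cls"),
            "unauthenticated": m.group("user") == "-",
            "succeeded": m.group("status").startswith("2"),
        })
    return findings

# Constructed sample lines (not real traffic; hosts and class names are made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2016:10:02:11 +0000] "GET /app/servlet/com.example.tools.AdminTask?x=1 HTTP/1.1" 200 512',
    '10.0.0.5 - jdoe [11/May/2016:10:03:40 +0000] "GET /irj/portal HTTP/1.1" 200 9120',
    '198.51.100.7 - - [11/May/2016:10:04:02 +0000] "GET /app/servlet/com.example.tools.AdminTask HTTP/1.1" 403 0',
    '10.0.0.9 - - [11/May/2016:10:05:00 +0000] "GET /servlet/download HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for finding in find_invoker_requests(SAMPLE_LOG):
        print(finding)
```

As A13 cautions for generic signatures, a pattern like this can both miss and over-report in a customized SAP landscape, so treat hits as leads for review rather than as proof of exposure or of safety.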
Q7: Who is exploiting this? Is it a Nation-state cyber attack operation?
A7: While several threat reports disclose security incidents as the result of nation-state sponsored cyber campaigns, in this case, the reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years (at a digital forum registered in China).
Therefore, we don’t have any reason to correlate this activity with any government, nation-state or a coordinated cyber-criminal group effort. It is important to stress that the location of the forum should not be used by anyone to infer attribution or intent behind these indicators. This is not a Mandiant APT1-type report.
At the same time, we know for a fact this is just the tip of the iceberg in terms of cybersecurity threats to SAP systems.
Q8: Why did the DHS send out an alert on this specific SAP vulnerability? Is it the only one I should worry about?
A8: The DHS sent out an alert on this specific issue as public indicators of unauthorized exploitation have been recently discovered for this vulnerability. By no means does this mean that this is the only vulnerability out there to potentially affect SAP systems, nor does it mean it is the most critical.
Information security teams must be aware that SAP has released over 3,000 security patches (SAP Security Notes) to date, issuing ~30 security patches per month. Each security patch provides mitigation information for one or more vulnerabilities. If your organization does not currently have a well-defined process in place to manage on-going mitigation, other vulnerabilities may be affecting your platform.
Based on Onapsis' experience engaging with large SAP customers, we often find vulnerabilities still present within systems despite having been patched by SAP as far back as 10 years ago. This is very common in a vast majority of the implementations we’ve seen, and provides both insiders and remote attackers with a wide-open door into the heart of large enterprises. Our team has also been engaged in a number of SAP forensics & incident response projects which resulted from real-world SAP application breaches and leveraged attack vectors other than the one presented in this threat report.
Q9: Can you share more information on where the indicators were found?
A9: The forum where these indicators were discovered contains information that clearly identifies the names of affected companies, the specific SAP systems (IP addresses/domain names) that were found to be affected by this vulnerability, as well as confidential technical information resulting from the exploitation of the vulnerabilities.
Therefore, we cannot publicly share further information about this forum, as we believe it would be irresponsible and contrary to our ethical standards.
Q10: Which companies were exploited? Have you notified them?
A10: We discovered indicators affecting 36 global enterprises. These enterprises are located in, or are co-owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, and span a number of industries including oil & gas, telecommunications, utilities, retail, automotive and steel manufacturing. We will not share the names of the companies affected. We worked in collaboration with the U.S. Department of Homeland Security (DHS) and relevant authorities to make sure affected companies were notified in advance. On May 11th 2016, DHS US-CERT issued an Alert to forewarn the cybersecurity community about the significance and implications of this vulnerability.
Q11: Could there be more companies affected beyond the 36 referred to in the threat report?
A11: Certainly. This is just the tip of the iceberg.
Based on our experience helping secure some of the world’s largest SAP implementations, we believe that many more organizations (other than the 36 included in this report) may be affected by this threat.
However, performing this kind of conclusive assessment would have required us to perform unauthorized scans over organizations' internet-facing SAP systems, and that is something Onapsis has never done and will never do, as it goes against our ethics.
Q12: What has SAP done to increase awareness of this vulnerability?
A12: In 2010, SAP released a security patch to address this and related vulnerabilities. Software will always have security vulnerabilities; the most a vendor can do once an issue is discovered is to release a security patch quickly. In this specific case, SAP made a patch available more than 5 years ago. Therefore, this news illustrates that it is not an SAP problem, but a reigning lack of visibility, governance and control over cybersecurity risks that is affecting SAP platforms once they are installed and running. This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms.
Q13: Will my SIEM, NGFW, WAF, IDS/IPS, VM solutions help me detect/block this attack?
A13: While SIEM, NGFW, WAF, IDS/IPS and Vulnerability Management vendors may be able to provide ad-hoc rules/signatures/modules to try to address these issues, it is very important to note that this may create a false sense of security in your organization, and will potentially still leave you exposed. Given the complexity and degree of customization of SAP applications at most organizations, generic security solutions will miss attack scenarios (false negatives) or alert on regular usage (false positives). Furthermore, while this threat report details a specific vulnerability, information security teams have to keep in mind that SAP has issued over 3,000 security patches to date, currently releasing an average of 30+ per month. Therefore, deep application intelligence into SAP business applications, which is context-aware and automatically adapts to your specific implementation, is required. This kind of solution can then be integrated into your existing security solution set to provide you with holistic protection.
Q14: Why hasn't this type of risk come up in my external audit?
A14: Traditional audits do not typically look into these types of risks. We anticipate external audit firms will extend their current controls (which are mostly related to Segregation of Duties) to address SAP cyber security risks in the near future. The status quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit process to ensure they are incorporating these newer types of controls to manage business risk appropriately in advance of this happening.
Q15: How can Onapsis help?
A15: If you have never analyzed the cyber security level of your SAP applications, the first logical step is to understand what your current situation is and to understand the potential business risks. We can assist by performing a complementary Business Risk Illustration service at your organization.
Additionally, implementing a solution that provides continuous monitoring will ensure that your SAP systems are always protected against vulnerabilities such as the Invoker Servlet. In this case, our customers have had the relevant capabilities to address this issue since 2010. The Onapsis Security Platform delivers a near real-time preventative, detective and corrective approach for securing SAP systems and applications.