On Demand Webinar
The State of SAP Security: 2025 Vulnerabilities, Exploits & Lessons Learned
Hello, everyone, and welcome to today’s webinar, The State of SAP Security. My name is Cecile Gilloy, and I will be managing today’s session. Before we get started, I have some housekeeping notes. First, I want to point out the questions module within the ON24 platform. If you have any questions, please enter them at any point during the presentation, and if time allows, we will answer whatever questions we can at the end of the session. You can always adjust the size of the media player on your end to make it bigger or smaller depending on your preference. And finally, please note that this webinar is being recorded and a link will be sent to you. Now I’m going to pass it over to our presenters. With us today we have JP Perez-Etchegoyen, Chief Technology Officer at Onapsis, and Paul Laudanski, Director, Security Research at Onapsis, who will talk us through the key lessons from 2025, recent vulnerabilities and practical guidance to help you strengthen your SAP defenses for 2026. There are a lot of things that are going to be covered today, so I’m handing it over to our presenters to kick it off.

All right, thank you, Cecile. Hello everyone, and thanks for joining us. I hope you can hear me all right; I had to disconnect for a second. Paul, is it coming out good? Perfect. Thank you. Really looking forward to this session. We are going to be wrapping up the year even though we are still in mid November, but so many things have been going on during 2025 that we felt it was necessary to do a review at this time and really share the insights of an extremely busy year, and definitely a turning point from the SAP cybersecurity perspective. As Cecile mentioned, we have a lot of things to go through. We’ll start with the intros. On this side, JP, CTO and cofounder of Onapsis. I’ve been working in cybersecurity for SAP for a long time already, more than 15 years.
My background is technical, going deep into vulnerabilities and assessment and really understanding the weaknesses of SAP applications and ERP applications in general, but also helping SAP customers address and secure their implementations. Paul?

Thanks, JP. Thanks everybody for joining us here today so that we can walk through this 2025 year in review together. My career has spanned threat intelligence, cybersecurity, threat research and threat engineering for a long time, so it’s a pleasure to be working on SAP cybersecurity and to go through this year in review with JP and with you.

Awesome. Thanks, Paul. All right, so this is a little bit of an introduction to the Onapsis Research Labs. We’re the firm that leading incident response companies come to when it involves SAP cybersecurity. We were founded 16 years ago, and in those 16 years the Onapsis Research Labs has worked with CISA, with Germany’s BSI, with the Department of Homeland Security and especially with the SAP Product Security Response Team. In that time we’ve discovered over 1,000 zero-days, and CISA has issued six critical alerts based upon our research. We’ve presented at lots of different conferences, the most notable ones here being RSA Conference and DEF CON. We’ve been featured many times in a lot of different journals and news sites: CNBC, Fortune, you name it. We do a lot more than what’s on this page. Not only do we focus on finding vulnerabilities and working with SAP and other agencies to make sure those vulnerabilities get patched; we also run a global threat intelligence network where we monitor for active attacks, and when we see those attacks we get that information out to you, to these agencies and to SAP.
We also do other types of services like performing pen tests, so we can come into your environment and stress test the security controls that you have in place protecting your SAP landscape. We do incident response as well, so if you have any incidents with your SAP application, we’re the ones you can call and we can come in and help with that. We can move on to the agenda.

Thanks, Paul. We definitely have a packed agenda for today, but just for reference we added this slide. We’ll start with an intro on cybersecurity for SAP and why it’s important. When we talk about vulnerabilities affecting these types of applications, why are we talking about this differently from other web applications or other specific applications that organizations may have? Well, these are a different type of risk. We’re talking about business risks. Some of these vulnerabilities, some of these attacks that we have seen happening during 2025, started with an unauthenticated compromise: directly compromising SAP applications, achieving full privileges, accessing from the outside or internally through non-Internet-facing applications. These attacks, granting full privileges, allow attackers to bypass any existing access controls or SoD protections, and in the worst cases leave no traces to identify what happened in the SAP system, but also outside, on the infrastructure surrounding SAP. This could lead to malicious or unauthorized business activity, because we are talking about business applications: any type of business process that is supported and executed through this technology and infrastructure could be abused. Modification of financial records, deployment of ransomware, exposure of PII data, corruption of business information, and also disruption of the business, so just thinking about the availability of services.
Think about how long an organization could survive if SAP applications are down for an hour, two, a day. Some of the incidents and issues that we’re going to be talking about today involved significant downtime leading to significant business impact for some organizations. But also, again, because of their nature these are not regular web applications. Because of the type of data and the type of processes supported by these applications, we are talking about heavily regulated scenarios where there is potentially significant liability if this data and these processes are not properly protected; if they are subject to a breach or a compromise of data, this could have a significant impact on the organization, not only from a financial perspective but also from a regulatory perspective. Then going back to the basics, when we talk about risk in general, not only for SAP, there’s a simple equation that puts risk as probability times impact. Now putting the SAP lens on it: when we talk about the probability of someone breaking into an SAP application, well, that’s been changing. Thousands of known threat actors are now targeting SAP applications of all different types: ransomware groups, financially motivated, state sponsored. There is automated and manual exploitation of SAP vulnerabilities across SAP applications continuously; we’re going to talk about that as well. Ransomware and malware has knowledge of SAP and is customized to be able to run and be effective on SAP applications as well. The impact of that is that when ransomware runs in your organization, it’s also going to affect your SAP application. Cloud, on premises, everything in between: we are seeing SAP applications being exploited across the different technologies and different environments, all interconnected, so the attack surface continues to grow.
Now the impact. Well, I don’t need to tell you about the impact of a compromise of SAP, because you live and breathe how important SAP applications are to your organizations, so you know better than anyone how critical downtime of any SAP supported process would be in your organization. Combining those things, we believe that risk is at an all time high in terms of vulnerabilities being exploited and SAP systems being compromised, and it’s important to address that. All right, so we put this together as a year in review even though, again, we are still in mid November. Hopefully no more surprises during the rest of the month and December, but who knows? 2025 is shaping up to be one of the most dangerous years for SAP security. We are seeing a 39% increase in vulnerabilities year over year, even though the year hasn’t finished yet, and a 12% increase in critical issues as well, with deserialization being the number one critical threat, and July alone bringing 32 vulnerabilities with six critical issues. So this year has brought a lot of vulnerabilities that SAP customers have had to address and react to in a timely manner to prevent being compromised. To put this into context, November patch day was a few days ago; we still have December ahead of us for the year, but with November patch day behind us I wanted to call out the great work that the Onapsis Research Labs keeps doing, not only because this is helping SAP customers that use Onapsis, our customers, to whom we of course give specific insights and information, but because, all in all, SAP applications are more secure month after month due to the contribution of the Onapsis Research Labs, and this is across the entire customer base of SAP.
So this is a shared mission that we have of securing these applications, and I’m really proud of the team’s contribution, periodically closing gaps across SAP technologies of different types, in S/4HANA, in HANA, in NetWeaver, in different components, because they spend time and dedication on projects analyzing and improving the security of these systems. If we look at 2025 in the context of the last couple of years, we are seeing this year also bringing a significant number of vulnerabilities. As I mentioned, it is definitely a big spike from 2024, but even looking back over the past several years, we are forecasting this to be the highest number of patches or vulnerabilities addressed since 2017. This is due to many factors, including threat actors actively targeting SAP applications, leading to new patches and new areas of risk that organizations need to address. Going back to the contribution from the Onapsis Research Labs, just looking at 2020 to 2024, the team has been responsible for contributing 75 vulnerabilities to SAP that led to high priority and HotNews patches, so these are really high CVSS, but overall reported 215 vulnerabilities. And then in 2024 and 2025 we have more contributions on top of this. So this team is continuously working on understanding and improving the security of SAP applications, which is something that helps the entire community. A different way of looking at the vulnerabilities: we saw the numbers increasing. Now if we look at the CWEs, that’s the category or type of vulnerability. There are many CWEs across the patches that SAP provides, but there are two things here to call out.
One is a very well known type of vulnerability called cross-site scripting. While this one accounted for the highest number of patches in 2023, that’s been decreasing. Web vulnerabilities are still very pervasive and very important because those applications could be Internet facing; these types of vulnerabilities are typically used in phishing campaigns and other types of attacks. On the flip side, missing authorizations have been consistently increasing since 2023 to a high of almost a quarter of the patches being around missing authorizations, or that category. So this is another way of looking at it, really understanding how those classes of vulnerabilities change, and that gives us a different perspective on the types of vulnerabilities that are being found and addressed by SAP over time. In terms of the security notes, a more in-depth analysis of the details: for 2025 from January to November we have many different security notes addressed. We have 207 new and updated notes. We have 25 HotNews, an average of two per month. We have 37 high priority notes, those are the ones with a CVSS between 7 and 9, an average of 2.5 per month. Combining HotNews and high priority notes, this is a significant number. Those are the vulnerabilities that typically take most of the attention of Basis administrators when they need to deal with SAP patches in a timely manner. In terms of the components, there isn’t a single component which was mostly patched. There are three: Solution Manager, Web GUI, and Business Intelligence. Those are the three components with five vulnerabilities or five patches each.
To date, the contribution from the Onapsis Research Labs in 2025 has been 60 vulnerabilities, accounting for 50% of HotNews patches during 2025. While from 2020 to 2024 I told you it was 25%, this year, due to the increase in vulnerabilities actually exploited and the focus on vulnerabilities that were critical for threat actors, so that we were able to find those before threat actors could continue to exploit them, it accounts for 50%, so that’s another area to really be proud of from this team. And some other stats from 2024 to 2025: increases in the total number, in critical risk, and in cloud vulnerabilities, vulnerabilities affecting components that are running in the cloud. There’s been an increase there, and the average CVSS has been increasing as well. So all indicators are that these risks are increasing from 2024 to 2025, and we need to pay attention. Let’s talk about the most notable vulnerabilities in 2025. The number one most notable vulnerability, or let’s say type of vulnerability, in 2025 is the deserialization type of vulnerability, and there is a reason for that, because this started as a zero-day attack. Back in March 2025 a threat actor or a group of threat actors started exploiting automatically, or massively exploiting, over the Internet a zero-day vulnerability that wasn’t known before. While this was a combination of missing authentication and deserialization, the critical component of this was the deserialization part, with a very specific gadget that allowed for command execution and file deployment, basically to do anything. This one, I think, was CVE-2025-31324. The patch was released in May by SAP.
A follow-up patch was also released in June, a month later, by SAP, addressing the deserialization-specific component of that. But then we had other vulnerabilities identified on different SAP endpoints which could have been exploited with the exact same gadget that was used to exploit CVE-2025-31324. All of those entry points were also addressed by SAP. All of these vulnerabilities were reported by the Onapsis Research Labs to SAP, ultimately closing the loop with security recommendations and a whitelist approach on the configuration side of Java, preventing potentially other endpoints from being exploited. So that’s good proactive work between Onapsis and SAP to ultimately close these potential risks affecting organizations. The other notable vulnerabilities are basically the web vulnerabilities. There have been many web-facing vulnerabilities: cross-site scripting, open redirects, server-side request forgery. Why are these important? Because web applications could be Internet facing, or let me put it this way: if you expose an SAP application to the Internet, you’re going to do it through a web interface. These types of vulnerabilities have to be addressed as well because they could be used against potentially Internet-facing applications. All right, and with that I’m passing over to Paul.

Thanks, JP. Thanks for walking us through those slides. Now we’re going to walk you through the next couple of sections, the current one being the new SAP threat landscape. Up until this year there had been a lot of talk about the theoretical: the theoretical threats towards SAP applications. 2025 has shown that those threats have been realized. They’re active, they’re persistent. It started off with the zero-day that JP was talking about, and we’re still seeing in our Global Threat Intelligence Network that those attacks continue every day.
They’re just not going away. During the period from 2024 to this year we’ve seen an over 200% increase in active exploitation of SAP vulnerabilities. Ransomware groups are now weaponizing these zero-days in mass exploitation campaigns. Cyber attacks against SAP applications are accelerating. What complicates things further is that criminals are very actively targeting and attacking SAP systems around the world. Along with SAP and CISA, Onapsis has been warning of this growing threat for years. Recent Onapsis research, based on monitoring in our Global Threat Intelligence Network and on our incident response engagements, demonstrates that we’ve already hit a key inflection point. Now Pandora’s box is open, and a large number of high profile, sophisticated and well funded cybercriminal ransomware groups are heavily investing their resources in attacking SAP systems. It’s cause and effect. Threat actor groups state sponsored by Russia and China are extremely knowledgeable and run sophisticated attacks. The time it takes for them to exploit SAP has decreased over time as they’ve become more proficient. Simultaneously, it’s no surprise that the number of ransomware attacks on SAP applications has risen at the same time: if you’re better at exploiting, you’re going to get access faster and deploy that ransomware. In fact, Onapsis Research Labs has seen a robust dark marketplace for SAP exploits and data, with a massive increase in the number of discussions and sales of hacking tools, exploits, access to vulnerable systems with backdoors, and SAP data. The aggressive growth here is an indicator of a broader trend of more programmatic criminal monetization around SAP data. As a result, the Onapsis Research Labs is also observing public exploitation of SAP vulnerabilities within 72 hours of patches being released by SAP on Patch Tuesday.
Some we’ve seen as fast as 24 hours. That’s insane, especially when you consider how quickly your teams patch critical systems, if at all, due to having to plan downtime. The business implications for enterprises worldwide are dire. As a very recent example this year, two critical SAP zero-day vulnerabilities were the targets of a massive active exploitation campaign hitting critical infrastructure and mission critical industries worldwide. The patches were released at the end of April and early May, but the attack truly started at the beginning of the year. Many incident response organizations have attributed these attacks to well funded state sponsored China-nexus and Russian-linked threat actor groups. Thousands of organizations and utilities were compromised in the first wave of attacks, with thousands more affected in opportunistic follow-on attacks. This attack campaign is still carrying on even today, and the business impact is being felt far and wide. So we talk about the China and Russian backed state sponsored groups; here’s an example of some of those. The state sponsored ones include APT41, Earth Lamia and APT10; the financially motivated ones include FIN7 and FIN13; and then we see the ransomware groups: Storm-2460, ShinyHunters, Scattered Spider, Lapsus$. Why are they targeting SAP applications? As we’ve seen in prior research that we did jointly with Flashpoint, there was a lot of interest in the underground in SAP and in trying to understand it, and so they were learning about what SAP holds: the business critical information. Once they start targeting SAP, they’re doing it to deploy ransomware, to exploit payment systems and exfiltrate financial statements. We’ve seen them performing financial fraud over lengthy, extended timeframes.
For example, we’ve seen FIN13 walk away with $30 million. We’ve seen exfiltration of privileged SAP credentials, and they’ve pivoted to other internal IT assets. This graph, the left side, is based off of the Shadowserver Foundation. I don’t know if you’re familiar with the Shadowserver Foundation, but they have sensors all around the world that monitor for malicious activity. When we take a look at their dataset over the course of this year, we’ve mapped some of the most targeted CVEs against SAP. What’s interesting here is the blue line, when we take a look at CVE-2025-31324. This is the zero-day that JP was talking about initially, that came out earlier this year and for which the patch was released. This is the zero-day where we’ve seen thousands of companies get compromised. In particular, the peak in August is when the group ShinyHunters released the exploit for the zero-day. Up until that time, exploitation of this Java deserialization attack was limited to only those threat actor groups. From our perspective, because of our Global Threat Intelligence Network, we were able to capture that attack early on, understand it, and work with SAP to make sure the root cause was being patched and addressed. However, when ShinyHunters released that exploit back in August, we can see Shadowserver showing that the attacks just grew from that point forward. On the right hand side we’re looking at the CISA KEV, their Known Exploited Vulnerabilities catalog. This is a list of CVEs targeting SAP that are actively being exploited today. So please grab a snapshot of that CVE list and make sure those CVEs are being addressed in your environments. As part of the research that we’ve done in the underground, we walked away with an understanding of the value of these vulnerabilities.
There are a couple of different angles when you take a look at the value of these vulnerabilities. One, as we were talking about on the prior slide, they’re being used to gain access into your systems to be able to continue doing additional damage to your environments, whether it is to compromise SAP and hold the organization to ransom, or to conduct any other types of attacks. But we can see that these exploits are really valuable. $250,000 for an exploit targeting SAP just blows my mind. Okay, so this is an interesting graph. This is based off of Mandiant’s time-to-exploit trends affecting business applications. They’ve been doing this for a few years now, but if you take a look at the graph, you’ll see that from 2018 and 2019 down to 2024 the time it takes for threat actors to exploit these vulnerabilities has been rapidly decreasing, even to the point where in 2024 sometimes the exploitation is happening before the patch gets released; that’s when we’re talking zero-days. The other lesson to learn from this is that organizations need to continue to focus on maturing and having better systems in place to identify the risks in their environments, to identify quickly what the vulnerabilities are and to get them patched. The other side of the house is that sometimes waiting to apply these patches on a periodic basis is no longer enough. You’ll have to have teams or processes in place that look at not just the CVSS score but understand the impact, because a lot of times we see vulnerabilities being chained, and a particular CVE in isolation might not gather the impact or attention that it deserves. But when you take a look at the whole and understand the impact to your organization, it may actually require immediate patching.
What we also see from the Mandiant report is that older vulnerabilities are still viable targets for threat actors. We’ve seen that in the prior slide with the CVEs that CISA keeps in its KEV catalog, as we’ve seen CVEs as old as 2010 that are still actively being exploited today. In the case of one particular attack called RECON, in our Global Threat Intelligence Network we’ve seen active exploitation as soon as 72 hours after the patch was released by SAP. We’ve taken a look at that type of information. Now let’s get into the breaches involving SAP. The Onapsis Research Labs has been involved in a lot of incident response. We’ve been brought in by incident response organizations, and we’ve been called in by companies from all over the world. We’re not able to talk about those, but what we can do is talk about the ones that are public. Even then, when we present that information here, we have blocked out the names. We want to be sensitive to that, because it’s not a good place to be, being compromised. There’s a lot of stress and a lot of work that needs to be done by incident responders and people at those organizations to deal with the breaches that have occurred, so a lot of empathy to the people that have gone through these breaches. Okay, around the turn of the year we saw some public filings in court and some public information released about a beverage manufacturing company that suffered an SAP cybersecurity breach. This diagram or picture here on the left is from a court filing, and again we’ve blocked out sensitive information, but they went ahead and stated that they were filing for bankruptcy due to an SAP security breach. We can see the dates from the beginning of the fiscal year to the filing date, from January 1 through October 31.
The attackers disrupted their operations by deploying ransomware on SAP, which disabled their SAP systems, and they had to switch back to paper. The attack is cited by the CEO as one of the key factors leading to the filing for bankruptcy. JP did mention regulatory and compliance earlier on. It doesn’t matter whether you’ve been breached and your SAP systems are not working, you’re still liable to do reporting, especially if you’re a public company. Now let’s get back to the big news, this huge inflection point for SAP security this year because of this zero-day, this Java deserialization attack. Let’s step through the facts of the timeline. April 22: the first public report of the compromises involving this attack. At that time no one really understood what was going on. There was information being released to try and help customers. As time went by and as we were looking at the attack and at the information we had collected in our Global Threat Intelligence Network, we began to understand the deeper situation, which was the Java deserialization attack. But before we understood that, SAP released an emergency patch on April 24. A new wave of mass SAP exploitation was observed on April 26. On April 29 of this year, CISA added CVE-2025-31324 to the KEV catalog. Thanks to the work that we did on the attack and on understanding this particular gadget chain, we partnered with SAP to help them understand what was happening, and because of that, on May 13, SAP released the second patch based upon our new research involving this gadget chain. On May 31, more SAP exploitation follow-on attacks were observed. And on August 15, we go back to ShinyHunters, who released the exploit code.
This information leads into another chart that is based on the work we’ve done in incident response and on our Global Threat Intelligence Network, so let’s dive into that: the timeline for CVE-2025-31324. The initial probes we saw in our Global Threat Intelligence Network started back in January of this year. We were seeing the use of web shells, we were seeing the exploitation of living off. We’ve color coded the different colors in here so we can show what is suspected to be linked to Russian ransomware groups, as well as post-zero-day threat actors mostly suspected and linked to the China nexus. And then of course in purple we see what happened after ShinyHunters released the exploit. Before August 15, exploitation of this Java deserialization gadget chain was limited to just these small threat actor groups. So we saw the exploitation deploying web shells, we saw the exploitation running remote code execution. There was a lot of damage done; a lot of companies were compromised. Recently released exploit for 31324: let’s focus a moment on ShinyHunters. They released this exploit on Telegram. It supports both modes, and we’re going to get into a little bit of what that code looks like. It supports both versions of NetWeaver, 7.4 and 7.5. With respect to both modes, it supported both the installation and execution of the web shell as well as remote code execution. Sophisticated post exploitation: we saw the deployment of remote access tools like Sakura, combined with the theft of SAP credentials, pointing to a focused objective of long term persistent access to the organization’s most critical systems.
We’ve seen custom tools, and more advanced web shells with features like encryption and password protection. They’re targeting SAP specific assets. They focused on gathering sensitive information like SAP specific password stores; they wanted to know more about what these files were. They understand their value for lateral movement and deeper compromise within the SAP landscape, and they showed clearly from our investigations that they knew the specific locations or commands to find them. Here are some snippets from the exploit. We can see specifically, in this middle section, that they’re looking for the version of NetWeaver, and in this particular instance it’s an example of them finding that version 7.5 is running. We can see at the bottom that this was made by Scattered Lapsus$ Hunters, ShinyHunters, and they’re throwing a little dig towards the CCP that they stole their zero-day. There’s more here, but we wanted to highlight that ShinyHunters has stepped out and publicly revealed themselves as being behind this exploit code that they released. We’re going to see a little bit more about them. Specifically, this is a global manufacturing company. ShinyHunters claimed responsibility for this, and they stated that they gained access by exploiting 31324, the Java deserialization gadget chain attack. There have been estimates by analysts that profit loss has been in excess of $700 million and revenue loss over $2 billion. This really impacted the company, the community and the supply chain, so much so that manufacturing operations were completely shut down for five weeks and they furloughed over 30,000 employees. We’ve seen reports of this as the UK’s most expensive cybercrime. This is an interesting slide with the two images. This all goes back to ShinyHunters, specifically to the last slide about this global manufacturer.
So Shodan is a website that shows potentially vulnerable systems that are internet-connected. And Telegram is a framework, it’s an application where you can go ahead and have communications, or you can have group chats, you can have phone calls. With respect to what we have highlighted here, we’ve blocked out the sensitive information, but we have confirmed that the information we’re showing ties back to this global manufacturer. So Shodan shows that at some point there was this www.portal.[blank].com that was internet-accessible and potentially vulnerable. And we can see that that’s tied to the image that ShinyHunters had shared on Telegram, that they already had gotten access into their SAP environment. They’re showing that what we’ve blocked out, the www.portal.[blank], is the same system, and they’re showing that this is part of the evidence that they did get into the system. So the big takeaway before I go ahead and pass off to JP is that, again, this year has been an inflection point. We’ve talked about: is it important to keep your SAP system secure, whether it is publicly accessible or not? The answer is yes, for both. These threat actors are sophisticated, they’re focusing on SAP now; however, they have a large arsenal toolkit for other types of applications and infrastructure and Internet of Things devices that connect to the internet. So even if your SAP systems are blocked from internet access, we have seen situations where these threat actors are coming through these ancillary applications or these ancillary technologies. And then once they get in, they see your SAP systems, and if you’re not patching them, they will and have been compromising those SAP systems whether you have them publicly exposed or not. So with that, I will hand over to JP, who will walk us through the MITRE ATT&CK framework.

Alright. Thanks, Paul. Yes.
And acknowledging that some of you may be SAP operators, SAP Basis team members, and maybe some of you are from the IT security side. So from that perspective, I think it’s important to try to translate what an SAP attack or an SAP compromise means to the IT security community. And we are doing that through the MITRE ATT&CK framework, which is something that most SOC operators and IT security people know and use, some of you probably on a daily basis. And in this case we have some examples of real attacks mapped onto the MITRE ATT&CK framework. In one case, on one side, on the left side, actually we have the initial access, where you see they can access through valid accounts, exploiting public-facing applications, using spear-phishing links, abusing a trust relationship, or even having valid accounts to connect to the system. Then it could be through privilege escalation, or to achieve persistence, or to perform lateral movement. There are different techniques that are used also when it comes to SAP applications. And on the right side, basically on the impact, well, it could be exfiltration of data, data encrypted for impact, which means ransomware, financial theft, or service stop. All of these observed in real incidents involving SAP applications. So I think it’s a good mechanism for us to really see and understand that, yes, SAP applications happen to be very special, complex to some extent, because they use technology that is very special and distributed and have a huge footprint in our organization, but then there are ways to map what an attack would look like when it affects these applications. Also for reference, we added into the slides, well, when it comes to initial access, these techniques that are related to initial access, when we’re talking about SAP applications, what they mean. Also privilege escalation, lateral movement, persistence, all of these techniques as well.
When we’re talking about SAP applications, what it means, what are the different examples that we have been observing on these applications. And to close this section on the impact side, well, we have some techniques that we have seen the threat actors using, and then some of the known actors that have been leveraging that in terms of achieving some type of profit or outcome out of the compromise of SAP applications. Okay. So we are coming to the end of the session. We’re gonna quickly touch base on, okay, we have been talking about 2025 being a critical year, and lots of vulnerabilities that customers need to address and patch, different threats that organizations have to address as well and monitor and be prepared for. So how do we do that? Well, at Onapsis, we deliver the Onapsis platform, which automates all of these processes. We do that for customers that run on premise or in the cloud, in the private cloud, but also we do that for customers that are in RISE with SAP. So we know that many customers are moving to RISE. They are choosing that path, managed by SAP, but then in that environment there are many, many areas of security controls that organizations are responsible for and still own. With the Onapsis platform they are able to automate and manage these areas of potential risk. Yeah, that’s basically, from a technology perspective, the Onapsis platform. We work with SAP very closely, we work in RISE environments, we work in private environments, we address many areas, like application threat detection and response, vulnerability management, custom code, user configurations, secure configurations, compliance monitoring. Well, there are many different areas that we help automate and address with our technology.
In terms of the technology that I was mentioning, the Onapsis platform, there are different building blocks: Control for code security and DevSecOps, Assess for vulnerability management, and Defend for security monitoring or threat monitoring. Of course, we augment the Onapsis platform periodically with knowledge and threat intelligence provided by the Onapsis Research Labs. As you have seen, the team responsible for reporting vulnerabilities to SAP periodically, working hand in hand with SAP to close some of the most critical gaps. The only SAP-endorsed application addressing cybersecurity for SAP applications, supporting a huge set of applications and technologies across the SAP landscape. So, wrapping up, and we’ll have some time for questions. First and foremost, you need to understand what applications you have: the SAP applications, technology, the modules. You need to understand the attack surface and the landscape that you own. What are your responsibilities as well? What parts of your landscape are running on your premises? What parts are running in public cloud, in private cloud, what parts are managed by SAP in RISE, how is that all interconnected? So all of that understanding comes with visibility. Be able to understand the vulnerabilities that are present on the system, manage those risks, those vulnerabilities, put a plan in place to prioritize and address the critical ones, with the proper threat intelligence in place to be able to do that prioritization. But also, it’s not about creating more silos or creating more processes. It’s about bringing your existing SAP applications into your existing processes that you already have, for the most part. You most likely have vulnerability management running across your organization involving all of your technologies, in most cases all but SAP.
So bring SAP into your existing vulnerability management program, bring SAP into your existing SDLC, bring SAP into your existing SOC and incident response process, all of those. So integrate SAP into your existing security landscape and security processes. That’s the way we have found more effective and efficient to address security around SAP technology. Some helpful resources, and, yeah, for you to take a look at and get. We have a lot of threat reports that we release periodically, blogs that we publish, advisories on our GitHub site. You know, we release also open source tools when there are critical vulnerabilities that are timely to address as well. So there are many, many resources that I would recommend you to take a look at. And with that, we have some time for questions.

Perfect. Thank you, JP and Paul. We have a ton of questions. Actually, I saw some were answered during the presentation earlier. Let me pick out three questions, and for all the other ones that won’t get answered live, we will follow up with you individually. So, let me start with the first one. We have systems in place that assess our SAP landscape. Is this enough?

Okay. It depends on what assess means to you. So that’s, if you’re talking about security, yes, you need to assess the security of your SAP landscape. You need to assess the security from a comprehensive perspective, right, all of the different domains, security domains. But then also you need to monitor from a security perspective the activity of the system. Right? Integrate your systems into the SOC, the security operations center, understand if there’s someone abusing a vulnerability or privileges or different scenarios that could lead to a potential incident. So, assessing the systems is good, it’s a good starting point.
Now we need to drill down a little bit in terms of what you’re assessing and also identify the additional areas of monitoring, secure development, different areas of security that also need to be addressed.

Great, thank you, and let me get to the next one. There are more announcements of exploitation attempts against SAP systems. Why do you think these incidents are increasing in frequency?

Yeah, to be honest, I think the threat actors are getting more knowledgeable about these technologies, and it’s proven by the exploit that we have seen. This exploit was a deserialization gadget chain. It was completely new, completely customized for SAP technology, and also even supporting multiple NetWeaver versions. So it was heavily customized, showing a deep understanding of SAP technology. So that’s why it’s increasing in frequency and criticality, because they are paying more attention. They are becoming more knowledgeable about these technologies, and we need to be as responsive as they are.

Great, and then I would say the last question. Is there a way to check if a system has been compromised in the past using the recent vulnerabilities?

Sorry, Cecile, could you repeat, please?

Yeah, sure. Is there a way to check if a system has been compromised in the past using the recent vulnerabilities? Sorry, we have so many questions that we’re gonna follow up after this webinar with all of you.

Yeah, there are ways. Unfortunately, this CVE-2025-31324 was so critical that threat actors were able to do pretty much anything or everything on the system. Now, that means also hide their trails. Depending on what technique was used to compromise the system, and I mean, like, the exploit supported deployment of web shells, if that was the case, it’s easier to identify what happened on the system.
But again, if that threat actor executed and lived off the land, executed commands directly, even deleted or created a reverse shell to its own managed infrastructure, it’s more difficult. That in all cases demands a proper forensics analysis to be able to understand what happened on the system. But there are some scenarios, actually, at the beginning of this campaign, when the patch was first publicly available and the news broke, we were able to contact our customers, and organizations were very quick to react, and many of them actually avoided this becoming a bigger thing. So isolating the incident, understanding exactly what happened. So that was a good thing, because then after the patch was released we saw many other threat actors taking over systems that were previously compromised, and this made things much, much worse. So the organizations that were able to react quickly were in a better shape. But anyway, it’s important to have your own processes for incident response, for vulnerability management, so you know what to do when this type of news breaks and you can react accordingly.

Yeah, and I’d like to add to that. I mean, we’ve seen situations where once compromise was successful, any evidence of files on the system was removed, and we’ve seen the actual attack just living in memory. So it can be a very complicated situation to try and find the examples of compromise. And if you do need some help, it’s always recommended to bring in someone who has intimate knowledge of SAP and understands the challenges of doing a response on a system that’s been breached.

Great. I would say that’s a perfect ending. This brings us to time. As mentioned, for any other questions in the chat, we will be reaching out to you individually to get those answered as well. Also, just a brief reminder to everyone listening that this session has been recorded and the link to the recording will be emailed to you as well.
With that, thanks again to JP and Paul and everyone joining the session today. Have a great day and goodbye.

Thank you. Thank you. Thank you all. Have a good one.
You’ll learn:
- Key lessons from 2025’s most impactful SAP vulnerabilities and exploits
- How threat actors are exploiting vulnerabilities like CVE-2025-31324
- Actionable steps to take now to protect your SAP landscape from known exploits and future vulnerabilities
- Detailing steps to secure your SAP landscape in 2026 with a webinar-exclusive checklist
By the end of this session, you’ll have a clear understanding of the crucial steps your organization needs to take to prepare for and ensure a successful SAP RISE journey by effectively navigating the shared responsibility model.
