Ch4tter: Threat Actors Attacking SAP for Profit

New Intelligence to Protect SAP from Ransomware and Data Breaches

CH4TTER Report


Onapsis and Flashpoint have joined forces to level the playing field, revealing how threat actors are attacking SAP applications. This report covers:

  • Since 2021, research demonstrates a 400% increase in ransomware incidents that involved compromising SAP systems and data at victims' organizations.
  • Active threat community posts incorporating SAP-specific cloud and web services increased 220% from 2021 to 2023.
  • Conversations on SAP vulnerabilities and exploits increased 490% across the open, deep, and dark web from 2021 to 2023.



On Demand Webinar

Threat Actors Attacking SAP for Profit



Over the past few years, the threat landscape around SAP applications has evolved significantly. What has driven this change? Threat actors increasingly see the profit to be derived from SAP applications and the data they hold, and they are taking advantage of known vulnerabilities to get at both.

Pulling from Onapsis’ expertise in SAP cybersecurity and Flashpoint’s depth of threat intelligence, this webinar covers:

  • The current SAP threat landscape
  • Open, deep, and dark web references to SAP vulnerabilities
  • Threat actor groups that commonly target SAP applications
  • SAP vulnerabilities and exploits

Speakers

JP Perez-Etchegoyen
CTO & Co-founder | Onapsis

Christian Rencken
Senior Strategic Advisor | Flashpoint

Frequently Asked Questions

What is the nature of this threat report? Why are you publishing this?

The Onapsis Research Labs (ORL) has extensive knowledge and expertise around ERP threats and vulnerabilities, working hand in hand with SAP to remediate the vulnerabilities that we continuously report to the SAP Product Security Response Team. 

Since the beginning of the year, the Onapsis Research Labs have combined their knowledge with the experience and technology provided by Flashpoint in order to access threat intelligence sources that are typically restricted and short-lived by nature. This gave us a deeper understanding of how the threats to SAP applications have evolved over the past four years.

We are publishing this report together with Flashpoint to help defenders protect their mission-critical SAP applications, warning organizations and raising awareness around the risks and threats of ransomware targeting SAP applications and data; new, highly sophisticated threat actor groups; and the observed increase in attempts to monetize SAP exploits and compromised data.

Who should read this report? To whom is this relevant?

The goal of this report is to protect SAP applications, bringing awareness of the increased threat activity and growing risk to SAP applications. To that end, the threat intelligence and insights contained therein are relevant to teams responsible for SAP security, SAP administrators, Information Security and SOC operators/analysts, and other cybersecurity defenders. All of these groups bear some responsibility for the overall security, integrity, and risk reduction of an organization’s SAP application landscape. 

Are attackers targeting SAP systems with ransomware?

Short answer: YES. However, this is not necessarily a new revelation. Longer answer: Threat actors have been targeting SAP systems for years now in ransomware campaigns because that’s generally where the most critical data to an organization lives. SAP, Onapsis, and CISA have been warning organizations of this risk for several years now. What is worrisome from this new research is the aggressive trendline in ransomware attacks concerning SAP applications and data. 

Onapsis Research Labs analyzed activity on sites where ransomware gangs publicize their compromises. We charted a 400% increase in the number of ransomware incidents concerning SAP. Equally concerning, we’ve seen a number of well-funded and prolific ransomware, state-sponsored, and cyber criminal groups all “enter the market” – such as APT10 (responsible for the US Office of Personnel Management breach) and FIN13 (responsible for the theft of tens of millions of dollars in funds from organizations). These sophisticated threat actor groups will not only hold an organization’s data for ransom, but they will also exfiltrate that same data and offer it up for sale on the criminal market – effectively reaping double the criminal funds. Additionally, we see evidence of modified ransomware payloads that are more “SAP-aware”, allowing for more efficient identification, encryption, and data extraction than previous versions. All of this speaks to a very real, growing threat to global organizations running SAP.

Are there new vulnerabilities being discussed in the report?

The results of this research do not introduce or highlight any new vulnerability or zero-day. In fact, what is most striking about this research is that every CVE mentioned in this report was patched by SAP at least one year ago, and in most instances multiple years ago. This speaks to a lack of proper governance at organizations and to the common challenges of patching complex, business-critical SAP environments.

What known vulnerabilities are highlighted in the report?

In the appendix of this report, we’ve included a comprehensive list of CVEs that were identified during the research as actively being exploited and/or leveraged by threat actors or mentioned as CVEs of interest. 

While we have identified a large number of vulnerabilities that are actively being exploited by threat actors, it is important to stress that this is not an all-inclusive list: attackers could target any one of thousands of known SAP vulnerabilities that may be unpatched in an organization's environment. So, while it is important to immediately address the specific vulnerabilities identified in the report, it is also critical for you and your team to prioritize patching or mitigating SAP vulnerabilities as you would for any other production application. Arguably, even more so, considering the wealth of confidential and critical data that flows through these systems.

What is the risk to my business?

Naturally, the immediate risk is if your organization has any of these actively-exploited vulnerabilities unpatched in your SAP environment. It’s imperative that your teams work to audit and patch your SAP systems for these vulnerabilities as soon as possible. 

It’s important to note that for organizations where SAP is critical for the day-to-day operations of the business, any instance where SAP systems are taken offline and/or encrypted can have a significant financial and operational impact. Many organizations quantify this risk in the order of millions of dollars per hour or day, in consideration of unplanned downtime and disrupted business-critical processes across manufacturing, shipping, supply chain, sales, payroll, financial reporting, and more. 

Additionally, in 2023 the US Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules built around the concept of "material" impact. These rules further increase the regulatory, reputational, and financial risks of an SAP ransomware attack. Beyond the ransomware risk itself, the additional risk for organizations lies in the transparency the SEC now mandates for "material cybersecurity incidents", a category that an SAP ransomware attack can readily fall into given the business processes SAP supports. The rule requires public disclosure on SEC Form 8-K within four business days of the company determining that an incident is material. Risk analysts therefore have to factor the broader public effects of that mandated transparency (e.g., stock price changes, brand damage, executive and board responsibility) into their risk quantification for the enterprise.

Ultimately, being unaware of these risks is no longer a viable position. Organizations must ensure the right level of governance around cyber risks that could affect ERP applications (not just SAP). Start with a clear inventory of Internet-facing ERP applications, then make sure this asset, gap, and threat visibility is accessible to everyone responsible for securing those critical systems. Follow this up with proactive, ongoing vulnerability assessment and risk management for ERP applications.

What does “threat actor” mean?

Threat actors are entities that are responsible for a campaign or an incident that impacts the security of an organization or its data. Throughout the development of this report, the team was exposed to evidence of diverse threat actors that are actively targeting and successfully exploiting SAP applications. 

My ERP applications are behind a firewall, so why should I worry?

There is a common misconception among many SAP customers that having SAP applications "behind the firewall" will protect them from external threats. While we wish security were this easy, reality is sadly very different. Even if there are no Internet-facing SAP components, there is still a large number of threats that target SAP applications behind the firewall, from phishing and compromised workstations to malicious insiders and lateral movement from less protected systems. The following article provides additional insights into the topic: 8 Reasons Perimeter Security Alone Won't Protect Your Crown Jewels

If I’m running my SAP application in the cloud, am I safe?

The cloud provides many advantages and efficiencies, and in certain use cases security can be one of them. However, in most cases we have found the opposite to be true. Many SAP customers believe that by moving to the cloud they are secured, or at least free of responsibility for security. As a result, we have frequently seen a relaxation of security controls, processes, access restrictions, and other protections after a migration.

In all cases with the cloud, there is a shared responsibility model in which both the cloud provider and the cloud customer are accountable for different security controls. For example, a cloud provider is typically responsible for encrypting data at rest on its platform and for monitoring its infrastructure for security incidents. SAP does a great job of protecting the underlying cloud infrastructure used by customers. However, the cloud customer remains responsible for application authentication, authorization, configuration, interfaces, custom code, and many other areas, as well as for monitoring the application itself for malicious use of the application and its data.

Moving your SAP applications to the cloud will not transfer security responsibility and accountability away from your organization. You are still responsible for the data hosted and processed by those applications. 

How can Onapsis help?

If you are an Onapsis customer of Assess and Defend, the Onapsis Platform has been protecting you already. If you subscribe to our Threat Intel Center, you have one-click access to this threat intelligence and a consolidated view of all affected assets in your landscape. If you are not a Threat Intel Center subscriber, reach out to your account executive and ask about a free trial. 

Finally, if you have never analyzed the cybersecurity aspect of your SAP applications – whether due to overall complexity or a lack of SAP knowledge in your security team – the first logical step is to get an understanding of your current situation regarding the potential business risks to your critical SAP systems. This can sometimes be a daunting task, but we’re here to help. Please contact us at [email protected].

Stay Ahead of CH4TTER Vulnerabilities with Onapsis Research Labs

Cybersecurity demands proactive measures, and protecting your SAP systems from the vulnerabilities being exploited is a critical endeavor. Don’t hesitate—reach out to us today to start strengthening your SAP environment’s security. Together, we can ensure your systems remain resilient and safeguarded against evolving threats.