- Jul 27, 2015
Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.
Adversaries are carrying out a range of attacks, according to an alert from SAP and security firm Onapsis issued Tuesday – including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware. SAP applications help organizations manage critical business processes – including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management. From mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances.
Who’s at Risk?
Unfortunately, the ongoing attacks could have far-reaching consequences, as SAP noted in the warning: “These are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,” the alert noted. “With more than 400,000 organizations using SAP, 77 percent of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.” Government agencies should take particular notice of the spate of attacks, researchers said.
There is “conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,” the alert reads. “The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.”
Interestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they’ve gained access to a victim’s environment, Onapsis said.
“This action illustrates the threat actors’ advanced domain knowledge of SAP applications, access to the manufacturer’s patches and their ability to reconfigure these systems,” according to the firm. “This technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.”
Cyberattackers are actively exploiting known security vulnerabilities in widely deployed, mission-critical SAP applications, allowing for full takeover and the ability to infest an organization further.