Learn more about the joint cyber threat intelligence report, Active Cyber Attacks on Mission Critical SAP Applications, released April 6th by SAP and Onapsis.


< Back to Tag
Mar 02, 2022

SAP and Onapsis Release Joint Cyber Threat Intelligence Report Citing Malicious Attempts Attack SAP Applications

On Tuesday, April 6th, SAP and Onapsis released a joint cyber threat intelligence report titled Active Cyberattacks on Mission-Critical SAP Applications. This report was drafted following a month-long research study conducted by Boston-based information security research firm Onapsis that identified on-going exploit attempts being unleashed against core SAP solutions. Onapsis deployed a rigorous analysis of key security configurations of SAP development landscapes and performed a compromise assessment with a forensic investigation of at-risk environments to arrive at their findings. The severity of this report was underscored by the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) bulletin outlining the on-going threat to active critical business processes such as: ●      enterprise resource planning ●      product lifecycle management ●      customer relationship management ●      supply chain management At this time, SAP, Onapsis, the U.S. CISA and it’s German counterpart the BIS are all recommending immediate action be taken to mitigate the impact of this on-going threat. The rationale behind this recommendation is captured in the form of the central findings of the official report related to this event: Researchers at Onapsis have recorded evidence of more than 300 automated exploitations targeting seven SAP-specific attack vectors with more than 100 hands-on-keyboard sessions from a wide range of potential state and non-state threat actors. There has been clear evidence demonstrated of sophisticated domain knowledge, including the implementation of SAP patches after services were compromised.

Malicious Actors are Actively Involved with Exploiting Mission-Critical SAP Digital Infrastructure

  Key SAP vulnerabilities have been weaponized within less than 72 hours of patch releases and new unprotected SAP applications provisioned in cloud (IaaS) environments are being uncovered and exploited in less than 3 hours.

The Window of Opportunity is Quite Small

On-Going Threat Have Both Security and Compliance Effects

Full exploitation is creating the potential for full control of unsecured SAP applications by working around existing security and compliance related safety precautions allowing attacks to steal sensitive data, commit financial fraud, and disrupt essential business processes with ransomware and other malicious programs that threaten to stop operations. These issues also create the potential to violate international compliance frameworks such as the SOX, GDPR, and CCPA among others. In this article we will cover everything you need to know about the on-going threat against SAP applications and what can be done to mitigate these threats.

The Window of Opportunity is Quite Small

Understanding What Onapsis Uncovered and Why it Matters for Public and Private Sector Organizations Around the World

 The joint report issued by SAP and Onapsis describes that between June 2020 and March of 2021 there were at least 1,500 cyber attacks conducted against SAP applications unleashed utilizing a broad range of methods likely connected to both state and non-state threat actors. Though companies such as SAP alongside Oracle, Microsoft, Adobe release information like this on almost a monthly basis, the severity of these on-going exploit attempts must be emphasized. According to SAP, while exploits are identified and mitigation steps are clearly outlined, many customers do not proactively address these issues for at times months and years down the line. This creates a real sense of urgency for service providers not only to address the technical challenges caused by these issues but also to work towards educating customers about cybersecurity resilience best practices. This SAP exploit event is classified as severe and on-going by both governments and commercial observers. Perform due diligence and take all necessary steps to protect the organization's you serve from this pervasive challenge that threatens organization reputation, operational efficiency, data integrity and exposes organizations to a massive range of security and compliance related challenges. The following issues must be addressed immediately: ●     CVE-2020-6287 is a critical authentication bypass issue in SAP NetWeaver Application Server Java allowing full account takeover ● CVE-2020-6207 is another critical authentication bypass bug, in SAP Solution Manager ● CVE-2018-2380 is a medium-severity flaw in SAP CRM, which allows an attacker to exploit insufficient validation of path information provided by users ● CVE-2016-9563 is also a medium-severity bug, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which allow them to interfere with XML processing ● CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files ●     CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet on SAP NetWeaver AS Java. It doesn’t require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request

Charting the Impact of An On-Going Threat Against Vital SAP Digital Infrastructure

SAP headquartered in Walldorf, Germany, was founded in 1972 and is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration, and experience management known for its broad portfolio of modular and suite solutions available on premise, in the cloud, and in hybrid configurations. To put the scope of this on-going threat event against SAP in context, consider the following: ●     Though approximately of 80% of SAP’s customers are small and medium sized enterprises, their base of customers also includes 92% of the Forbes Global 2000 companies, 98% of the 100 most-valued international brands, companies tied to 78% of the world’s food distribution and producing 82% of the world’s medical devices  ●     As much as 77% of all financial transactions conducted in the world reach the SAP application environment at one stage or another ●     SAP software is used heavily across the public sector in governments as well as in areas of military, defense, and security for organizations such as the United States’ Army and NATO with 40% of its members using SAP solutions The more than 400,000 users of SAP software solutions include some of the largest and most influential organizations in the world. The on-going cybersecurity challenges and predicted fallout of this event cannot be underscored. It is absolutely essential that any organization utilizing SAP solutions to immediately apply mitigation efforts.

Charting the Impact of An On-Going Threat Against Vital SAP Digital Infrastructure We recommend operators of SAP systems review the Onapsis Alert Active Cyberattacks on Mission-Critical SAP Applications for more information and apply necessary updates and mitigations. We highly encourage you to download the threat report available in the above link to assess if you are at risk, and which actions to take immediately to protect your business. This report also details the specific techniques, tools and procedures (TTPs) observed by our experts, empowering defenders to respond to this activity as quickly as possible. Securing digital infrastructure is an on-going effort that requires vigilance and diligence when it comes to responding to emerging threats. Stay proactive by keeping yourself informed and follow recommended guidelines to secure your organization and safeguard mission critical processes and operations.

Recommended Threat Mitigation Efforts for SAP Users