Security researchers are warning of an influx of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords.
Starting in mid-2020, threat actors launched at least 300 successful attacks on unprotected SAP instances, according to a Tuesday report released jointly by SAP and Onapsis. These include exploits of six vulnerabilities, some of which can give full control over unsecured applications. Though SAP has released patches for all of these vulnerabilities, the targeted businesses had not applied the updates, or were using unsecured SAP user accounts.
“SAP recommends that customers apply the security and review patches immediately after they have been released via the SAP Security Notes,” according to an SAP spokesperson. “SAP takes customer security seriously and collaborates with external security researchers including research companies in ensuring that vulnerabilities discovered in our software are patched at the earliest.”
Impacted are various SAP applications, which help organizations manage their mission-critical business processes, including software for enterprise resource planning, supply-chain management, product lifecycle management and customer relationship management. More than 40,000 organizations utilize SAP applications, including 92 percent of the Forbes Global 2000, according to SAP.
For organizations that have not taken the steps to secure their SAP software, the attacks could have dire consequences, according to an alert this week from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). If exploited, the flaws could enable attackers to steal sensitive data, launch financial fraud or ransomware attacks, disrupt mission-critical business processes or even halt operations.
“We captured over 50 hours of hands-on-keyboard exploit activity during the nine months of observations,” Mariano Nunez, CEO of Onapsis, said. “In one instance, we saw an attacker connecting from five different IPs with geo-location in four different countries remotely breaking in and accessing sales orders and sensitive HR data, which would be a direct violation of GDPR.”
Multiple attacks stemmed from the targeting of unsecured, high-privilege SAP user account settings. These accounts, installed on SAP environments during deployment and configuration, used default or weak passwords, making it easy for attackers to launch brute-force attacks and compromise the accounts.
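The account-guessing pattern described above is something defenders can spot in logon records before the accounts are actually taken over. The script below is an added example, not code from SAP, Onapsis or the report: it runs a sliding-window failed-logon counter over a constructed, simplified logon log (the timestamp/key=value layout, the source addresses and the account names `ADMIN_SVC`, `BASIS_OPS`, `JSMITH` are all hypothetical), keys the count on the account rather than the source so that guessing spread over several IPs, as in the report's five-IP case, is still caught, and raises a second, higher-priority alert when a success follows a burst of failures.

```python
"""Flag password guessing against SAP accounts in a stream of logon records.

Added example; it is not code from SAP, Onapsis or the report. The log format
below (timestamp, event, key=value fields) is a constructed simplification, and
the account names are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical list of administrative accounts; a real check would derive
# this from the system's role assignments rather than a hard-coded set.
PRIVILEGED = {"ADMIN_SVC", "BASIS_OPS"}
FAIL_THRESHOLD = 5            # failures inside WINDOW that count as guessing
WINDOW = timedelta(minutes=2)

# Constructed sample: one user mistypes a password once, then an
# administrative account receives a burst of failures from two sources
# followed by a successful logon, which is the pattern a compromise leaves.
SAMPLE_LOG = """\
2021-04-06T09:00:01 LOGON user=JSMITH client=100 src=10.1.4.22 result=FAIL
2021-04-06T09:00:09 LOGON user=JSMITH client=100 src=10.1.4.22 result=OK
2021-04-06T09:00:12 LOGON user=ADMIN_SVC client=000 src=203.0.113.7 result=FAIL
2021-04-06T09:00:13 LOGON user=ADMIN_SVC client=000 src=203.0.113.7 result=FAIL
2021-04-06T09:00:14 LOGON user=ADMIN_SVC client=000 src=198.51.100.9 result=FAIL
2021-04-06T09:00:15 LOGON user=ADMIN_SVC client=000 src=203.0.113.7 result=FAIL
2021-04-06T09:00:16 LOGON user=ADMIN_SVC client=000 src=203.0.113.7 result=FAIL
2021-04-06T09:00:17 LOGON user=ADMIN_SVC client=000 src=198.51.100.9 result=FAIL
2021-04-06T09:00:40 LOGON user=ADMIN_SVC client=000 src=203.0.113.7 result=OK
2021-04-06T09:05:00 LOGON user=BASIS_OPS client=000 src=10.1.4.30 result=FAIL
"""


def parse_line(line):
    """Turn one constructed log line into a dict; None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    ts, event, *kv = parts
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect_guessing(lines, threshold=FAIL_THRESHOLD, window=WINDOW,
                    privileged=PRIVILEGED):
    """Return alerts for accounts hit by a burst of failed logons.

    Failures are counted per account across all source addresses inside a
    sliding window, so distributed guessing is still visible. A successful
    logon while a burst is still inside the window yields a second alert.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, src) recent failures
    flagged = set()               # users already alerted for the current burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGON":
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        q = recent[user]
        while q and ts - q[0][0] > window:      # expire old failures
            q.popleft()
        if len(q) < threshold:
            flagged.discard(user)                # burst has decayed; re-arm
        if rec["result"] == "FAIL":
            q.append((ts, src))
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({
                    "type": "PASSWORD_GUESSING",
                    "user": user,
                    "privileged": user in privileged,
                    "failures": len(q),
                    "sources": sorted({s for _, s in q}),
                    "at": ts.isoformat(),
                })
        elif len(q) >= threshold:
            # Success right after a burst: treat as a probable compromise.
            alerts.append({
                "type": "SUCCESS_AFTER_GUESSING",
                "user": user,
                "privileged": user in privileged,
                "src": src,
                "at": ts.isoformat(),
            })
            q.clear()
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample this produces one `PASSWORD_GUESSING` alert for `ADMIN_SVC` at the fifth failure (listing both source addresses) and one `SUCCESS_AFTER_GUESSING` alert for the logon at 09:00:40; the single mistyped password for `JSMITH` and the lone failure for `BASIS_OPS` stay below the threshold. The `privileged` flag is what lets a SOC route alerts on administrative accounts ahead of ordinary ones.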
Researchers also observed attackers targeting six flaws, including CVE-2020-6287 (in SAP NetWeaver Application Server Java systems), a critical flaw that, if exploited, could give attackers an initial foothold on the targeted application. Attackers also targeted CVE-2018-2380 (in SAP’s customer relationship management software) and CVE-2016-9563 (in SAP NetWeaver AS Java), both of which could give authenticated attackers operating-system-level access from which to launch further attacks, as well as CVE-2010-5326 (in SAP NetWeaver AS Java), which allows threat actors to execute operating system commands without authentication and ultimately gain full control of SAP business information and processes.
Attackers also targeted CVE-2016-3976 (in SAP NetWeaver AS Java) and CVE-2020-6207 (in SAP Solution Manager). These flaws, if exploited, can be used for lateral movement across the business network in order to compromise other systems.
“Sophisticated threat actors have been observed chaining together multiple vulnerabilities to target specific SAP applications to maximize impact and potential damage,” according to the report.
The report also pointed to cybercriminals becoming more sophisticated overall in their attacks on software from SAP, which deploys patches on a regular monthly schedule. In some cases, researchers observed exploit attempts as little as 72 hours after the release of a patch. And new unprotected SAP applications that were provisioned in cloud environments were discovered and attacked in less than three hours, they said.
Both SAP and Onapsis recommend organizations protect themselves from these attacks by immediately performing a compromise assessment on SAP applications that are still exposed to the targeted flaws, with internet-facing SAP applications being prioritized. In addition, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.
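The three recommendations above (assess exposed systems, internet-facing ones first; patch and fix configuration; find misconfigured high-privilege accounts) can be turned into a repeatable triage order for a landscape of many systems. The following is an added example, not SAP's or Onapsis's own tooling: it scores a constructed inventory of hypothetical systems (`PRD`, `CRM`, `SOL`, `DEV`) using the six CVEs the report names, grouped by the impact the article describes for each, doubles the score for internet-facing systems, and rates an authenticated flaw higher when the same system also has default or weak high-privilege accounts, since weak credentials are exactly what makes an "authenticated" flaw reachable. The weights are the example's own assumption, not a figure from the report.

```python
"""Rank SAP systems for compromise assessment, patching and account review.

Added example; it is not from SAP or Onapsis. The inventory is constructed
and the CVE groupings follow the article's description of each flaw. The
numeric weights are an assumption for illustration.
"""

# Impact classes as described in the article.
UNAUTH_CONTROL = {"CVE-2020-6287", "CVE-2010-5326"}   # foothold / unauthenticated OS commands
AUTH_OS_ACCESS = {"CVE-2018-2380", "CVE-2016-9563"}   # OS access for an authenticated attacker
LATERAL = {"CVE-2016-3976", "CVE-2020-6207"}          # lateral movement across the landscape

# Constructed inventory: system id, product, exposure, Security Notes still
# missing (by CVE), and whether default-password high-privilege accounts exist.
INVENTORY = [
    {"sid": "PRD", "product": "NetWeaver AS Java", "internet_facing": True,
     "missing": {"CVE-2020-6287", "CVE-2016-3976"}, "default_accounts": False},
    {"sid": "CRM", "product": "SAP CRM", "internet_facing": False,
     "missing": {"CVE-2018-2380"}, "default_accounts": True},
    {"sid": "SOL", "product": "Solution Manager", "internet_facing": False,
     "missing": {"CVE-2020-6207"}, "default_accounts": False},
    {"sid": "DEV", "product": "NetWeaver AS Java", "internet_facing": True,
     "missing": set(), "default_accounts": True},
]


def assess(system):
    """Return (score, findings, actions) for one system."""
    missing = set(system["missing"])
    weak_accounts = system["default_accounts"]
    score, findings, actions = 0, [], []

    hit = missing & UNAUTH_CONTROL
    if hit:
        score += 10
        findings.append("unauthenticated full control: " + ", ".join(sorted(hit)))
    hit = missing & AUTH_OS_ACCESS
    if hit:
        # An authenticated flaw is reachable by anyone who can guess a default
        # password, so weak accounts push it close to the unauthenticated class.
        score += 9 if weak_accounts else 6
        findings.append("authenticated OS-level access: " + ", ".join(sorted(hit)))
    hit = missing & LATERAL
    if hit:
        score += 4
        findings.append("lateral movement: " + ", ".join(sorted(hit)))
    if weak_accounts:
        score += 3
        findings.append("high-privilege accounts with default or weak passwords")
    if system["internet_facing"]:
        score *= 2    # reachable without any prior foothold in the network

    if missing:
        note = " (internet-facing: do first)" if system["internet_facing"] else ""
        actions.append("compromise assessment" + note)
        actions.append("apply SAP Security Notes for: " + ", ".join(sorted(missing)))
    if weak_accounts:
        actions.append("reset passwords and review high-privilege accounts")
    return score, findings, actions


def triage(inventory):
    """Score every system and return them highest-risk first."""
    rows = []
    for system in inventory:
        score, findings, actions = assess(system)
        rows.append({"sid": system["sid"], "product": system["product"],
                     "score": score, "findings": findings, "actions": actions})
    rows.sort(key=lambda r: (-r["score"], r["sid"]))
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['sid']:<4} score={row['score']:<3} {row['product']}")
        for f in row["findings"]:
            print("   finding:", f)
        for a in row["actions"]:
            print("   action: ", a)
```

On the constructed inventory the internet-facing production system with an unauthenticated flaw comes out first, the CRM system with an authenticated flaw plus default accounts second, and the patched but weak-account development system still ranks above a fully internal system that is only missing a lateral-movement fix. Replacing `INVENTORY` with real exposure and patch-level data is the only change needed to use it on an actual landscape.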
“While SAP issues monthly patches and provides best practices for configuring systems, it is ultimately the responsibility of the customer or their service provider to apply mitigations in a timely manner and properly configure systems to keep critical business processes and data protected and in compliance,” according to the report.