SAP Systems are Targeted by Threat Actors within 72 Hours After Security Patches are Released

Threat actors attack on-premises SAP systems within 72 hours of security patches being issued, according to SAP security firm Onapsis.

The finding comes from a joint study published by Onapsis and SAP.

Threat actors reverse-engineer SAP patches in order to build their own code that exploits recently patched vulnerabilities and targets SAP installations.

SAP and Onapsis collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) and BSI, a German cybersecurity agency, to warn SAP customers to install security updates as soon as they are available and to analyse their on-premises installations.

“The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours,” reads the report published by Onapsis.

“Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations. These threats may also have regulatory compliance implications for organizations that have not properly secured their SAP applications processing regulated data.”

Threat actors launch sophisticated attacks against mission-critical SAP systems, stealing sensitive data and disrupting critical processes. Attackers attempted to gain access to SAP systems in order to change settings and users, as well as steal confidential business data.

According to the paper, cyber attacks target new unsecured SAP applications deployed in cloud (IaaS) environments in less than three hours.

Furthermore, attackers used both proof-of-concept code and brute-force attacks to gain access to high-privileged SAP user accounts. The aim of these attacks was to gain complete control of an SAP installation so that the attackers could change settings and user accounts and steal business data.

Expert attackers have a deep understanding of the SAP architecture, and they use a chain of vulnerabilities to target particular SAP applications to optimise the efficiency of the intrusions. Experts have also observed the use of private exploits in many instances.

“It is important to note that while most of the observed threat activity is related to the use of publicly-available exploits released following SAP patches, Onapsis researchers have detected indicators of custom/private exploits not available in the public domain,” continues the report.

To investigate attacks against SAP installations, Onapsis set up honeypots and discovered that the following vulnerabilities are being actively searched for and exploited:
• CVE-2010-5326
• CVE-2018-2380
• CVE-2016-3976
• CVE-2016-9563
• CVE-2020-6287
• CVE-2020-6207

The following is a list of SAP and Onapsis’ recommendations from their report:

  • Perform an immediate compromise evaluation on SAP applications that are still vulnerable to the vulnerabilities described here, or that were not patched as soon as the related SAP security patches were released—internet-facing SAP applications should be prioritised.
  • Assess all SAP applications for risk right away, and apply all appropriate SAP security patches and stable configurations without delay.
  • Assess SAP applications for misconfigured and/or unauthorised high-privilege users right away, and conduct a compromise evaluation on at-risk applications.
  • If the evaluated SAP applications are currently exposed and mitigations are not possible to enforce in a timely manner, compensating controls should be enforced and activity monitored to detect any potential threat activity before mitigations can be implemented.
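
The first recommendation can be turned into a triage queue. The sketch below is an added example, not code from the Onapsis/SAP report: it flags systems that are still unpatched for one of the CVEs listed above, or that were patched later than the 72-hour window the report describes, and lists internet-facing systems first. The inventory layout, SIDs and all dates are constructed for illustration, and using 72 hours as the cut-off is an assumption.

```python
from datetime import datetime, timedelta

# CVEs the article lists as actively scanned for and exploited.
TRACKED_CVES = {"CVE-2010-5326", "CVE-2018-2380", "CVE-2016-3976",
                "CVE-2016-9563", "CVE-2020-6287", "CVE-2020-6207"}
WEAPONIZATION_WINDOW = timedelta(hours=72)  # assumed cut-off, taken from the report's figure


def triage(systems, now):
    """Return [(sid, reasons)] for systems needing a compromise assessment,
    internet-facing systems first, then longest exposure first."""
    queue = []
    for s in systems:
        reasons, worst = [], timedelta(0)
        for cve, (released, applied) in s["patches"].items():
            if cve not in TRACKED_CVES:
                continue
            # Exposure runs from patch release until the patch was applied (or until now).
            exposed = (applied or now) - released
            if applied is None:
                reasons.append(f"{cve}: still unpatched")
            elif exposed > WEAPONIZATION_WINDOW:
                reasons.append(f"{cve}: patched {exposed.days}d after release")
            else:
                continue  # patched inside the window: no finding for this CVE
            worst = max(worst, exposed)
        if reasons:
            queue.append((not s["internet_facing"], -worst.total_seconds(),
                          s["sid"], reasons))
    return [(sid, reasons) for _, _, sid, reasons in sorted(queue)]


# Constructed inventory: SIDs, exposure flags and dates are illustrative only
# and are not the real release dates of these SAP patches.
T0 = datetime(2024, 1, 9, 8, 0)   # constructed patch release time
NOW = datetime(2024, 3, 1, 8, 0)  # constructed assessment time
INVENTORY = [
    {"sid": "PRD", "internet_facing": False,
     "patches": {"CVE-2020-6287": (T0, T0 + timedelta(days=20))}},
    {"sid": "WEB", "internet_facing": True,
     "patches": {"CVE-2020-6207": (T0, None)}},
    {"sid": "QAS", "internet_facing": False,
     "patches": {"CVE-2020-6287": (T0, T0 + timedelta(hours=48))}},
    {"sid": "EXT", "internet_facing": True,
     "patches": {"CVE-2018-2380": (T0, T0 + timedelta(days=5))}},
]

if __name__ == "__main__":
    for sid, reasons in triage(INVENTORY, NOW):
        print(sid, "->", "; ".join(reasons))
```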

“Furthermore, risk, cybersecurity and SAP leaders should implement a specific mission-critical application protection program as part of their overall cybersecurity and compliance strategy to protect these applications effectively and comprehensively,” concludes the report.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.