SAP is warning CISOs that threat actors are hunting for unpatched versions of the company’s enterprise resource and supply chain management platform.
In a threat intelligence report* released Tuesday, SAP and Onapsis, a partner that sells security solutions for SAP and other platforms, noted that the patches addressing the exploited vulnerabilities have been available, in some cases for years. [*registration required]
“Unfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet,” the report indicated. “Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”
The report outlines how security teams can assess if an application is at risk and which actions to take immediately to protect the enterprise.
The report also included these findings:
- Onapsis researchers found evidence of 300-plus automated exploitations leveraging seven SAP-specific attack vectors and 100-plus hands-on-keyboard sessions from a wide range of threat actors.
- Critical SAP vulnerabilities are being weaponized within 72 hours of a patch release. New unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours.
- Exploitation could lead to full control of unsecured SAP applications, bypassing common security and compliance controls, enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations. Threats may also have significant regulatory compliance implications, including SOX, GDPR, CCPA and others.
Six of the issues spotted are listed in the CVE common vulnerability database. The seventh is brute-forcing attempts against specific, unsecured high-privilege SAP user accounts.
“These unsecured configuration settings that were used to attempt to log into the business applications were amongst the user accounts that are traditionally installed on an SAP environment during deployment and configuration,” according to the report. “Despite SAP having developed and released broad documentation (Administration: User Management and Security) about this matter years ago, their permissions and how to change the default passwords, Onapsis continues to observe a high number of organizations running SAP applications configured with high-privilege users with default and/or weak passwords.”
The report urges infosec teams to make sure the latest patches have been installed on all SAP applications. A compromise assessment should be immediately performed on applications that haven’t been patched. Internet-facing SAP applications should be prioritized.
Infosec teams should also immediately assess SAP applications for the existence of misconfigured and/or unauthorized high-privilege users and perform a compromise assessment on at-risk applications.
If assessed SAP applications are exposed and mitigations cannot be applied promptly, compensating controls should be deployed and actively monitored to detect any potential threat activity until such mitigations are implemented.
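As an added example, not code from the SAP/Onapsis report, the following sliding-window detector illustrates the monitoring called for above for the seventh vector: repeated failed logons against high-privilege accounts, including a success arriving on the heels of a burst. The record format, the placeholder account names, the window and the threshold are all assumptions; SAP's own audit log format is not reproduced here.

```python
"""Flag failed-logon bursts against high-privilege accounts (added example).
Record format is CONSTRUCTED, not SAP's: <ISO ts> <client_ip> <user> <SUCCESS|FAIL>"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed list: fill from your own user-management review (placeholder names).
HIGH_PRIV_ACCOUNTS = {"ADMIN_PLACEHOLDER", "SVC_PLACEHOLDER"}
WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures per account within WINDOW

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_bruteforce(lines, accounts=HIGH_PRIV_ACCOUNTS,
                      window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, user, failures_in_window, sorted source IPs):
    'bruteforce' once per account when failures reach the threshold, and
    'success_after_burst' for a successful logon while a burst is live."""
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    ips = defaultdict(set)       # user -> source IPs seen failing
    alerts, alerted = [], set()
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if user not in accounts:
            continue             # only monitored accounts are tracked
        q = fails[user]
        while q and ts - q[0] > window:
            q.popleft()          # expire failures older than the window
        if result == "FAIL":
            q.append(ts)
            ips[user].add(ip)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append(("bruteforce", user, len(q), sorted(ips[user])))
        elif result == "SUCCESS" and len(q) >= threshold:
            alerts.append(("success_after_burst", user, len(q), sorted(ips[user])))
    return alerts
# Constructed sample: a 20-second burst from two IPs followed by a success, then
# an account failing once every 7 minutes, which never fills the 5-minute window.
SAMPLE_LOG = """\
2021-01-01T10:00:00 198.51.100.7 ADMIN_PLACEHOLDER FAIL
2021-01-01T10:00:05 198.51.100.7 ADMIN_PLACEHOLDER FAIL
2021-01-01T10:00:11 198.51.100.7 ADMIN_PLACEHOLDER FAIL
2021-01-01T10:00:16 198.51.100.9 ADMIN_PLACEHOLDER FAIL
2021-01-01T10:00:20 198.51.100.9 ADMIN_PLACEHOLDER FAIL
2021-01-01T10:00:31 198.51.100.9 ADMIN_PLACEHOLDER SUCCESS
2021-01-01T12:00:00 203.0.113.4 SVC_PLACEHOLDER FAIL
2021-01-01T12:07:00 203.0.113.4 SVC_PLACEHOLDER FAIL
2021-01-01T12:14:00 203.0.113.4 SVC_PLACEHOLDER FAIL
""".splitlines()
```

Running `detect_bruteforce(SAMPLE_LOG)` yields two alerts for the placeholder admin account and none for the slow-failing service account, since each of its failures has expired before the next one arrives.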
The report notes that 92 per cent of the Fortune 2000 companies use SAP products, including 18 of the world’s 20 major vaccine producers. Sixty-four per cent of SAP’s large enterprise sector customers are considered part of the critical infrastructure, as defined by the U.S. Department of Homeland Security.