Hackers Exploiting SAP Vulnerabilities

Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, according to a report issued by SAP and cyber threat research company Onapsis. The security flaws with CVSS severity scores of up to 10, the highest possible, are being weaponized.

On April 6, Onapsis and SAP released a new threat intelligence report to help SAP customers protect from active cyber threats seeking to specifically target, identify and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors.

SAP applications are used by an estimated 400,000 enterprise organizations worldwide. Although SAP is not aware of any direct customer-related breaches due to these activities, both the vendor and Onapsis say that there were at least 1,500 SAP application-related attack attempts tracked between June 2020 and March 2021, and as a minimum 300 were successful.

The report says, SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.

SAP applications help organizations manage critical business processes, such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. 

Impacted Organizations Could Experience

  • Theft of sensitive data,
  • Financial fraud,
  • Disruption of mission-critical business processes,
  • Ransomware
  • Halt of all operations

Attacks Targeting Vulnerable SAP Apps

“Observed exploitation techniques would lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” Onapsis explained.

“With remote access to SAP systems and mission-critical applications, the need for lateral movement is nearly eliminated, enabling attackers to reach and exfiltrate business-critical data more quickly.”

Attacks Targetting Vulnerable SAP Apps

Vulnerabilities and Attack Methods used throughout this Ongoing Malicious Activity

  • Brute-force attacks targeting unsecured high-privilege SAP user account settings.
  • CVE-2020-6287 (aka RECON): a remotely exploitable pre-auth vulnerability that enables unauthenticated attackers to take over vulnerable SAP systems.
  • CVE-2020-6207: maximum severity pre-auth vulnerability that could also lead to the takeover of unpatched SAP systems (fully-working exploit was released in January 2021, on GitHub). Onapsis has seen a significant increase in exploit activity targeting this bug since the exploit was published, detecting 756 probes from 34 distinct IP addresses.
  • CVE-2018-2380: enables threat actors to escalate privileges and execute OS commands after exploitation, allowing them to gain access to the database and to move laterally across the network (34 incoming exploitation attempts from 10 distinct IPs were detected by Onapsis, with web shells being deployed after successful exploitation).
  • CVE-2016-95: attackers can exploit this bug to trigger denial-of-service (DoS) states and gain unauthorized access to sensitive information.
  • CVE-2016-3976: remote attackers can exploit it to escalate privileges and to read arbitrary files via directory traversal sequences, leading to unauthorized disclosure of information. Exploits that can be used to fully compromise unpatched and exposed SAP systems were publicly released in 2016.
  • CVE-2010-5326: allows unauthenticated threat actors to execute OS commands and access the SAP app and the connected database, thus gaining complete and unaudited control of the SAP business information and processes. (206 exploitation attempts detected since mid-2020, coming from 10 unique IP addresses)

Mitigation Measures

  • Immediately perform a compromise assessment on SAP applications that are still exposed to the vulnerabilities mentioned herein, or that have not been promptly secured upon the release of the relevant SAP security patches. Internet-facing SAP applications should be prioritized.
  • Immediately assess all applications in the SAP environment for risk, and immediately apply the relevant SAP security patches and secure configurations.
  • Immediately assess SAP applications for the existence of misconfigured and/or unauthorized high-privilege users and perform a compromise assessment on at-risk applications
  • If assessed SAP applications are currently exposed and mitigations cannot be applied promptly, compensating controls should be deployed and actively monitored to detect any potential threat activity until such mitigations are implemented.

Onapsis CEO Mariano Nunez says, “Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.