The News: The SAP cyberattack currently underway exploits known security vulnerabilities in widely deployed SAP applications. These vulnerabilities can lead to a full takeover of unsecured SAP applications, and SAP systems running outdated or misconfigured software are exposed to the malicious activity now in progress. Read the CISA alert here.
SAP Cyberattack Currently Underway Exploits Known Security Vulnerabilities
Analyst Take: The SAP cyberattack is a matter of threat actors actively targeting and exploiting unprotected SAP applications with attacks that are not only sophisticated but also automated. Suffice it to say that the business impact when an attacker gains access to an unprotected SAP system, bypassing all access and authorization controls, is significant, and that this threat ranks among the most severe.
To say that SAP software is one of the most widely used in the world is no exaggeration. SAP software is used in more than 400,000 organizations around the world; its customers include 72% of the Forbes Global 2000, 77% of the world’s transaction revenue touches an SAP system, and 64% of SAP’s large enterprise customers are considered part of critical infrastructure. SAP’s customers are in retail, pharma, supply chain, human capital management, banking and finance, healthcare, distribution, manufacturing, utilities, military and defense, government organizations and beyond. They are in every sector and every vertical.
Applications targeted include, but aren’t limited to, enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others.
SAP — or any Brand — Can Only Do So Much, IT Teams Must Step Up, and Quickly
The challenge here is that while a vendor can be constantly vigilant and proactive on the security front, working continuously to identify vulnerabilities and bugs and issuing patches and mitigations, it cannot force its customers to take action. And therein lies the problem.
In this instance, SAP, working with security firm Onapsis from mid-2020 to early April 2021, identified more than 300 successful exploit attempts on unprotected SAP instances. This activity was related to insecure/incorrect configurations and multiple vulnerabilities. As each vulnerability was discovered, patches were issued by SAP and customers advised to update their systems.
Unprotected systems continue to operate and, most alarmingly, they appear to be easily visible to threat actors, who are moving quickly to capitalize on the opportunity. Of additional concern, Onapsis researchers identified evidence not only of attacks against known weaknesses in application-specific security configurations, but also of brute-forcing of high-privilege SAP user accounts. What this means for organizations is that the risk and potential impact can extend well beyond SAP systems and apps themselves.
Here’s a look at just how quickly the path from vulnerability disclosure to threat actor exploitation plays out. In one example, a patch was released on July 14, 2020, followed by a proof-of-concept exploit on July 15, 2020. Mass scanning by threat actors was detected on July 16, 2020, and a fully functional public exploit was released within the next 24 hours, on July 17, 2020.
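The brute-forcing of high-privilege accounts mentioned above is one of the easier behaviours to catch in logon telemetry. The following is an added example written for this article, not code from the original page, SAP or Onapsis: it runs a sliding-window detector over a constructed, simplified logon log (timestamp, user, client, source IP, result), flagging both classic brute force (many failures against one account) and password spraying (one source failing against many accounts), and raising severity when a well-known privileged account is involved. The log layout is not the real SAP Security Audit Log format, and the watchlist and thresholds are assumptions, so adapt `parse_line()` and the constants before using this on real data.

```python
"""Flag brute-force and password-spray activity against SAP logons.

Added example; not code from the original article, SAP, or Onapsis. The log
format is a constructed, simplified one (timestamp, user, client, source IP,
result) and is NOT the real SAP Security Audit Log layout, so adapt parse_line()
before pointing this at real data. The privileged-account watchlist and the
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering SAP*, one source spraying single
# attempts across many accounts, and a user who mistypes twice then logs in.
SAMPLE_LOG = """\
2021-04-06T10:00:01 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:02 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:03 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:04 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:05 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:06 SAP* 000 203.0.113.7 LOGON_FAILED
2021-04-06T10:00:30 JSMITH 100 192.0.2.5 LOGON_FAILED
2021-04-06T10:00:41 JSMITH 100 192.0.2.5 LOGON_FAILED
2021-04-06T10:00:52 JSMITH 100 192.0.2.5 LOGON_OK
2021-04-06T10:01:01 DDIC 100 198.51.100.9 LOGON_FAILED
2021-04-06T10:01:02 ADMIN 100 198.51.100.9 LOGON_FAILED
2021-04-06T10:01:03 BASIS 100 198.51.100.9 LOGON_FAILED
2021-04-06T10:01:04 MGOMEZ 100 198.51.100.9 LOGON_FAILED
2021-04-06T10:01:05 LCHEN 100 198.51.100.9 LOGON_FAILED
"""

# Assumed watchlist of high-privilege / well-known SAP accounts.
PRIVILEGED_ACCOUNTS = {"SAP*", "DDIC", "TMSADM", "EARLYWATCH"}


def parse_line(line):
    ts, user, client, source, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "client": client, "source": source, "result": result}


def detect(log_text, window=timedelta(minutes=5),
           account_threshold=5, spray_threshold=5):
    """Return findings for (a) >= account_threshold failures against one
    account inside `window` and (b) >= spray_threshold distinct accounts
    failed from one source inside `window`. Each pattern is reported once."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    fails_by_user = defaultdict(list)    # user   -> failure timestamps in window
    users_by_source = defaultdict(dict)  # source -> {user: last failure ts}
    findings, flagged_users, flagged_sources = [], set(), set()
    for e in events:
        if e["result"] != "LOGON_FAILED":
            continue
        t, user, src = e["ts"], e["user"], e["source"]

        # (a) per-account sliding window: drop failures older than `window`
        hist = fails_by_user[user]
        hist.append(t)
        while t - hist[0] > window:
            hist.pop(0)
        if len(hist) >= account_threshold and user not in flagged_users:
            flagged_users.add(user)
            findings.append({"type": "brute_force", "user": user, "source": src,
                             "count": len(hist),
                             "severity": "high" if user in PRIVILEGED_ACCOUNTS else "medium"})

        # (b) per-source distinct-account window (password spray)
        seen = users_by_source[src]
        seen[user] = t
        for stale in [u for u, ts in seen.items() if t - ts > window]:
            del seen[stale]
        if len(seen) >= spray_threshold and src not in flagged_sources:
            flagged_sources.add(src)
            findings.append({"type": "password_spray", "source": src,
                             "accounts": sorted(seen),
                             "severity": "high" if seen.keys() & PRIVILEGED_ACCOUNTS else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this produces two findings: a high-severity brute-force hit on SAP* from 203.0.113.7, and a high-severity spray from 198.51.100.9 (high because DDIC is among the targeted accounts); JSMITH's two typos followed by a successful logon stay below threshold. A lockout policy on its own would not surface the spray case, which is why the source-based view is worth keeping alongside the per-account one.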
The Risk to the Business as a Result of Outdated or Misconfigured SAP System Vulnerabilities
The risk to the business as a result of threat actors exploiting these outdated or misconfigured SAP system vulnerabilities is significant. This includes threat actors potentially having administrative level access to the organization’s system, with the ability to:
- Perform unrestricted actions through OS command execution
- Disrupt critical business operations (think supply chain) by corrupting data, shutting processes down, or deploying ransomware
- Read, modify, or delete financial records
- Administer and take over purchasing processes
- Steal personally identifiable information from employees, customers, and suppliers
- Delete or modify traces, logs, and other files
There may also be significant compliance and regulatory risk for the business as a result of a system breach by threat actors, involving data privacy laws such as GDPR or CCPA, industry-specific regulations like PCI DSS or NERC CIP, and financial reporting compliance obligations.
What Organizations Running SAP Systems Should Immediately Do
If it is not yet abundantly clear, time is of the essence in resolving these security vulnerabilities. Given the widespread and urgent nature of the ongoing threat, the active and automated pursuit by threat actors of companies running outdated or misconfigured SAP software, and the very real damage this can cause, immediate action is warranted. That means performing a compromise assessment and a forensic examination of all at-risk environments, along with a thorough review of all security configurations across SAP landscapes.
Once that is accomplished and immediate threats are discovered and mitigated, it’s time to step back and review the organization’s existing cybersecurity plan for protecting all mission-critical applications. With a massive migration to the cloud underway and more to come, the biggest cybersecurity challenge for organizations is recognizing that it is no longer enough to focus on endpoint and perimeter defenses, and that determining exactly where perimeters begin and end is itself no small task. Bigger attack surfaces mean greater opportunities for threat actors, and they are moving quickly to take advantage.
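The configuration review called for above is partly mechanical: much of an SAP system's logon and RFC hardening lives in profile parameters. As an added example that is not part of the original article and not SAP's or Onapsis's code, the script below parses the `name = value` profile format and compares a handful of well-known parameters (`login/min_password_lng`, `login/fails_to_user_lock`, `login/no_automatic_user_sapstar`, `login/password_expiration_time`, `auth/rfc_authority_check`, `gw/acl_mode`) against a baseline chosen for this example, showing a constructed weak profile beside a corrected one. The thresholds are assumptions for illustration rather than SAP's published hardening guide, and a parameter that is absent is reported as "not set" rather than assumed safe, because the kernel default then applies and varies by release.

```python
"""Audit an SAP profile (DEFAULT.PFL / instance profile) for weak logon and RFC settings.

Added example, not from the original article, SAP, or Onapsis. It parses the
'name = value' profile format and checks well-known parameters against an
ILLUSTRATIVE baseline assumed for this example; align the thresholds with your
own hardening standard before relying on it.
"""
import re

# Constructed sample of a weak profile (not taken from any real system).
WEAK_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 3
login/fails_to_user_lock = 99
login/no_automatic_user_sapstar = 0
login/password_expiration_time = 0
auth/rfc_authority_check = 0
"""

# Constructed sample of the same profile after correction.
HARDENED_PROFILE = """\
# DEFAULT.PFL (constructed sample, corrected)
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1   # no hard-coded SAP* fallback logon
login/password_expiration_time = 90
auth/rfc_authority_check = 1
gw/acl_mode = 1
"""

# Assumed baseline for this example: parameter -> (predicate on int value, expectation text).
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 8, ">= 8"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "= 1 (disable hard-coded SAP* logon)"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "between 1 and 90 days (0 = never expires)"),
    "auth/rfc_authority_check": (lambda v: v >= 1, ">= 1 (authorization check on RFC calls)"),
    "gw/acl_mode": (lambda v: v == 1, "= 1 (gateway ACL files enforced)"),
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: raw value}; '#' starts a comment, blank lines ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def audit(text):
    """Return a list of (parameter, observed value, problem) for every
    baseline parameter that is missing, non-numeric, or outside the baseline."""
    params = parse_profile(text)
    findings = []
    for name, (ok, expectation) in BASELINE.items():
        if name not in params:
            findings.append((name, "not set",
                             f"set explicitly, expected {expectation}; kernel default applies otherwise"))
            continue
        raw = params[name]
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, f"non-numeric value; expected {expectation}"))
            continue
        if not ok(value):
            findings.append((name, raw, f"weak: expected {expectation}"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label}: {len(audit(profile))} finding(s)")
        for name, value, problem in audit(profile):
            print(f"  {name} = {value}: {problem}")
```

Run against the weak sample it reports six findings (five out-of-range values plus `gw/acl_mode` not set at all); the corrected sample reports none. A real review would extend the baseline table with the rest of your standard and run it against every instance profile in the landscape, since a single outlier instance is enough to give an attacker the foothold the article describes.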
If you are unsure whether your SAP applications are at risk as a result of this ongoing cyberattack, make time to immediately identify your most critical and at-risk applications and evaluate your exposure. I noted while researching this article that Onapsis offers a free rapid risk assessment that will include a report that will be shared with you. In fact, even if you think your SAP applications are updated and that your organization is risk free, there is every reason to take advantage of this offer from Onapsis and make sure. You can access the Onapsis Free Rapid Assessment here.
Also, if you’d like more information on this ongoing threat, tune in to a live Q&A session featuring Richard Puckett, SAP’s CISO, and Mariano Nunez, Onapsis’s CEO, who will discuss the situation in real time and talk about what you can do right now to protect your organization from these active cyberattacks on mission-critical SAP applications. Again, it’s kind of a no-brainer to make time for this. You’ll find a link to register for this Q&A session here.
With that, I’ll advise you to go forth and be safe, and assume nothing until you’re certain. And while we’re on the topic of cybersecurity, take a look at our recently published deep dive into Confidential Computing. While still in its nascent stages, it is something you’re going to be hearing more about, and if you’re a CISO or senior leader it is definitely something you want to be aware of and exploring as it relates to cybersecurity and technology solutions for your organization. You’ll find that report here: The Rise of Confidential Computing — Trust: The New Battlefield in the Age of Digital Transformation.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.