
Hackers Use a Distinctive Cyber Attack to Exploit Known SAP Security Vulnerabilities

by CISOCONNECT Bureau

Threat actors are deliberately exploiting established SAP security vulnerabilities to steal information and compromise mission-critical SAP applications, according to a joint study by SAP and Onapsis.

Threat actors may use flaws in unsecured SAP applications exposed to the Internet to commit financial fraud, deploy ransomware, or disrupt business operations, according to SAP and Onapsis researchers.

CISA had also issued a cyber-warning to companies using unpatched SAP business applications.

Threat actors take advantage of SAP security flaws to get around compliance controls and commit fraud
According to Onapsis, threat actors may use SAP security flaws to gain complete control of SAP business applications and commit financial fraud. The report says: “Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations.”

According to the joint study, the threat actors regularly targeted Supply Chain Management (SCM), customer relationship management (CRM), enterprise resource planning (ERP), human capital management (HCM), and product lifecycle management (PLM) solutions. Unpatched SAP systems with known security vulnerabilities were at risk of being exploited by advanced threat actors.

Weaponization of SAP
According to Onapsis, out of 1,500 cyber attacks recorded between mid-2020 and March 2021, over 300 exploits were successful. The first cyber attack was observed within 72 hours of SAP releasing updates.

In addition, unpatched SAP applications deployed to cloud environments were discovered and exploited in less than 3 hours. A targeted cyber attack could compromise an account in 90 minutes.

To compromise SAP applications affected by known security vulnerabilities, the threat actors brute-forced high-privilege applications and chained multiple vulnerabilities.

To gain initial access, install web shells, and escalate privileges for remote code execution, sophisticated attackers used a variety of Techniques, Tools, and Procedures (TTPs). TOR nodes and virtual private servers were used to deliver a standard cyber attack across several regions.

Onapsis claims it was able to track malicious activity targeting critical vulnerability CVE-2020-6207 before October 19, 2020, suggesting that threat actors were aware of the SAP security flaw before it was publicly disclosed and proof-of-concept code was released.

After releasing a patch for CVE-2020-6287 on July 14, 2020, SAP observed mass scanning activity on July 16, 2020, and fully functional exploit code on July 17, 2020.

SAP’s crucial security flaws are being exploited by advanced cybercriminals
CVE-2020-6287, also known as Remotely Exploitable Code On NetWeaver (RECON), lies in the LM Configuration Wizard component. It has a CVSS score of 10.0 and allows an unauthenticated attacker to gain privileged access to vulnerable SAP systems.

Data may be corrupted, Personally Identifiable Information (PII) stolen, financial records manipulated, and application logs and traces deleted or modified, placing business operations and regulatory compliance at risk.

In one cyber attack observed in the wild, SAP security vulnerability CVE-2020-6287 was used to create an SAP administrative user account and password, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for database and admin account access.

Mariano Nunez, CEO of Onapsis, stated that organisations that have not implemented various mitigations should consider themselves compromised and begin mitigation efforts.

Nunez lamented: “Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.”
