SAP and Onapsis have collaborated on a cyber threat intelligence study that details how malicious threat actors approach and potentially manipulate unprotected mission-critical SAP applications.
The companies collaborated closely with the Cybersecurity and Infrastructure Protection Agency (CISA) of the US Department of Homeland Security (DHS) and the Federal Cybersecurity Authority (BSI) of Germany, recommending that organisations apply long-available SAP patches and stable configurations, and conduct compromise assessments on sensitive environments.
According to SAP and Onapsis, no customer breaches specifically related to this study have been reported. The study lists no new vulnerabilities in SAP software-as-a-service cloud offerings or in SAP’s own corporate IT infrastructure. Both organisations point out, however, that many organisations have yet to implement relevant SAP mitigations that have been available for some time. Customers who fail to take these precautions and continue to run unprotected SAP applications put themselves and their businesses at risk.
The cyber threat information gathered by Onapsis and SAP reveals active threat activity aimed at compromising organisations that run unprotected SAP applications, using a variety of cyberattack vectors. The exploitation techniques uncovered would give attackers complete control of unsecured SAP systems, bypassing common security and enforcement controls and allowing them to steal confidential data, commit financial fraud, or disrupt mission-critical business processes by installing ransomware or shutting down operations. Organisations that have not adequately protected their environments could also face regulatory compliance issues as a result of these cyber threats.
Commenting on the development, Tim McKnight, Chief Security Officer, SAP, said: “This proactive research effort is the latest example of our commitment to ensure our global customers remain protected.”
He added: “We’re releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected. This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise.”
Customers’ SAP product implementations within their own data centres, managed colocation environments, or customer-managed cloud infrastructures are all affected by these particular vulnerabilities. None of the flaws have been found in SAP’s cloud solutions.
Mariano Nunez, CEO and cofounder of Onapsis, said: “As an SAP partner for cybersecurity and compliance, we have observed firsthand the outstanding improvements SAP has made in recent years to develop more secure software, patch critical vulnerabilities faster and overall proactively ensure SAP customers are secure.”
He added: “The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years. Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes. Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”