A joint report by SAP and Onapsis warns that cyber attackers are actively exploiting known SAP security vulnerabilities to steal information and compromise mission-critical SAP applications.
SAP and Onapsis researchers warned that threat actors could leverage faults in unsecured SAP applications exposed to the Internet to commit financial fraud, deploy ransomware, or disrupt business operations.
CISA had also warned organizations running unpatched SAP business applications of potential cyber attacks.
Hackers exploit SAP security vulnerabilities to bypass compliance controls and commit fraud
Onapsis said attackers could exploit SAP security vulnerabilities to take full control of SAP business applications and commit financial fraud.
“Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” the report says.
According to the joint report, criminals frequently targeted supply chain management (SCM), customer relationship management (CRM), enterprise resource planning (ERP), human capital management (HCM), and product lifecycle management (PLM) solutions. However, other unpatched SAP systems affected by known security vulnerabilities were also at risk of exploitation by advanced threat actors.
Weaponization of SAP critical vulnerabilities rampant while a cyber attack succeeds in record time
Onapsis says that more than 300 of the roughly 1,500 cyber attacks it recorded between mid-2020 and March 2021 were successful exploitations. The earliest cyber attack was recorded within 72 hours after SAP released patches.
Additionally, unpatched SAP applications deployed to cloud environments were discovered and exploited in less than three hours. Similarly, a targeted cyber attack could compromise an account within 90 minutes.
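The windows quoted above (first exploitation within 72 hours of a patch, cloud-exposed systems hit in under three hours) are useful as triage thresholds for a patch-lag review. The following Python script is an example added to this article, not code from Onapsis or SAP; the system inventory is constructed, and the threshold table, deployment types and function names are assumptions made for the illustration.

```python
"""Patch-lag triage for an SAP estate, using the time-to-exploit windows from
the Onapsis/SAP report as thresholds. Example code added to this article;
the inventory is constructed and the helper names are assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows quoted in the report, used here as triage thresholds. Assumption: a
# system still unpatched past its window is treated as presumed targeted.
EXPLOIT_WINDOW = {"cloud": timedelta(hours=3), "on-prem": timedelta(hours=72)}

# Constructed inventory: (system id, deployment type, patch-applied time or None).
SAMPLE_INVENTORY = [
    ("PRD-ERP", "on-prem", "2020-07-15T12:00:00"),
    ("CLD-CRM", "cloud", "2020-07-14T05:00:00"),
    ("DEV-SCM", "on-prem", None),
    ("CLD-HCM", "cloud", "2020-07-14T02:00:00"),
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp as UTC; None means 'not yet patched'."""
    if value is None:
        return None
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(systems, patch_released: str, now: str):
    """Return one row per system with its exposure window and a verdict.

    'presumed-compromised': still unpatched and past the observed time-to-exploit.
    'review': patched, but only after the window closed, so the gap needs a
              log review for the activity described in the report.
    'ok': patched inside the window.
    """
    released = parse_ts(patch_released)
    current = parse_ts(now)
    rows = []
    for sid, kind, patched_at in systems:
        patched = parse_ts(patched_at)
        exposure = (patched if patched is not None else current) - released
        window = EXPLOIT_WINDOW[kind]
        if patched is None and exposure > window:
            verdict = "presumed-compromised"
        elif exposure > window:
            verdict = "review"
        else:
            verdict = "ok"
        rows.append({
            "system": sid,
            "type": kind,
            "exposure_hours": round(exposure.total_seconds() / 3600, 1),
            "verdict": verdict,
        })
    # Worst first: unpatched systems, then the longest-exposed within each verdict.
    order = {"presumed-compromised": 0, "review": 1, "ok": 2}
    rows.sort(key=lambda r: (order[r["verdict"]], -r["exposure_hours"]))
    return rows


def triage_sample():
    """Run the triage over the constructed inventory for the July 2020 patch."""
    return triage(SAMPLE_INVENTORY, "2020-07-14T00:00:00", "2020-07-20T00:00:00")


if __name__ == "__main__":
    for row in triage_sample():
        print(row)
```

The 'review' verdict matters as much as the unpatched case: a cloud system patched five hours after release was outside the report's three-hour window, so its logs for that gap deserve the same scrutiny as an unpatched host.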
Attackers also brute-forced high-privilege applications and chained several vulnerabilities to compromise SAP applications plagued by known security vulnerabilities.
Sophisticated attackers used various tactics, techniques, and procedures (TTPs) to gain initial access, install web shells, and escalate privileges for remote code execution. A typical cyber attack was delivered through multiple TOR nodes and virtual private servers distributed across various regions.
Onapsis says it could trace malicious activity targeting the critical vulnerability CVE-2020-6207 to before October 19, 2020, indicating that threat actors knew of the SAP security vulnerability before public disclosure and the release of proof-of-concept (PoC) code.
In one instance, SAP observed mass scanning activity on July 16, 2020, and fully functional exploit code on July 17, after releasing the CVE-2020-6287 patch on July 14.
SAP critical security vulnerabilities targeted by sophisticated threat actors
CVE-2020-6287, also known as Remotely Exploitable Code On NetWeaver (RECON), exists in the LM Configuration Wizard component. It has a CVSS score of 10.0 and gives an unauthenticated attacker privileged access to vulnerable SAP systems. An attacker could corrupt data, steal personally identifiable information (PII), manipulate financial records, and delete or modify application logs and traces, putting business operations and regulatory compliance at risk.
One cyber attack observed in the wild chained SAP security vulnerability CVE-2020-6287 to create an SAP admin user account and log in, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for database and admin account access.
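The chain above leaves a recognisable trail in authentication and user-administration logs: a privileged user appears, that user logs on shortly afterwards, and database access follows. The following Python detection logic is an example added to this article, not Onapsis or SAP code; the log lines are constructed in a simplified JSON shape, and the field names, role names, guest-principal names and the 30-minute correlation window are assumptions (real SAP Security Audit Log or NetWeaver Java logs use different formats).

```python
"""Correlate privileged-user creation with a follow-on logon and database
access, the sequence described for the CVE-2020-6287 attack chain. Example
added to this article; log lines are constructed and field names, role names
and the correlation window are assumptions."""
import json
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(minutes=30)                       # assumption
PRIVILEGED_ROLES = {"SAP_ALL", "SAP_NEW", "Administrator"}  # assumption
UNAUTHENTICATED_PRINCIPALS = {"J2EE_GUEST", "ANONYMOUS"}    # assumption

# Constructed events. The first three are the suspicious sequence; the last
# two are a routine, non-privileged account creation that must not alert.
SAMPLE_LOG = """
{"ts": "2020-07-16T01:02:03", "event": "USER_CREATE", "user": "sapsupport2", "roles": ["Administrator"], "created_by": "J2EE_GUEST", "src_ip": "198.51.100.7"}
{"ts": "2020-07-16T01:03:10", "event": "LOGON", "user": "sapsupport2", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2020-07-16T01:09:44", "event": "DB_ACCESS", "user": "sapsupport2", "src_ip": "198.51.100.7", "table": "USR02"}
{"ts": "2020-07-16T09:00:00", "event": "USER_CREATE", "user": "hr_batch_02", "roles": ["Z_HR_READ"], "created_by": "ADMIN_KB", "src_ip": "10.0.4.21"}
{"ts": "2020-07-16T09:05:00", "event": "LOGON", "user": "hr_batch_02", "src_ip": "10.0.4.40", "result": "success"}
"""


def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_privileged_user_chains(events):
    """Alert on a privileged USER_CREATE followed by a successful LOGON of that
    user within CHAIN_WINDOW. Extra indicators raise severity: creation by an
    unauthenticated principal, logon from the creating IP, database access."""
    alerts = []
    for created in events:
        if created["event"] != "USER_CREATE":
            continue
        if not set(created.get("roles", [])) & PRIVILEGED_ROLES:
            continue
        deadline = created["ts"] + CHAIN_WINDOW
        followups = [f for f in events
                     if f.get("user") == created["user"] and created["ts"] < f["ts"] <= deadline]
        logons = [f for f in followups if f["event"] == "LOGON" and f.get("result") == "success"]
        db_access = [f for f in followups if f["event"] == "DB_ACCESS"]
        if not logons:
            continue
        indicators = []
        if created.get("created_by") in UNAUTHENTICATED_PRINCIPALS:
            indicators.append("created-by-unauthenticated-principal")
        if any(l.get("src_ip") == created.get("src_ip") for l in logons):
            indicators.append("logon-from-creating-ip")
        if db_access:
            indicators.append("database-access-after-logon")
        alerts.append({
            "user": created["user"],
            "src_ip": created.get("src_ip"),
            "created_at": created["ts"].isoformat(),
            "indicators": indicators,
            "severity": "critical" if len(indicators) >= 2 else "high",
        })
    return alerts


def analyse_sample():
    """Run the correlation over the constructed log."""
    return find_privileged_user_chains(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in analyse_sample():
        print(json.dumps(alert))
```

The base rule (privileged account created, then used within minutes) is deliberately broad, because the report notes that attackers delete or modify application logs; a detection that needs every step of the chain to be present would miss a partially cleaned trail, whereas this one still fires on the first two events.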
Onapsis CEO Mariano Nunez said that organizations that had not applied the various mitigations should consider themselves already compromised and proceed with mitigation efforts.
“Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes,” Nunez lamented.