SAP applications are getting compromised by skilled attackers

Newly provisioned, unprotected SAP applications in cloud environments are getting discovered and compromised in mere hours, Onapsis researchers have found, and vulnerabilities affecting them are being weaponized in less than 72 hours after SAP releases security patches.

SAP applications compromised

Internet-exposed systems are more likely to be exploited and compromised, but there are also threats out there that are equipped to compromise SAP systems from the inside, they noted. The attackers can then move to steal or modify data and disrupt critical business operations.

SAP applications critical to businesses

SAP applications power mission-critical operations at more than 400,000 organizations globally – organizations in essential industries such as food distribution, medical device manufacturing, pharmaceuticals, critical infrastructure, government and defense, and so on.

SAP applications support critical operations/processes such as enterprise resource planning, supply chain and product lifecycle management, human capital and customer relationship management, and others, and contain a treasure trove of sensitive (customer, employee, supplier and company) data.

If that data is accesses or changed by unauthorized persons, the companies risk not only losing that data, but also falling afoul of various data privacy, financial reporting and industry-specific regulation.

SAP applications compromised via known vulnerabilities

Since mid-2020, Onapsis researchers have recorded more than thousands of exploitation events and 300 successful exploit attempts on unprotected SAP instances. Some attacks were automated and some involved attackers sitting at their keyboards, but most aimed to exploit known issues and weaknesses.

These include six vulnerabilities (CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, CVE-2010-5326) and a security weakness: unsecured configuration settings used by attackers to attempt to brute-force the passwords of high-privilege user accounts (SAP, SAPCPIC, TMSADM, CTB_ADMIN) that are usually installed on an SAP environment during deployment and configuration.

The vulnerabilities – some dating back to 2011 and some discovered only last lear – have all been patched by SAP, and the company provides instruction on how to change the default passwords of high-privilege user accounts, but according to Onapsis, there’s still a high number of organizations running SAP applications configured with high-privilege users with default and/or weak passwords.

The attackers’ tactics, techniques and procedures

The attackers:

  • Perform reconnaissance by scanning for SAP-specific ports and SAP vulnerabilities (using scripts and tools derived from publicly available information)
  • Achieve initial access by exploiting the aforementioned vulnerabilities on public-facing apps
  • Achieve persistence by dropping web shells
  • Concatenate several of the aforementioned vulnerabilities to escalate their privileges on the underlying OS
  • Use vulnerabilities for creating high-privilege accounts at the application level or brute-forcing for discovering credentials that allow high-privilege access
  • Explore the accessed applications

Once they successfully compromise a SAP application, threat actors have also been spotted applying documented mitigations to prevent further exploitation of the same vulnerabilities by other attackers.

Some vulnerabilities are used by attackers to move laterally and compromise additional systems additionally to the initially exploited system. Though, as the researchers noted, “with remote access to SAP systems and mission-critical applications, the need for lateral movement is nearly eliminated, enabling attackers to reach and exfiltrate business-critical data more quickly.”

Speedy compromise

Attackers are quick to probe and attempt to compromise newly provisioned cloud-based SAP applications: it sometimes takes them three hours, but on average, under one week.

They are also quick to create and use functional exploits for newly patched vulnerabilities, often times succeeding in less than 72 hours since the release of patches.

But, while most of the observed threat activity is related to the use of publicly-available exploits released following SAP patches, Onapsis researchers says that some threat actors are using custom/private exploits not available in the public domain.

The company says that their analysis proves how critical it is to quickly apply relevant SAP security patches and secure configurations (or compensating controls if those can’t be applied in a timely manner), check SAP applications for misconfigured and unauthorized high-privilege users, and implement a specific mission-critical application protection program.

Those organizations that know they have been lax in applying patches should use available IoCs and tools to check for compromise.

“If an attacker is able to gain access to an unprotected SAP system by exploiting a vulnerable internet-facing application or executing an attack from inside the organization on insecure systems, the business impact could be critical,” they added.

“In many scenarios, the attacker would be able to access the vulnerable SAP system with maximum privileges, bypassing all access and authorization controls. This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.”

Don't miss