Getty Images

CISA: SAP Vulnerabilities Under Active Attack, Poses Data Theft Risk

A report from Onapsis and CISA details an active campaign targeting unsecured SAP applications to gain control over affected devices, posing a risk of data theft or business disruptions.

An active cyberattack campaign was spotted in the wild, targeting systems running unpatched or misconfigured SAP systems. Threat actors are exploiting these vulnerabilities to gain full control of the applications, according to a Department of Homeland Security Cybersecurity and Infrastructure Security alert.

SAP applications are used by entities to manage critical business processes, including enterprise resource planning, supply chain management, and product lifecycle management, among similar tasks. Healthcare entities commonly use SAP cloud and mobile apps.

CISA coordinated with security firm Onapsis and released a related report to shed light on the critical threat, including insights to defend against the attacks. According to the report, the apps are used by more than 400,000 entities -- with the vast majority in pharmaceutical and critical infrastructure sectors.

Threat actors are scanning for unsecured SAP applications to target, identify, and compromise those entities. The flaws include unsecured high-privilege SAP user accounts, along with previously reported flaws: CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, and CVE-2010-5326.

Successful exploits can give hackers complete control over the impacted device, which can allow for data theft, financial fraud, business interruptions, ransomware attacks, and even cease all business operations.

“Threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so,” researchers wrote.

“While SAP issues monthly patches and provides best practices for configuring systems, it is ultimately the responsibility of the customer or their service provider to apply mitigations in a timely manner and properly configure systems to keep critical business processes and data protected and in compliance,” they added.

The critical weaknesses targeted in this recent campaign were promptly patched by SAP, with some software updates available to entities for months and even years. In fact, CISA warned about one of the flaws in 2016

At that time, threat actors were targeting outdated or misconfigured SAP applications related to the Invoker Servlet, a built-in function of the SAP NetWeaver Application Server Java systems. The patch for the flaw was released by SAP eleven years ago, in 2010.

However, Onapsis and SAP continue to find that many entities have still not applied proper mitigations, “allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”

Specifically, the hackers behind the campaign have the domain expertise to carry out highly sophisticated attacks on mission-critical SAP applications. The attacks directly target sensitive data and critical processes.

The researchers observed more than 300 successful exploits against these vulnerabilities. During these attacks, the threat actors accessed the system to modify configurations and users, as well as to exfiltrate information tied to the organization.

Further, in some instances, the attacks began just 72 hours after a patch release. Meanwhile, newly unprotected SAP applications in cloud environments were found and attacked in less than three hours.

The attackers also made multiple brute-force attempts against high-privilege SAP user accounts, along with several attacks that chained multiple vulnerabilities against the applications.

Internet-exposed systems are more likely to be exploited in this campaign. But the researchers also observed threats tied to the compromise of SAP systems from inside the network, in previous attacks.

“Unpatched and misconfigured SAP systems present a deficiency in IT controls that would result in audit and compliance violations and penalties,” researchers explained. 

“With remote access to SAP systems and mission-critical applications, the need for lateral movement is nearly eliminated, enabling attackers to reach and exfiltrate business-critical data more quickly,” they added.

The threats highlight the need for enterprise administrators to maintain secure system configurations and monitor the applications for drift. These practices must be combined with patch management to keep systems secure.

Diligent and rapid patch management is a requirement, or other relevant mitigations for when timely patching is not an option, to prevent an exploit from this campaign. Administrators should also move to ensure mission-critical applications are securely provisioned from the moment they’re first connected to the enterprise network.

Healthcare entities should review the Onapsis guidance to find insights on the attack activity and details into the vulnerabilities, as well as detection and investigation steps. In light of recent, mass vulnerability exploits across all sectors, vulnerability management should be a key priority for these critical infrastructure organizations.

Next Steps

Dig Deeper on Cybersecurity strategies