Attackers are actively exploiting known security vulnerabilities in widely deployed, mission-critical SAP applications, allowing full takeover of the affected systems and a foothold from which to move further into an organisation.
Researchers are warning that active attacks on known vulnerabilities in SAP systems could give adversaries full control of unsecured SAP applications.
Adversaries are carrying out a range of attacks, according to an alert issued on Tuesday by SAP and security firm Onapsis, including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruption, and delivery of ransomware and other malware.
Critical Business Processes
SAP applications help organisations manage critical business processes, including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.
Between mid-2020 and the time of the alert, Onapsis researchers recorded more than 300 successful exploit attempts against unprotected SAP instances.
Who is at Risk?
The ongoing attacks could have far-reaching consequences, the warning noted:
“These are the applications that 92% of the Forbes Global 2000 have standardised on SAP to power their operations and fuel the global economy,” the alert noted. “With more than 400,000 organisations using SAP, 77% of the world’s transactional revenue touches an SAP system. These organisations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defence and many more.”
Government agencies should take particular notice of the spate of attacks, researchers commented.
“SAP systems are a prominent attack vector for bad actors,” Kevin Dunne, President at Pathlock, outlined.
“Most US Federal Agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premises, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.”
The technology sector is another hot target for attacks, according to Setu Kulkarni, VP of Strategy at White Hat Security.
“Our reporting has found that independent software vendors (ISVs) and technology companies have an inordinately high window of exposure,” he explained. “We are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.”
The attacks involve brute-forcing of high-privilege SAP user accounts as well as exploitation of a number of known bugs: CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326, according to the warning.
The adversaries are “advanced threat actors,” according to Onapsis, as evidenced by how quickly they have been able to develop exploits, among other things.
There is “conclusive evidence that cyber-attackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,” the alert reads. “The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponised in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than 3 hours.”
The issues are as follows:
- CVE-2020-6287 is a critical missing-authentication flaw in the LM Configuration Wizard of SAP NetWeaver Application Server Java; an unauthenticated attacker can use it to create an administrative user and take over the system;
- CVE-2020-6207 is another critical missing-authentication bug, in SAP Solution Manager, which can hand an attacker control of the SMD agents connected to it;
- CVE-2018-2380 is a medium-severity directory traversal flaw in SAP CRM: insufficient validation of user-supplied path information lets “traverse to parent directory” sequences reach the file APIs, which is how it is used for file (shell) upload;
- CVE-2016-9563 is also medium severity, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which let them interfere with XML processing;
- CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files via a “..\” sequence in a file-name parameter;
- And CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet of SAP NetWeaver AS Java. The servlet can be reached without authentication, allowing remote attackers to execute arbitrary code via a single HTTP or HTTPS request.
After initial access, Onapsis saw threat actors using the vulnerabilities to establish persistence, escalate privileges, evade detection and, ultimately, take complete control of SAP systems, including financial, human capital management and supply-chain applications.
“Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,” states the analysis.
For example, Onapsis said one actor scanned for vulnerable systems and created an admin user using an exploit utility for CVE-2020-6287. After creating the account and logging in, the attacker used exploits for CVE-2018-2380 to upload a shell in an attempt to reach the operating-system layer.
Exploits for CVE-2016-3976 were then executed to download a “credential store”, which holds logins for high-privileged accounts and the core database. Worryingly, the whole chain took less than 90 minutes, Onapsis said.
In some cases the attackers are patching the exploited vulnerabilities after gaining access to a victim’s environment, Onapsis said.
“This action illustrates the threat actors’ advanced domain knowledge of SAP applications, access to the manufacturer’s patches and their ability to reconfigure these systems,” according to the firm. “This technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.”
Who’s Behind This?
The activity is being mounted by multiple groups, who appear to be engaged in coordinated activity across vast swathes of infrastructure, according to the alert.
“Attacks triggering exploitation from different source systems than the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging widespread attack infrastructure,” it reads.
“While this behaviour is common when analysing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.”
The activity is originating worldwide, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, the US, Vietnam & Yemen.
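Three of the behaviours reported in this section can be spotted in ordinary web-server access logs: directory traversal probes (the CVE-2016-3976 and CVE-2018-2380 style of request), a burst of failed logins against a high-privilege account, and the indicator quoted above, where exploitation traffic comes from one source and the later manual login from another. The script below is an added example of that detection logic and is not code from SAP, Onapsis or the alert. The log format, request paths, addresses and account names in it are constructed for illustration, not real traffic, and the watch list of privileged accounts is an assumption the caller supplies.

```python
"""Triage of web-server access logs for the attack patterns described above:
traversal probes, brute-forcing of privileged accounts, and exploitation from
one source followed by a login from another.

Added example. Constructed, simplified log format (one request per line):
    <ISO timestamp> <src_ip> <method> <path> <status> <user-or-->
"""
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Constructed sample (not real traffic): a traversal probe from one host,
# a brute-force burst against a privileged account from a second host,
# then a later login to the same account from a third host.
SAMPLE_LOG = """\
2021-04-06T10:00:00 198.51.100.7 GET /download?fileName=..%5c..%5cSecStore.properties 200 -
2021-04-06T10:00:05 198.51.100.7 GET /download?fileName=%252e%252e/etc/passwd 404 -
2021-04-06T10:01:00 203.0.113.9 POST /login 401 SAP*
2021-04-06T10:01:02 203.0.113.9 POST /login 401 SAP*
2021-04-06T10:01:04 203.0.113.9 POST /login 401 SAP*
2021-04-06T10:01:06 203.0.113.9 POST /login 401 SAP*
2021-04-06T10:01:08 203.0.113.9 POST /login 401 SAP*
2021-04-06T10:01:10 203.0.113.9 POST /login 200 SAP*
2021-04-06T10:30:00 192.0.2.44 POST /login 200 SAP*
2021-04-06T11:00:00 10.0.0.5 POST /login 200 jsmith
"""

_TRAVERSAL = ("../", "..\\")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "path": path, "status": int(status),
                       "user": None if user == "-" else user})
    return events


def has_traversal(path, max_decode=3):
    """True if the path/query contains a parent-directory sequence in any of
    up to `max_decode` layers of percent-encoding; attackers double-encode
    '..' to slip past filters that decode only once."""
    candidate = path
    for _ in range(max_decode + 1):
        if any(t in candidate for t in _TRAVERSAL):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (src, user) pairs with at least `threshold` failed logins
    (HTTP 401) inside a sliding window; returns (src, user, first, last)."""
    windows = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != 401 or not ev["user"]:
            continue
        key = (ev["src"], ev["user"])
        q = windows[key]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = (q[0], q[-1])
    return [(src, user, first, last)
            for (src, user), (first, last) in flagged.items()]


def find_split_infrastructure(events, watch_users):
    """The alert's indicator: exploitation-style traffic from one source,
    followed by a successful login to a watched (privileged) account from a
    different source; returns (probe_src, login_src, user, login_ts)."""
    probe_sources = {}  # src -> timestamp of its first traversal request
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if has_traversal(ev["path"]):
            probe_sources.setdefault(ev["src"], ev["ts"])
        elif (ev["status"] == 200 and ev["user"] in watch_users
              and ev["path"].startswith("/login")):
            for probe_src, probe_ts in probe_sources.items():
                if probe_src != ev["src"] and probe_ts < ev["ts"]:
                    findings.append((probe_src, ev["src"], ev["user"], ev["ts"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        if has_traversal(ev["path"]):
            print("traversal probe:", ev["src"], ev["path"])
    for f in find_bruteforce(evs):
        print("brute force:", f)
    # Assumed watch list: the landscape's high-privilege accounts
    # (SAP* and DDIC are well-known default administrative users).
    for f in find_split_infrastructure(evs, {"SAP*", "DDIC"}):
        print("exploit/login source split:", f)
```

On the sample, the traversal check fires on both probe lines (the second only after two rounds of decoding), the brute-force rule flags 203.0.113.9 against SAP* after the fifth 401 in eight seconds, and the split-infrastructure rule pairs the probing host with each later privileged login from a different address. In production the same logic would run over the ICM/web dispatcher logs and the watch list would be the landscape's actual administrative accounts; the decoding loop matters because a filter that decodes once sees `%2e%2e/` as harmless.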
How to Prevent an Attack?
The best defence against these attacks is to apply the vendor patches. Accounts on internet-facing systems should also have strong, unique passwords, with lockout policies, so that automated brute-force attempts fail; and any system that does not need to be reachable from the public internet should be taken off it.
“All observed exploited critical weaknesses have been promptly patched by SAP and have been available to customers for months and years in some cases,” the alert noted. “Unfortunately, both SAP and Onapsis continue to observe many organisations that have still not applied the proper mitigations…allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”
Although applying security patches in a timely way is critical to reducing the risk from major, known vulnerabilities, Pathlock’s Dunne pointed out that patching can only remedy issues that have been identified. With attackers patching the bugs behind them, organisations also need a way to detect malicious activity inside the system.
“For a comprehensive, forward looking approach to SAP security, organisations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data,” he outlined.
“This way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified & their damage can be mitigated in real-time.”