Multiple Threat Groups Exploit Vulnerabilities in Mission Critical SAP Systems

Researchers at security company Onapsis have observed cybercriminals exploiting several vulnerabilities in mission-critical SAP systems. As of mid-2020, more than 300 detected attacks exploited at least one of six unpatched vulnerabilities.

Cybercriminals are heavily targeting vulnerabilities in SAP systems because SAP systems are so widely used. SAP states that 92% of the Forbes Global 2000, including nearly all pharmaceutical companies, critical infrastructure and utility corporations, food suppliers, defense companies and others, use SAP for their operations. More than 400,000 companies use SAP worldwide, and 77% of the world’s transactional revenue passes through an SAP system.

Onapsis reports that critical SAP vulnerabilities are typically weaponized within 72 hours of a patch being released. Unsecured SAP applications in cloud environments are frequently discovered and compromised in under 3 hours. Despite the risk of exploitation, many companies do not apply patches promptly. One of the exploited vulnerabilities is 11 years old; the others were patched promptly by SAP, and the patches had been available for months.

The seriousness of the vulnerabilities and the number of threat groups targeting them prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory to all SAP customers about the risk of attack, following the coordinated publication of a report by Onapsis and SAP.

Attackers can exploit the six vulnerabilities, which range from medium to critical severity, individually or in combination to gain access to systems and exfiltrate sensitive data, commit financial fraud, disrupt mission-critical systems, install malware and ransomware, and seize complete control of insecure SAP systems. Chaining the vulnerabilities together could give attackers OS-level access, which can allow the attack to extend beyond the vulnerable SAP systems. Onapsis researchers observed one attack in which an attacker combined three of the vulnerabilities and, in just 90 minutes, obtained login credentials for high-privileged accounts and the central database, resulting in a total system compromise.

Here are the six SAP vulnerabilities:

  • CVE-2020-6207 – Authentication bypass in SAP Solution Manager – Permits complete takeover of insecure SAP systems.
  • CVE-2020-6287 – Authentication bypass in SAP NetWeaver Application Server Java – Permits complete takeover of insecure SAP systems.
  • CVE-2018-2380 – Insufficient path validation in SAP CRM – Permits database access and lateral movement between systems.
  • CVE-2016-3976 – Directory traversal flaw in SAP NetWeaver AS Java – Permits access to arbitrary files.
  • CVE-2016-9563 – XML External Entity (XXE) vulnerability in SAP NetWeaver AS Java – Permits denial-of-service attacks and theft of sensitive data.
  • CVE-2010-5326 – Vulnerability in the Invoker Servlet on SAP NetWeaver AS Java – Permits arbitrary code execution through HTTP/HTTPS requests.

Multiple threat actors are conducting the attacks from a variety of countries, including Hong Kong, Japan, India, the Netherlands, South Korea, Singapore, Sweden, the United States, Taiwan, Yemen and Vietnam. The attackers appear to have sophisticated domain knowledge of SAP systems, access to patches, and the ability to modify systems. In some cases, the attackers exploited the vulnerabilities, installed backdoors for persistence, and then patched the vulnerabilities themselves.

According to Onapsis, SAP promptly fixed all of the critical vulnerabilities observed being exploited. However, SAP and Onapsis still see many companies that have not applied the appropriate mitigations, leaving insecure SAP systems in operation that, in most cases, remain exposed to attackers on the internet.

Patches should be applied immediately to prevent exploitation of these vulnerabilities. After updating to a secure SAP version, a compromise assessment should be performed to determine whether systems were already compromised. When SAP releases future patches and software updates, they should be applied within 72 hours. Where that is not feasible, mitigations should be applied to reduce the likelihood of exploitation. More information is available in the Onapsis report.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector.