A general view of the headquarters of SAP AG in Walldorf, Germany. (Photo by Thomas Lohnes/Getty Images)
Multiple hackers are actively targeting SAP installations that have not updated in nearly a year or use poor account management. The warning, which came from the Department of Homeland Security, SAP and Onapsis, is based on research documenting activity in the wild.
We want to really send a strong message to our customers around better managing the security of their systems, where they have not,” said Tim McKnight, SAP chief security officer, in a briefing for reporters. “These are patched systems, these are things that have already been fixed. But we’re concerned about customers that have not applied the fixes for months or years to date.”
The vulnerabilities noted in the research, which came from Onapsis, were patched or otherwise flagged by SAP in the past. However, they are still very much a part of hackers’ arsenal. The Onapsis study ran from mid-2020 until this month, with visibility on a limited number of SAP installations and observed around 300 attempts to breach systems.
SAP is among the most popular software providers in the world. By the company’s count, 92% of the Forbes Global 2000 use SAP, 91% of utilities in the Global 2000, 82% of total medical devices, 78% of global food distribution and 44 militaries. Even though Onapsis and SAP do not believe failure to patch or mitigate known problems is widespread, the company’s base is so large – 400,000 clients – that even a small percentage of unsecured systems could create large problems.
“An important point is that we’re not talking about a vulnerability or a misconfiguration being exploited,” said Onapsis CEO Mariano Nunez at the briefing, emphasizing the “a” each time. “We’re talking about seven different threat vectors that we see being used by malicious parties in going specifically after SAP applications.”
“We’re not talking about kind of a lone wolf that was going after SAP unprotected SAP systems, we’re not talking about a public exploit that was leveraged in mass exploitation, we’re talking about threat actors with great capability in terms of SAP mission-critical application attacks,” he added.
Onapsis sees two main types of activity being widely attempted: chains of or individual patched vulnerabilities and misconfigurations. The misconfigurations include brute force attacks on unchanged default account names to gain application-level access. SAP warned users to change those account names in 2018. Hackers also used CVE-2020-6287 and CVE-2016-3976 to obtain the same degree of access. From there, hackers could use CVE-2018-2380 or CVE-2016-9563 to provide operating-system-level access.
Two-thirds of the breach attempts to use CVE-2010-5326 to obtain operating system level access. And two different vulnerabilities provided access to lateral servers – CVE-2020-6207 and CVE-2016-3976.
One finding of the study is that network defense professionals may have less time to patch after the release of a patch than they think. Onapsis saw scanning for the most recently patched vulnerability, CVE-2020-6207, nearly three months before an exploit was released.
“We essentially saw SAP exploits being actively scanned within 72 hours, for example, after an SAP patch being available,” said Nunez.
Onapsis observed attackers patching systems after installing backdoors to create the illusion of systems immune to their specific attack.
Due to the nature of the targets selected for attack, Onapsis believes it was likely criminals and not nation states attempting breaches.
Onapsis and SAP jointly recommend that SAP customers assess all systems that were not promptly patched, look for unauthorized high-privilege users and assess applications in the SAP environment for risk.
“We do feel like it’s prudent to just notify customers again if they’ve left such a long window of time open with unpatched systems, which is a possibility. We want them to be aware of what could be the art of the possible in terms of potential exploit exploitation or compromise,” said SAP’s Chief Information Security Officer Richard Puckett.