Security Alert | SAP Vulnerabilities Under Active Attack
SAP and Onapsis security researchers have released a threat intelligence report detailing the active exploitation of critical SAP application vulnerabilities. Multiple “advanced threat actors” are carrying out a range of attacks with techniques that could lead to full control of unsecured applications. Affected organizations may experience:
- Theft of sensitive data
- Financial fraud
- Disruption of mission-critical business processes
- Ransomware
- Halted operations
Attackers have been observed attempting to chain vulnerabilities to escalate privileges and gain OS-level access, which expands the potential impact beyond SAP systems and applications. In some cases, attackers patch the exploited vulnerabilities after accessing a victim’s environment, a technique often used to deploy backdoors on seemingly patched systems in order to evade detection and maintain persistence.
Who Is at Risk?
The vulnerabilities being exploited are known, and patches have been available for months. However, many organizations have still not applied the relevant mitigations, allowing unprotected SAP systems to remain visible to attackers via the internet.
Any SAP customer that has not yet addressed these vulnerabilities is at risk and—as the report points out—the consequences could be far-reaching:
“These are the applications that 92% of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy. With more than 400,000 organizations using SAP, 77% of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.”
What You Can Do
- Conduct a thorough review of your SAP landscape and apply the relevant security patches.
- Download the Threat Intelligence Report for details of the vulnerabilities/CVEs, the specific tactics, techniques and procedures (TTPs) threat groups are using, and detailed mitigation information.
- Perform a compromise assessment and forensic investigation of at-risk environments.
- Attend a live Q&A session on April 8 or April 12 with SAP CISO Richard Puckett.
- Contact us. We can help you evaluate your environment, detect malicious activity, and remediate any weaknesses that could result in compromise.