Don’t be a sap, says SAP, actually patch these vulnerabilities

By Robert Scammell

SAP is urging organisations to implement security patches across its suite of enterprise software to protect against vulnerabilities that are being actively exploited by cybercriminals. The warning comes as businesses across multiple industries risk falling victim to hack attacks because of their unpatched solutions.

The German multinational software company released a joint report with security firm Onapsis on Tuesday warning that SAP enterprise resource planning, supply chain systems and customer relationship management software are being targeted.

The SAP fixes have been available for months and in some cases years, but the two companies say many organisations are yet to install critical security fixes.

Between June 2020 and March 2021 Onapsis researchers tracked 1,500 attempted attacks that exploited SAP vulnerabilities. At least 300 of these were successful. The attacks are being launched by multiple groups around the world, the researchers noted.

Some of the security vulnerabilities give malicious hackers full takeover of company systems. This could lead to data theft, fraud and business disruption. Unpatched systems are also at increased risk of malware infections, such as file-locking ransomware.

More than 400,000 businesses globally use SAP software, including 92% of Forbes Global 2000 companies. Its solutions are used across a range of industry verticals, which means unpatched vulnerabilities could be used to target companies ranging from logistics to fintech.

The potential risk triggered the US Cybersecurity and Infrastructure Security Agency to publish its own alert on Tuesday, recommending that organisations “apply necessary updates and mitigations”.

Onapsis said it had observed some cyberattackers patching vulnerabilities once they have gained access to a network and installed a backdoor, in order to evade detection.

There is evidence that some of the groups are coordinating their attacks, the security firm said.

“Attackers [are] triggering exploitation from different source systems from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging wide-spread attack infrastructure,” the report notes.

“While this behaviour is common when analysing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.”

The key takeaway for CIOs, CISOs and other security professionals is to ensure all the latest SAP patches are installed and to monitor for any malicious activity that may already be inside company networks.

“Despite patches being available for months and even years, attackers are still finding and exploiting unpatched SAP systems,” said Scott Caveza, research engineering manager at cybersecurity firm Tenable.

“This serves as a reminder to administrators of sensitive data and applications that applying patches, mitigations, or workarounds are paramount to thwarting malicious actors looking to exploit well known vulnerabilities.”