SAP Application Vulnerabilities Targeted by Hackers
SAP and Onapsis Strongly Advise Organizations to Take Immediate Action.
On April 6th, the Cybersecurity & Infrastructure Security Agency (CISA) and SAP released an alert warning that SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.
Threat actors are carrying out a series of attacks, including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and malware.
According to Onapsis’ threat report, SAP applications are widely deployed and used for mission-critical operations worldwide by organizations in essential industries such as food distribution, medical device manufacturing, pharmaceuticals, critical infrastructure, government and defense, and more.
SAP software is used at more than 400,000 organizations globally, helping with critical business processes management, including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM), and supply-chain management.
From mid-2020 until the publication of this report, Onapsis researchers recorded more than 300 successful exploit attempts against unprotected SAP instances. This exploit activity targeted multiple known vulnerabilities (CVEs) as well as insecure configurations.
According to the alert, the attackers are brute-forcing high-privilege SAP user accounts and exploiting a set of known vulnerabilities for which SAP has long since published fixes:
- CVE-2020-6287 – a critical missing-authentication flaw in SAP NetWeaver Application Server Java that lets an unauthenticated remote attacker create an administrative user and take full control of the system;
- CVE-2020-6207 – another critical missing-authentication bug, this time in SAP Solution Manager;
- CVE-2018-2380 – a medium-severity path traversal flaw in SAP CRM caused by insufficient validation of user-supplied path information;
- CVE-2016-9563 – a medium-severity bug in SAP NetWeaver AS Java that lets remote authenticated users conduct XML External Entity (XXE) attacks and so interfere with the server's XML processing;
- CVE-2016-3976 – a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files;
- CVE-2010-5326 – a critical issue in the Invoker Servlet on SAP NetWeaver AS Java, patched in 2010 and therefore 11 years old at the time of the alert. It requires no authentication and allows remote attackers to execute arbitrary code via a single HTTP or HTTPS request.
Curiously, in some cases cyber attackers are patching the exploited vulnerabilities after they’ve gained access to a victim’s system, Onapsis said.
According to the alert, the campaign is the work of several groups that appear to be coordinating their activity across widespread attack infrastructure.
Attackers triggering exploitation from source systems different from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging widespread attack infrastructure. While this behavior is common when analyzing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use Tor nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.
The activity is originating from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam, and Yemen.
[Figure: Exploit chaining. Source: Onapsis.]
The best way to prevent these attacks is to apply the available SAP patches. In addition, every account, and especially high-privilege and default accounts, should have a strong, unique password so that automated brute-force attempts fail, and any SAP system that does not need to be reachable from the public internet should be removed from it.
However, while applying security patches promptly is crucial to closing the risk from major known vulnerabilities, patching only remedies issues that are already in plain sight. And because the attackers themselves patch the flaws they exploited, a fully patched system is no proof that it was never compromised. Experts therefore stress that organizations also need a way to detect malicious activity and to assess whether a compromise has already taken place.
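The alert describes two behaviours that are visible in authentication logs even after the attacker has patched the entry point: brute-forcing of high-privilege accounts, and exploitation launched from one source system followed by a manual login from a different one. The following added example, written for this article and not tooling from Onapsis, SAP or CISA, runs both detections over a handful of constructed log lines. The log format, the IP addresses and the "privileged account" list are assumptions made for the example; it is not the SAP Security Audit Log format, and a real deployment would parse that log instead.

```python
"""Correlation detections for the two attacker behaviours the alert describes.

Added example, not Onapsis/SAP/CISA code. The log format below is invented for
this example and is NOT the SAP Security Audit Log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format):
#   <ISO-8601 time> <event> user=<account> src=<source IP>
# IPs are from documentation ranges; the scenario is made up for the example.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z LOGIN_FAIL user=DDIC src=203.0.113.5
2021-03-01T10:00:02Z LOGIN_FAIL user=DDIC src=203.0.113.5
2021-03-01T10:00:03Z LOGIN_FAIL user=DDIC src=203.0.113.5
2021-03-01T10:00:04Z LOGIN_FAIL user=DDIC src=203.0.113.5
2021-03-01T10:00:05Z LOGIN_FAIL user=DDIC src=203.0.113.5
2021-03-01T10:00:06Z LOGIN_OK user=DDIC src=203.0.113.5
2021-03-01T10:30:00Z LOGIN_FAIL user=ALICE src=192.0.2.10
2021-03-01T10:31:00Z LOGIN_OK user=ALICE src=192.0.2.10
2021-03-01T11:00:00Z USER_CREATE user=SVC_BACKUP src=198.51.100.77
2021-03-01T11:20:00Z LOGIN_OK user=SVC_BACKUP src=203.0.113.5
"""

# Assumed list of high-privilege account names to watch (example values only).
PRIVILEGED = {"SAP*", "DDIC", "J2EE_ADMIN"}


def parse_line(line):
    """Parse one line of the hypothetical format into a dict."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                      only_privileged=True):
    """Flag (user, src) pairs with >= threshold LOGIN_FAIL events inside a
    sliding time window, and record whether a LOGIN_OK from the same source
    followed the burst (a likely successful password guess)."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in fails.items():
        if only_privileged and user not in PRIVILEGED:
            continue
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from left
                start += 1
            if end - start + 1 >= threshold:
                succeeded = any(
                    e["event"] == "LOGIN_OK" and e["user"] == user
                    and e["src"] == src and e["ts"] >= times[end]
                    for e in events
                )
                alerts.append({"user": user, "src": src,
                               "failures": end - start + 1,
                               "followed_by_success": succeeded})
                break   # one alert per (user, src) is enough
    return alerts


def detect_split_infrastructure(events):
    """Flag accounts created from one source (the suspected exploit stage) and
    later used for an interactive login from a different source, the pattern
    Onapsis attributes to attackers with distributed infrastructure."""
    created = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "USER_CREATE":
            created[e["user"]] = e
        elif e["event"] == "LOGIN_OK" and e["user"] in created:
            origin = created[e["user"]]
            if origin["src"] != e["src"]:
                alerts.append({"user": e["user"],
                               "created_from": origin["src"],
                               "login_from": e["src"],
                               "delay": e["ts"] - origin["ts"]})
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(evts) + detect_split_infrastructure(evts):
        print(a)
```

The brute-force rule deliberately restricts itself to the privileged list by default so that ordinary users mistyping a password do not trip it; the second rule needs no threshold at all, because a freshly created account logging in from a source other than the one that created it is suspicious on its own, whether or not the creation was an exploit.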