Urges infosec teams to rapidly patch SAP applications
SAP is warning CISOs that threat actors are hunting for unpatched versions of the company's enterprise resource and supply chain management platform.
In a threat intelligence report released on Tuesday, SAP and Onapsis, a partner selling security solutions for SAP and other platforms, said that patches addressing the exploited vulnerabilities have been available, in some cases for years. [*registration required]
The report said that, unfortunately, both SAP and Onapsis continue to observe multiple organizations that still have not implemented proper mitigation, allowing unsecured SAP systems to keep operating and, in many cases, to be visible to attackers via the Internet. "Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action."
The report describes how security teams can assess whether an application is at risk and take immediate action to protect the enterprise.
The report also includes these findings:
Onapsis researchers found evidence of more than 300 automated exploits, including seven SAP-specific attack vectors, and more than 100 hands-on-keyboard sessions from a wide range of threat actors.
Significant SAP vulnerabilities are being weaponized less than 72 hours after the patch release. New insecure SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours.
Exploitation can lead to full control over unsecured SAP applications, bypassing common security and compliance controls and enabling attackers to steal sensitive information, commit financial fraud, disrupt mission-critical business processes, deploy ransomware or stop operations. The threats may have significant regulatory compliance implications, including for SOX, GDPR, CCPA and others.
Six of the spotted issues are listed in the Common Vulnerabilities and Exposures (CVE) database. The seventh is a brute-force attempt at using a unique, insecure high-privilege SAP user account setting.
"These unsafe configuration settings that were used to try to enter business applications were those user accounts that are traditionally installed on the SAP environment during deployment and configuration," according to the report. "Despite organizations having developed and released extensive documentation (administration: user management and security) about this matter years ago, on how to change their permissions and default passwords, Onapsis continues to observe many organizations running SAP applications configured with high-privilege users with default and/or weak passwords."
The report urges infosec teams to ensure that the latest patches are installed on all SAP applications. A compromise assessment should be done immediately on applications that have not been patched. Priority should be given to SAP applications facing the Internet.
Teams should also promptly evaluate SAP applications for the existence of misconfigured and/or unauthorized high-privilege users and perform a compromise assessment on at-risk applications.
If an evaluated SAP application is exposed and mitigation cannot be implemented immediately, compensating controls should be deployed and actively monitored to detect any potential threat activity until such mitigation is implemented.
The report states that 92 percent of Fortune 2000 companies use SAP products, including 18 of the world's 20 major vaccine producers. Twenty-four percent of SAP's large enterprise sector customers are considered part of critical infrastructure, as defined by the U.S. Department of Homeland Security.