
Addressing Cyber Threats to SAP Applications: A Call for Immediate Action

On April 6th, 2021, SAP and Onapsis released a joint cyber threat intelligence report highlighting active and ongoing cyberattacks targeting mission-critical SAP applications. The report underscores the severity of these attacks, revealing that both state and non-state actors have been exploiting vulnerabilities in SAP systems within hours of patches being released. These attacks expose organizations to data breaches, operational disruptions, and compliance violations.

Key Findings from the Report

The report, titled Active Cyberattacks on Mission-Critical SAP Applications, details over 300 automated exploitations targeting seven specific SAP vulnerabilities. Attackers showed sophisticated domain knowledge and even applied patches themselves after compromising services, a sign of how advanced these attackers are.

Here are some of the key vulnerabilities identified in the report:

  • CVE-2020-6287: A critical authentication bypass in SAP NetWeaver Application Server Java, allowing for full account takeovers.
  • CVE-2020-6207: Another critical authentication bypass, this one in SAP Solution Manager.
  • CVE-2010-5326: An 11-year-old critical issue in SAP NetWeaver, which allows attackers to execute arbitrary code via HTTP or HTTPS requests.

Why This Matters for Organizations Using SAP Solutions

SAP is the backbone of mission-critical processes for businesses across the globe, including 92% of the Forbes Global 2000 companies. SAP is also integral to many public sector organizations, military, and defense institutions. With SAP facilitating 77% of global financial transactions, these cyberattacks threaten not only company operations but the global economy and sensitive data.

The attacks have already affected ERP systems, supply chain management, and customer relationship management, exposing organizations to data breaches, financial fraud, and compliance violations related to regulations like SOX, GDPR, and CCPA. Worse, unprotected SAP applications deployed in cloud environments (IaaS) were compromised within just three hours of being identified.

Steps for Mitigation

Organizations using SAP applications are urged to act swiftly:

  1. Apply All Relevant Patches: Vulnerabilities need to be patched immediately, and organizations must monitor systems for any suspicious activity.
  2. Strengthen System Configurations: Regular security reviews should be carried out to ensure all configurations are optimized to protect against exploitation.
  3. Develop a Proactive Defense Posture: Implementing advanced detection tools like Managed Extended Detection and Response (MXDR) solutions can help identify vulnerabilities, monitor attack surfaces, and automate responses to attacks.

By using MXDR solutions, organizations can gain real-time visibility into their networks and applications, significantly reducing the window of opportunity for threat actors. MXDR solutions integrate various threat detection capabilities, providing continuous monitoring and fast response to mitigate potential damage from such vulnerabilities.

Conclusion

The threats facing SAP systems are real and immediate. With malicious actors acting quickly and decisively to exploit vulnerabilities, organizations must stay proactive, applying patches as soon as they are released and employing advanced cybersecurity measures such as MXDR to ensure they are fully protected.

For more details, you can review the Onapsis Active Cyberattacks on Mission-Critical SAP Applications report and implement the necessary updates to safeguard your operations.