
Eighteen of the world’s 20 major vaccine producers run their production on SAP systems, from manufacturing through controlled distribution to administration and post-vaccine monitoring. Seventy-seven percent of the world’s transaction revenue touches an SAP system. More than 1,000 government and government-owned organizations around the world use SAP software.

They are among SAP’s more than 400,000 customers globally. Many don’t apply security patches.

The company, in partnership with security firm Onapsis, on Tuesday released a cyber threat intelligence report on how malicious threat actors are targeting and potentially exploiting unprotected, mission-critical SAP applications.


In a press conference detailing the report, Onapsis CEO Mariano Nunez said that the company confirmed over 300 exploitations, more than 107 hands-on attacks and seven tracked threat vectors in 18 countries, based on “direct observation of threat activity.” The data is not based on the exploitation of SAP customers’ environments, Nunez added.

He also noted that within 72 hours of SAP making a patch available, an exploit exists. When a company brings a new SAP application online, those new systems are being exploited in less than three hours, Nunez said.

“The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years,” Nunez said. “Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.”

The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP, the two companies said.

SAP and Onapsis stressed that they are not aware of known customer breaches related to this research. Both companies, however, noted that many organizations still have not applied relevant mitigations that have long been provided by SAP.

The intelligence captured by Onapsis and SAP highlights active threat activity that seeks to target and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors.

Nunez said Onapsis has observed exploitation techniques that could potentially lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations.

“We’re releasing this alert because it’s very, very likely real customer systems are seeing this activity and need to be properly secured,” said SAP CISO Richard Puckett.

Implications of successful threats

Successful exploitation could result in attackers stealing PII from employees, customers and suppliers; changing banking details; administering purchase processes; and disrupting critical business operations, among other issues, Nunez said.

An organization’s data, such as financial and HR information, “are the crown jewels of an organization” and a breach could cause compliance deficiencies, Puckett said.

“This proactive research effort is the latest example of our commitment to ensure our global customers remain protected,” said Tim McKnight, chief security officer of SAP. The research Onapsis has shared with SAP is aimed at helping customers ensure their mission-critical applications are protected, he said.

What to do

SAP and Onapsis are recommending that companies immediately apply relevant SAP security patches. “This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise,” McKnight said.

Further, companies should perform a compromise assessment and forensic investigation of at-risk environments, and a thorough review of the security configuration of their SAP landscapes, the two companies advised.

Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action, he stressed.