The US government is urging SAP owners to urgently patch and fix their application environments after a new report warned of mass exploitation.
The Cybersecurity and Infrastructure Security Agency (CISA) urged SAP businesses to prioritize reviewing the Onapsis report. It said affected customers could be exposed to data theft, financial fraud, ransomware and disruption of mission critical operations and processes.
Onapsis claimed to have discovered over 300 successful exploitation attempts in the course of its research alone, related to six known vulnerabilities and one critical configuration issue.
Although two of these bugs were from last year, one dated back to 2018, two were patched in 2016 and one was fixed all the way back in 2010.
The report also warned that attackers are quick to jump on newly discovered vulnerabilities, weaponizing exploits in less than 72 hours from the time patches are released and compromising new SAP apps in IaaS environments in under three hours.
“The evidence clearly shows that cyber criminals are actively targeting and exploiting unprotected SAP applications with automated and sophisticated attacks. This research also validates that the threat actors have both the means and expertise to identify and exploit unprotected SAP systems and are highly motivated to do so,” the report noted.
“Onapsis researchers found reconnaissance, initial access, persistence, privilege escalation, evasion and command and control of SAP systems, including financial, human capital management and supply chain applications.”
Beyond vulnerability exploits, the researchers also discovered brute-forcing of high-privilege SAP user accounts, and attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access, which could grant attackers access to wider corporate systems.
SAP is used by over 400,000 organizations worldwide, including 92% of the Forbes Global 2000, 18 of the world’s top 20 vaccine-makers, and over 1000 government, NATO and military entities.
"Despite patches being available for months and even years, attackers are still finding and exploiting unpatched SAP systems,” said Tenable research engineering manager, Scott Caveza.
“This serves as a reminder to administrators of sensitive data and applications that applying patches, mitigations, or workarounds are paramount to thwarting malicious actors looking to exploit well known vulnerabilities."