Share this article on:
Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities.
Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system.
Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others were patched promptly by SAP and the patches have been available for months.
The severity of the flaws and the extent to which they are being targeted by multiple threat groups has prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to all SAP users about the threat of attack, following the coordinated release of a report by Onapsis/SAP.
The six vulnerabilities are a mix of critical and medium-severity vulnerabilities that can be exploited on their own or chained together to access and exfiltrate sensitive information, conduct financial fraud, disrupt mission-critical systems, download malware and ransomware, and take full control of vulnerable SAP systems. Chaining the vulnerabilities could result in attackers gaining OS-level access, which could allow the expansion of the attack beyond vulnerable SAP systems. Onapsis researchers observed one attack where an attacker chained three of the vulnerabilities and within 90 minutes downloaded a credential store of logins for high-privileged accounts and the core database, resulting in a full system compromise.
The vulnerabilities are:
- CVE-2020-6287 – Authentication bypass issue in SAP NetWeaver Application Server Java – Allows full takeover of vulnerable SAP systems.
- CVE-2020-6207 – Authentication bypass issue in SAP Solution Manager – Allows full takeover of vulnerable SAP systems.
- CVE-2018-2380 – Insufficient validation of path information issue in SAP CRM – Allows database access and lateral network movement.
- CVE-2016-9563 – Flaw in SAP NetWeaver AS Java used for XML External Entity (XXE) – Allows DoS attacks and theft of sensitive information.
- CVE-2016-3976 – Directory traversal flaw in SAP NetWeaver AS Java – Allows reading of arbitrary files.
- CVE-2010-5326 – Vulnerability in the Invoker Servlet on SAP NetWeaver AS Java – Allows arbitrary code execution via HTTP/HTTPS requests.
The attacks are being conducted by multiple threat actors from a range of countries, including Hong Kong, India, Japan, Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen. The attackers appear to have advanced domain knowledge of SAP systems, access to patches, and the ability to reconfigure systems. In some cases, the attackers have exploited the vulnerabilities, installed backdoors for persistence, and then patched the vulnerabilities themselves.
“SAP promptly patched all of the critical vulnerabilities observed being exploited,” Explained Onapsis in the alert. “Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”
Patches should be applied immediately to prevent exploitation of the flaws. Once updated to a secure SAP version, a compromise assessment should be performed to determine if systems have already been compromised. When future patches and software updates are released by SAP, they should be applied within 72 hours. If that is not possible, mitigations should be implemented to reduce the risk of exploitation. Further information is available in the Onapsis report.