SAP and cloud security firm Onapsis warned of ongoing attacks against mission-critical cloud applications that have not been updated with the patches that fixed known vulnerabilities. The networks of a large number of commercial and government organizations are still exposed to these attacks.
Over 400,000 organizations worldwide, plus 92% of the Forbes Global 2000 list, use SAP’s apps for various tasks, such as enterprise resource planning, supply chain management, customer relationship management, and product lifecycle management.
Today, SAP and Onapsis issued an advisory warning about the ongoing attacks. The two companies, in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and the German cybersecurity agency BSI, conducted a survey among their customers about the use of unsecured apps.
“We’re releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected,” Tim McKnight, SAP Chief Security Officer, said.
SAP reminded organizations that, to stay protected, they need to apply the available patches, thoroughly review the security configurations in their SAP environments, and proactively check those environments for indicators of compromise (IOCs).
The survey showed that many organizations “are not aware of known customer breaches” resulting from exploitation of the known flaws and insecure configurations in unpatched SAP apps. These apps expose organizations to attack vectors that SAP patched a long time ago.
Since it started monitoring these campaigns, Onapsis has detected “300 successful exploitations through 1,500 attack attempts from nearly 20 countries between June 2020 and March 2021.”
The research showed that threat actors often chain several vulnerabilities in their attacks in order to “maximize impact and potential damage.”
Exploitation would let attackers take full control of the unsecured SAP applications, bypassing common security and compliance controls. Attackers could then commit financial fraud, steal sensitive data, or disrupt mission-critical operations by deploying ransomware on the organization’s networks, Onapsis explained.
CISA, too, issued an alert today warning that organizations that do not take these measures could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and an operational standstill.
Patching vulnerable SAP systems should be a priority for all defenders, since Onapsis also found that attackers start targeting critical SAP vulnerabilities in less than 72 hours, and that exposed, unpatched SAP apps get compromised in less than three hours.
“Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,” Onapsis CEO Mariano Nunez concluded in the advisory.