The report detailed more than 300 successful exploitations of critical vulnerabilities previously patched by SAP through 1,500 attack attempts between June 2020 and March 2021.
It also highlighted that the time window for defenders to act was significantly smaller than previously thought, “with examples of SAP vulnerabilities being weaponised in less than 72 hours” after the release of patches and “new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours”.
The report noted that 18 of the world’s 20 major vaccine producers run their production on SAP, 19 of 28 Nato countries run SAP, and 77% of the world’s transaction revenue touches an SAP system.
A spokesperson for Onapsis said this was the first time SAP had issued an official press release about cyber threats affecting its customers. Onapsis is a security and compliance monitoring software company as well as a security research firm.
The release said both companies had “worked in close partnership with the US Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s Federal Cybersecurity Authority (BSI), advising organisations to take immediate action to apply long-available SAP patches and secure configurations, and perform compromise assessments on critical environments”.
The two declared themselves “unaware of known customer breaches directly related to this research”. The report also did not describe any new vulnerabilities in SAP cloud software as a service or SAP’s own corporate IT infrastructure. Both companies, however, noted that many organisations still had not applied relevant mitigations that have long been provided by SAP.
Tim McKnight, SAP
“We’re releasing the research Onapsis has shared with SAP as part of our commitment to helping our customers ensure their mission-critical applications are protected,” said Tim McKnight, chief security officer at SAP. “This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise.”
Onapsis CEO and co-founder Mariano Nunez said the critical findings noted in its report described attacks on vulnerabilities for which patches and secure configuration guidelines had been available for months or even years.
“Unfortunately, too many organisations still operate with a major governance gap in terms of the cyber security and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes,” he said. “Companies that have not prioritised rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”
In the report’s foreword, Nunez said: “The evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to, enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others.”
Business applications have been known for some time to be the soft underbelly of many corporate organisations, beyond perimeter security. Nunez, in the foreword, also said: “Cloud and internet-exposed mission-critical applications that help foster new processes and business opportunities also increase the attack surface that cyber actors are now targeting.”
The release stated that none of the vulnerabilities were present in cloud solutions maintained by SAP.
The DHS CISA has also issued an alert about the potential targeting of critical SAP applications.