Researchers Find That SAP Admins Have Only 72 Hours to Secure Their Systems

  • Researchers collected observations from hundreds of exploit attempts against SAP and have alarming results to report.
  • Actors can develop fully-working exploits using published flaw details in as little as 72 hours.
  • SAP admins don’t have any margin to fool around, as their systems are considered top-value stuff for APTs.

The German software vendor SAP has worked together with infosec experts from Onapsis to figure out how SAP-specific attacks unfold, how long it takes actors to weaponize critical vulnerabilities published in security advisories, and what the entailed risks of being negligent are. Their findings are worrying enough to guarantee an alert by CISA (Cybersecurity & Infrastructure Security Agency), warning about the resulting risks of data exfiltration, financial fraud, disruption of mission-critical business processes, ransomware infections, and more.

According to the detailed Onapsis report, the most exploited vulnerabilities and misconfigurations in SAP products are the following:

  • Unsecured High-Privilege SAP User Accounts
  • CVE-2020-6287 (application-level access)
  • CVE-2020-6207 (cross-system compromise)
  • CVE-2018-2380 (privilege escalation from the application to the OS)
  • CVE-2016-9563 (privilege escalation from the application to the OS)
  • CVE-2016-3976 (application-level access), (cross-system compromise)
  • CVE-2010-5326 (direct OS-level access)
Source: Onapsis

By observing a large number (over 300) of automated exploitation leveraging the above, as well as over 100 manual sessions launched by a range of threat actors, Onapsis concludes that 72 hours would be the average time for the weaponization of published flaws. Thus, this is about time that admins patch their SAP solutions, as any minute after that has their systems popping up on malicious mass scanning results.

Source: Onapsis

Additionally, new unprotected SAP apps provision in cloud environments are being discovered and compromised in as little as three hours in the worst-case scenario. On average, scans will discover the systems in two days, and the exploitation will come in a week.

Considering that SAP software is used in over 400,000 organizations around the world and that 92% of them are in the Forbes Global 2000, these findings are both crucially important and at the same time somewhat expected. Targeting big military forces, defense and security organizations, pharma producers, global utility companies, and government agencies is something for top-level threat groups and APTs. These groups are skillful enough to develop exploits and weaponize published flaws quickly, and this is actually what they’re working on full-time.

To mitigate the associated risks, SAP and Onapsis recommend organizations to take the following actions:

  • Perform a compromise assessment on SAP applications that are still exposed to the vulnerabilities mentioned above.
  • Assess all SAP environment applications for risk and immediately apply the relevant SAP security patches and secure configurations.
  • Assess SAP applications for the existence of misconfigured and/or unauthorized high privilege users.
  • If applying patches or mitigations is impossible, resort to vigorous activity monitoring.



How to Watch Thursday Night Football Without Cable in 2021: Schedule, Time, TV Channel, Live Stream

The 2021 NFL season is kicking off, and the excitement is kicking in for American football fans all over the world. The...

HBO Leaves Prime Video as WarnerMedia Ends Deal With Amazon

Amazon and WarnerMedia end their collaboration that had HBO on Prime Video.Existing users will now have to use the HBO Max app...

How Phishing Actors Impersonated the U.S. Department of Transportation

A recent phishing campaign deployed some common but highly effective tricks to steal Microsoft account credentials.The actors impersonated the U.S. Department of...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari