Research highlights heightened threat actor interest in SAP systems, targeting poorly patched organizations.

Targeting of SAP vulnerabilities by threat actors is currently at its peak, as the number of SAP systems compromised in ransomware incidents has grown fivefold since 2021, according to joint research by Flashpoint and Onapsis.

Based on SAP threat intelligence from Onapsis Research Labs and the Flashpoint Threat Intelligence Platform, the research found that multiple unpatched, application-level SAP vulnerabilities are being exploited and used in ransomware campaigns.

“This research leverages the combined experience of Onapsis Research Labs on SAP threats, vulnerabilities, and threat intelligence, with the Flashpoint Threat Intelligence platform, intelligence, and vulnerability data,” said Juan Perez-Etchegoyen, CTO at Onapsis. “We kicked off this research at the end of last year because we were seeing indications of an increase in the threat activity in certain areas, targeting SAP applications, specifically during 2023.”

The research highlights that all the vulnerabilities found to be exploited have already been patched by their respective vendors, indicating that threat actors continue to target organizations with weak cybersecurity governance for SAP applications.

Exploits were financially motivated

Among the many attack types exploiting the SAP vulnerabilities, ransomware emerged as the most preferred, indicating a strong motivation for paydays.

“Threat actors have different motivations, but most of them are looking to profit out of their compromises,” said Paul Laudanski, director of security research at Onapsis. “They do that by exfiltrating sensitive data such as financial statements or performing financial fraud. Additionally, the ones involved in ransomware also profit out of asking for the ransom or even auctioning the exfiltrated data to the highest bidder, advertising it to competitors for example.”

Attackers succeed at this because the exfiltrated data is business-sensitive to its owners and, in some instances, the attack disrupts the operations of the affected business, which encourages ransom payment, according to Laudanski.

By analyzing ransomware data over the last three years and isolating incidents that directly involved the compromise of SAP-based data, the researchers concluded that the number of such attacks has grown by 400% since 2021. The leading ransomware groups involved in these attacks included Conti, Quantum, LockBit, Blackcat, HIVE, REvil, and Netwalker.

Additionally, a few of the attacks targeting SAP system data were also found to have been part of a state-sponsored campaign. “One of the examples of threat actors known to target SAP applications is APT10, known to be associated with Chinese state backing,” Perez-Etchegoyen added.

Heightened dark web chatter

According to the research, conversations about SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web from 2021 to 2023. The conversations primarily focused on how to exploit the vulnerabilities, guidance for executing exploitation against certain victims, and monetizing SAP compromises.

Additionally, the researchers found that the price of remote code execution (RCE) exploits for SAP applications increased by 400% from 2020 to 2023.

“We see the elevated interest in exploits to target SAP applications, as the site (exploit brokers) is offering a bounty of ‘up to $50,000’ for a remote code execution (RCE) affecting SAP NetWeaver-based systems,” the researchers said in the report. “Similarly, and more recently, Crowdfense released its updated price list on April 8th, 2024, highlighting SAP RCE exploits for up to $250,000.”

The high-severity (CVSS score above 9/10) vulnerabilities exploited to compromise SAP systems included CVE-2010-5326, CVE-2016-2386, CVE-2020-6207, CVE-2020-6287, CVE-2021-38163, CVE-2021-33690, CVE-2022-22536, CVE-2022-6287, and CVE-2022-6207.

To minimize the associated risks, the research recommends that organizations identify and secure the business-critical processes and data supported by SAP, mitigate all the vulnerabilities in the list above, ensure SOC visibility into SAP indicators of compromise (IoCs), and integrate the SAP landscape into vulnerability management, security monitoring and threat detection, the secure development lifecycle, and threat intelligence.

“We believe this research confirms the need for organizations to address cybersecurity around SAP applications, given the nature of the focus that threat actors are placing on targeting SAP applications through regular campaigns as well as in conjunction with ransomware,” Perez-Etchegoyen added.