Security News

SAP applications are getting compromised by skilled attackers
2021-04-07 14:04

Newly provisioned, unprotected SAP applications in cloud environments are getting discovered and compromised in mere hours, Onapsis researchers have found, and vulnerabilities affecting them are being weaponized less than 72 hours after SAP releases security patches. SAP applications compromised via known vulnerabilities.

Watch Out! Mission Critical SAP Applications Are Under Active Attack
2021-04-06 21:31

Cyber attackers are actively setting their sights on unsecured SAP applications in an attempt to steal information and sabotage critical processes, according to new research. "Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations," cybersecurity firm Onapsis and SAP said in a joint report published today.

SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers
2021-04-06 21:04

SAP and security analysts Onapsis say cyber-criminals are pretty quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems. In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications," and warned time was of the essence, reporting "SAP vulnerabilities being weaponized in less than 72 hours since the release of patches."

Threat Actors Quick to Target (Patched) SAP Vulnerabilities
2021-04-06 20:14

Threat actors are constantly targeting new vulnerabilities in SAP applications within days after the availability of security patches, according to a joint report issued by SAP and Onapsis. Used within more than 400,000 organizations for resource planning, management of product lifecycle, human capital, and supply chain, and for various other purposes, SAP's applications represent an attractive target for adversaries.

SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
2021-04-06 18:47

Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning. "With more than 400,000 organizations using SAP, 77 percent of the world's transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more."

SAP and Onapsis detail findings of potential exploits on unprotected SAP apps
2021-04-06 13:14

In a press conference detailing the report, Onapsis CEO Mariano Nunez said that the company confirmed over 300 exploitations, more than 107 hands-on attacks and seven tracked threat vectors in 18 countries, based on "direct observation of threat activity." The data is not based on the exploitation of SAP customers' environments, Nunez added. SAP and Onapsis stressed that they are not aware of known customer breaches related to this research.

Ongoing attacks are targeting unsecured mission-critical SAP apps
2021-04-06 13:00

Threat actors are targeting mission-critical SAP applications unsecured against already patched vulnerabilities, exposing the networks of commercial and government organizations to attacks. SAP and cloud security firm Onapsis warned of these ongoing attacks today, and have worked in partnership with the Cybersecurity and Infrastructure Security Agency and Germany's cybersecurity agency BSI to warn SAP customers to deploy patches and survey their environments for unsecured apps.

SAP Stomps Out Critical RCE Flaw in Manufacturing Software
2021-03-10 22:00

Enterprise software giant SAP pushed out fixes for a critical-severity vulnerability in its real-time data monitoring software for manufacturing operations. If exploited, the flaw could allow an attacker to access SAP databases, infect end users with malware and modify network configurations.

SAP Patches Critical Flaws in MII, NetWeaver Products
2021-03-10 11:40

SAP's March 2021 Security Patch Day updates include 9 new security notes, including two for critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products. This month's set of patches also includes 4 updates to previously released Patch Day security notes, including updates for two notes rated Hot News, which address a missing authorization check in Solution Manager and deliver the latest patches for the Chromium browser in Business Client.

Onapsis Platform for SAP SuccessFactors ensures security and compliance in the intelligent enterprise
2021-03-04 00:30

Onapsis announced the general availability of support for SAP SuccessFactors in The Onapsis Platform. "SaaS applications such as SuccessFactors can introduce new risk into the business-critical application environment if security parameters are not continuously assessed to maintain a strong security posture," said Marty Ray, Chief Information Security Officer at Fossil Group.