SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned. SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.
On April 6, 2021, security researchers from Onapsis, in coordination with SAP, released an alert detailing observed threat actor activity and techniques that could lead to full control of unsecured SAP applications. According to CISA, impacted organizations could experience:
- theft of sensitive data,
- financial fraud,
- disruption of mission-critical business processes,
- ransomware, and
- halt of all operations.
CISA recommends operators of SAP systems review the Onapsis Alert Active Cyberattacks on Mission-Critical SAP Application for more information and apply necessary updates and mitigations. SAP and Onapsis strongly advise organizations to take immediate action including swift application of the relevant SAP security patches and a thorough review of security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments.
Though SAP "promptly patched all of the critical vulnerabilities observed being exploited, and have made them available to customers for months, and years in some cases," many organizations "have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet," says the Onapsis alert.
According to Kevin Dunne, President at Pathlock, a Flemington, New Jersey-based provider of unified access orchestration, "SAP systems are a prominent attack vector for bad actors. Most federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers."
Dunne adds, "Applying security patches in a timely fashion is mission critical in closing major, known SAP vulnerabilities. However, as known vulnerabilities are constantly being discovered and exploited by bad actors, patching can only remedy issues that are in the rear view. For a comprehensive, forward-looking approach to SAP security, organizations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data. This way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified and their damage can be mitigated in real time."
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, "Our reporting has found that ISVs and technology companies have an inordinately high window of exposure. We are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers. In this case, SAP customers are accountable for securing their customers. Customers who implement SAP cannot completely depend on SAP to guarantee security, nor can SAP provide assurance of a customer's implementation. This is one of those blind spots that organizations who implement large packaged applications should be cautious of. Taking an inventory of packaged applications, reviewing the implementation for security and working with your packaged application vendors to understand best security practices for implementation is crucial."
See CISA’s previous alerts on SAP:
- Alert AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java, published July 13, 2020
- Alert AA19-122A: New Exploits for Unsecure SAP Systems, published May 02, 2019
- CA: Malicious Cyber Activity Targeting ERP Applications, published July 25, 2018
- Alert TA16-132A: Exploitation of SAP Business Applications, published May 11, 2016