Dark Reading is part of the Informa Tech Division of Informa PLC


3 Ways Attackers Will Own Your SAP

SAP vulnerabilities that have been highlighted for years are now becoming attackers' favorite means of breaking into enterprises.

SAP security specialists at Onapsis reported today that, in a study of hundreds of SAP installations examined by their researchers, over 95 percent were exposed to vulnerabilities that could lead to the full compromise of an organization's business data and processes. Run by a quarter of a million customers worldwide, SAP products form the backbone of the critical technology infrastructure of 87 percent of Global 2000 companies. And yet SAP remains a cybersecurity backwater for most infosec programs.

"SAP systems are inherently complex by nature as they are the backbone of business systems and the processes that run the enterprise. It is difficult to find and remediate issues because today's security measures -- segregation of duties (SoD) and access controls -- do not protect organizations from cyber attacks," says Juan Pablo Perez-Etchegoyen, CTO and Head of Research for Onapsis. "In fact, organizations don't even know they are being attacked in most cases. These security programs focus on the processes, people, and infrastructure and are not looking at SAP systems as part of this picture."

Since Onapsis broke onto the scene at Black Hat in 2007 with one of the first eye-opening talks on SAP vulnerabilities, its research team has kept these applications under the microscope. This week it put together a comprehensive study of many of its findings from the past few years. Though the full report is available only to its customers, it did release some eye-opening facts gleaned from the study. For example, it found that the average patch window for SAP at companies is 18 months or longer. Meanwhile, SAP continues to accelerate the pace of patches for these systems, releasing an average of 30 per month, nearly 50 percent of which SAP ranks as high-priority. Most startling, though, is that Onapsis has finally gathered enough real-world evidence to show that attackers really are using these vulnerabilities to reach the most sensitive information enterprises own.

As Mariano Nunez, CEO and co-founder of Onapsis, explained, one of the first questions he was asked by people at that first Black Hat was, 'Yes, but are these vulnerabilities really being exploited?'

"At that point we didn't have enough data to answer them, but over the last couple of years we've been part of SAP incident response projects and we see more and more people using SAP-specific exploits to break into business-critical data and disrupt business critical processes," he says.

As his team analyzed attacks, it began to piece together a picture of criminals' attack patterns. According to Onapsis, SAP vulnerabilities are most commonly exploited in three ways. The first is pivoting between SAP systems to steal customer information, including credit card data. The second is attacks on customer and supplier portals, in which the attackers create backdoor users in the SAP J2EE User Management Engine. The third is direct attacks through SAP's proprietary protocols.

In order to combat these attacks, enterprises must be able to bridge the gap between security teams and SAP operations teams to start improving patch cycles and SAP security strategy.

"In order to bridge the gap between CISOs and CIOs, it is important to have an agreement that security and IT share the same goals of availability and that the information security program will not be at the expense of operations and uptime," says Renee Guttmann, vice president for the Office of the CISO at Accuvant and a member of the Onapsis board of advisors. "Once the CISO and CIO agree, they must collaborate to develop the SAP security plan to which the business owners must also agree as they are the ultimate stakeholders. This can be a win/win/win for everyone as long as there are common goals and transparency."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

5/12/2015 | 3:46:37 PM
Re: Packet Storm Reports
Hi Christian,

Thanks for your insight! It's nice to see that this issue is becoming recognized in the industry. We have been working on many high-profile SAP Incident Response projects and we are seeing more public breaches surfacing. The threat is real and we are working to educate our customers and the market of the best way to respond.



Mariano Nunez

CEO | Onapsis Inc.

5/8/2015 | 10:58:24 PM
Packet Storm Reports
I first noticed Onapsis reports piling up on Packet Storm. I don't get to Black Hat and SAP has never been part of my work environment. However, I know lots of folks surrounded by SAP and I'm curious to hear feedback from them.  Some of these reports are rather concerning and SAP is ubiquitous in government and other public organizations.

I think this is a good example of how solid vulnerability research and documentation/publication can lend to application improvement. It's not overwhelming, but I am seeing SAP techs starting to address reports and what is being done to respond to them. Teams like Onapsis are important to the long-term health of InfoSec being seen as a needed discipline. I hope we see more security teams contributing to InfoSec in this way and really making a difference.