
3 Ways Attackers Will Own Your SAP

SAP vulnerabilities that have been highlighted for years are now becoming attackers' favorite means of breaking into enterprises.

SAP security specialist Onapsis reported today that, in a study of hundreds of SAP installations examined by its researchers, over 95 percent were exposed to vulnerabilities that could lead to the full compromise of an organization's business data and processes. Run by a quarter of a million customers worldwide, SAP products form the backbone of the critical technology infrastructure of 87 percent of Global 2000 companies. And yet SAP remains a cybersecurity backwater for most infosec programs.

"SAP systems are inherently complex by nature as they are the backbone of business systems and the processes that run the enterprise. It is difficult to find and remediate issues because today's security measures -- segregation of duties (SoD) and access controls -- do not protect organizations from cyber attacks," says Juan Pablo Perez-Etchegoyen, CTO and Head of Research for Onapsis. "In fact organizations don't even know they are being attacked in most cases. These security programs focus on the processes, people, and infrastructure and are not looking at SAP systems as part of this picture."

Since Onapsis broke into the scene at Black Hat in 2007 with one of its first eye-opening talks on SAP vulnerabilities, its research team has continued to put the microscope on these applications. This week it put together a comprehensive study of many of the findings over the past few years. Though the full report is only available to its customers, it did release some eye-opening facts gleaned from the study. For example, it found that the average patch window for SAP at companies is 18 months or longer. And yet SAP only continues to accelerate the pace of patches for these systems, with an average of 30 released per month, with nearly 50 percent ranked high-priority by SAP. Most startling, though, is the fact that Onapsis has finally gathered enough evidence in real-world situations to show that the bad guys really are using these vulnerabilities to get to the most sensitive information that enterprises own.

As Mariano Nunez, CEO and co-founder of Onapsis, explained, one of the first questions he was asked by people at that first Black Hat was, 'Yes, but are these vulnerabilities really being exploited?'

"At that point we didn't have enough data to answer them, but over the last couple of years we've been part of SAP incident response projects and we see more and more people using SAP-specific exploits to break into business-critical data and disrupt business critical processes," he says.

As his team started analyzing attacks, they began to put together a picture of criminals' attack patterns. According to Onapsis, the three most common ways SAP vulnerabilities are being exploited are these. The first is pivoting between SAP systems to steal customer information, including credit card data. The second is customer and supplier portal attacks, in which the attackers create backdoor users in the SAP J2EE User Management Engine. The third is direct attacks through SAP proprietary protocols.
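The second pattern above, backdoor users created in the J2EE User Management Engine, is one a defender can watch for by reconciling user-management events against approved change tickets. The script below is an added example and is not code from Onapsis, SAP or the article; the JSON event shape, field names (`actor`, `action`, `user`, `roles`, `ticket`), role names and trusted-admin list are all constructed assumptions that a real deployment would map onto its own UME or security audit log fields.

```python
"""Flag suspicious user-management events in an SAP Java (J2EE) UME audit feed.

Added example, not Onapsis or SAP code. The event format is a constructed,
simplified JSON-lines shape; every field name and role name is an assumption.
"""
import json
from datetime import datetime

# Roles whose grant deserves review (assumed names, not an authoritative SAP list).
PRIVILEGED_ROLES = {"Administrators", "SAP_J2EE_ADMIN"}

# Accounts expected to perform user administration (assumed).
TRUSTED_ADMINS = {"hr.admin", "basis.lead"}

# Constructed sample feed: one routine onboarding, one off-hours admin account
# created by a service account without a ticket, one role grant with an
# unapproved ticket.
SAMPLE_EVENTS = """
{"timestamp": "2015-05-04T10:15:00Z", "actor": "hr.admin", "action": "create_user", "user": "jdoe", "roles": ["Employee"], "ticket": "CHG-1001"}
{"timestamp": "2015-05-04T02:41:00Z", "actor": "svc_integration", "action": "create_user", "user": "sapsupp01", "roles": ["Administrators"], "ticket": null}
{"timestamp": "2015-05-04T14:05:00Z", "actor": "basis.lead", "action": "assign_role", "user": "jdoe", "roles": ["SAP_J2EE_ADMIN"], "ticket": "CHG-1002"}
"""

# Change tickets the change-management system says were approved (constructed).
APPROVED_TICKETS = {"CHG-1001"}


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_off_hours(timestamp):
    """True outside 07:00-19:00 UTC; 'Z' is rewritten so fromisoformat accepts it on older Pythons."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return ts.hour < 7 or ts.hour >= 19


def assess_event(event, approved_tickets):
    """Return the list of reasons an event looks like backdoor-user activity (empty if none)."""
    reasons = []
    if event["action"] not in ("create_user", "assign_role"):
        return reasons
    granted = PRIVILEGED_ROLES & set(event.get("roles", []))
    if granted:
        reasons.append("privileged role granted: " + ", ".join(sorted(granted)))
    if event.get("ticket") not in approved_tickets:
        reasons.append("no approved change ticket")
    if event["actor"] not in TRUSTED_ADMINS:
        reasons.append("actor is not a trusted administrator: " + event["actor"])
    if is_off_hours(event["timestamp"]):
        reasons.append("off-hours change")
    return reasons


def find_suspicious(text, approved_tickets):
    """Return [{'user': ..., 'timestamp': ..., 'reasons': [...]}] for every flagged event, in feed order."""
    findings = []
    for event in parse_events(text):
        reasons = assess_event(event, approved_tickets)
        if reasons:
            findings.append({"user": event["user"], "timestamp": event["timestamp"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, APPROVED_TICKETS):
        print(finding["timestamp"], finding["user"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The point of the reconciliation is that a backdoor account rarely comes with a matching, approved change ticket; the role, actor and time-of-day checks are secondary signals that raise a finding's priority rather than stand-alone alerts.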

In order to combat these attacks, enterprises must be able to bridge the gap between security teams and SAP operations teams to start improving patch cycles and SAP security strategy.

"In order to bridge the gap between CISOs and CIOs, it is important to have an agreement that security and IT share the same goals of availability and that the information security program will not be at the expense of operations and uptime," says Renee Guttmann, vice president for the Office of the CISO at Accuvant and a member of the Onapsis board of advisors. "Once the CISO and CIO agree, they must collaborate to develop the SAP security plan to which the business owners must also agree as they are the ultimate stakeholders. This can be a win/win/win for everyone as long as there are common goals and transparency."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Apprentice
5/12/2015 | 3:46:37 PM
Re: Packet Storm Reports
Hi Christian,

Thanks for your insight! It's nice to see that this issue is becoming recognized in the industry. We have been working on many high-profile SAP Incident Response projects and we are seeing more public breaches surfacing. The threat is real and we are working to educate our customers and the market of the best way to respond.

Mariano Nunez

CEO | Onapsis Inc.

User Rank: Ninja
5/8/2015 | 10:58:24 PM
Packet Storm Reports
I first noticed Onapsis reports piling up on Packet Storm. I don't get to Black Hat and SAP has never been part of my work environment. However, I know lots of folks surrounded by SAP and I'm curious to hear feedback from them.  Some of these reports are rather concerning and SAP is ubiquitous in government and other public organizations.

I think this is a good example of how solid vulnerability research and documentation/publication can lend to application improvement. It's not overwhelming, but I am seeing SAP techs starting to address reports and what is being done to respond to them. Teams like Onapsis are important to the long-term health of InfoSec being seen as a needed discipline. I hope we see more security teams contributing to InfoSec in this way and really making a difference.