On April 6, a threat intelligence report from Onapsis security researchers in coordination with SAP revealed that SAP systems running on misconfigured or outdated software are exposed to increased risk of malicious cyberattacks. The Cybersecurity and Infrastructure Security Agency of US and Germany’s Federal Office for Information security have also issued warning. It is advised to take prompt action on relevant SAP security patches.
Below are some of the comments from industry leaders:
Morey Haber, CTO and CISO at BeyondTrust
2021 is becoming the year where threat actors are targeting third party enterprise applications and vendor supply chains. We have seen a myriad of successful attacks that have crippled businesses and government agencies alike. Now CISA is warning of yet another application that could be at risk.
On April 6, CISA warned of malicious cyber activity targeting critical SAP applications. What is interesting about this alert is the attack vector. It is actually not one attack vector but rather multiple flaws being exploited, as single points of compromise or in tandem, that is leading to the compromise of SAP applications. In addition, the vulnerabilities range from missing security patches to poor configuration hygiene. Furthermore, these are not new flaws; they just have never been remediated in a client environment. The oldest is from 2016 and the newest from 2020, for a grand total of four.
Considering the age of the vulnerabilities and their associated alerts, this serves as a reminder that even the most critical applications with potential complex deployments must have vulnerability and risk assessments conducted on a regular basis. Then, an organisation must follow up on mitigation and remediation strategies to secure the application.
In other words, patch management is critical to ensure every application stays secure, configuration management is critical to ensure applications are hardened, and privileged access management is critical to ensure threat actors cannot steal the secrets and passwords that are required to install, operate, manage, and use an application.
Scott Caveza, Research Engineering Manager, Tenable
A recent advisory from CISA warns that unpatched or misconfigured SAP systems are actively being targeted by threat actors. SAP software is used by organisations to manage critical business functions and often used to store sensitive data. By leveraging known unpatched vulnerabilities, attackers can disrupt critical processes, steal financial or otherwise sensitive data, or deploy malicious code which can lead to a major impact on affected organisations.
Over the last year, we have continued to see reports from US Government agencies warning of the threat of unpatched software and known vulnerabilities being targeted by threat actors.
Despite patches being available for months and even years, attackers are still finding and exploiting unpatched SAP systems. This serves as a reminder to administrators of sensitive data and applications that applying patches, mitigations, or workarounds are paramount to thwarting malicious actors looking to exploit well known vulnerabilities.