{"id":1253,"date":"2024-12-13T17:38:08","date_gmt":"2024-12-13T17:38:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1253"},"modified":"2024-12-13T17:38:08","modified_gmt":"2024-12-13T17:38:08","slug":"sap-systems-increasingly-targeted-by-cyber-attackers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1253","title":{"rendered":"SAP systems increasingly targeted by cyber attackers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A review of four years of threat intelligence data, <a href=\"https:\/\/i.blackhat.com\/EU-24\/Presentations\/EU-24-Genuer-ExposingTheDarkCornersOfSAP-4YearsOfThreatIntelligenceDataAnalyzed.pdf\">presented Friday at Black Hat by Yvan Genuer<\/a>, a senior security researcher at Onapsis, reports a spike in hacker interest in breaking into enterprise resource planning (ERP) systems from SAP in 2020 that was sustained until the end of 2023.<\/p>\n<p>The vast majority (87%) of the Forbes Global 2000 list of the world\u2019s biggest companies use SAP, according to the enterprise software firm, with the technology handling 77% of the world\u2019s transaction revenue.<\/p>\n<p>ERP-focused cybersecurity firm Onapsis and threat intel research partner Flashpoint analyzed activities on criminal forums, ransomware incidents, chat sites, and ransomware group sites.<\/p>\n<p>Diverse groups including cybercrime groups (<a href=\"https:\/\/www.sygnia.co\/threat-reports-and-advisories\/elephant-beetle-an-organized-financial-theft-operation\/\">FIN13 \u201cElephant Beetle\u201d<\/a>, Russian cybercrime group FIN7, and Cobalt Spider), cyber espionage crews (China\u2019s APT10) and script kiddies are all actively targeting <a 
href=\"https:\/\/www.csoonline.com\/article\/573685\/most-common-sap-vulnerabilities-attackers-try-to-exploit.html\">SAP-related vulnerabilities<\/a>.<\/p>\n<p>The vast troves of data held by SAP-based systems make them a target for cyberespionage groups while the huge volume of transactions attracts interest from profit-motivated cybercriminals.<\/p>\n<h2 class=\"wp-block-heading\">SAP exploits are being sold by criminal groups<\/h2>\n<p>The <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-6287\">CVE-2020-6287<\/a> (RECON) and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-6207\">CVE-2020-6207<\/a> (SAP Solution Manager missing authentication) vulnerabilities lit the touch paper on discussions about how best to exploit SAP systems.<\/p>\n<p>Onapsis cited an example where a purported exploit on SAP Secure Storage was offered for sale at $25,000 in August 2020. Buyers offered to pay $50,000 for SAP NetWeaver pre-authentication remote code execution or authentication bypass exploits in September 2020. Later posts offered up to $250,000 for working exploits against SAP systems.<\/p>\n<p>Active discussions in cybercriminal forums about SAP-specific Cloud and Web services have increased 220% from 2021 to 2023, according to Onapsis.<\/p>\n<p>Cybercriminals frequent these forums to discuss details on how to exploit SAP vulnerabilities as well as exchange tips and tricks on monetizing SAP compromises and how to execute attacks against potential victims.<\/p>\n<p>In parallel, there has been a <a href=\"https:\/\/onapsis.com\/press-releases\/new-report-reveals-evidence-of-increased-cybercriminal-interest-in-erp-applications\/\">reported fivefold (400%) increase in ransomware incidents<\/a> involving SAP systems since 2021. 
Unpatched <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2021\/04\/06\/malicious-cyber-activity-targeting-critical-sap-applications\">SAP vulnerabilities are also being exploited<\/a> and used in <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/ransomware-vulnerability-warning-pilot-updates-now-one-stop-resource-known-exploited-vulnerabilities\">ransomware campaigns<\/a>.<\/p>\n<p>Public critical exploits are four years old, hence they are losing their effectiveness, so threat actors are keen to get their hands on \u201cfresh\u201d weapons, according to Onapsis. Publicly disclosed vulnerabilities in SAP applications such as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2021-38163\">CVE-2021-38163<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2022-22536\">CVE-2022-22536<\/a>, among others, are also being targeted.<\/p>\n<h2 class=\"wp-block-heading\">Hackers are feasting on resolved but unpatched vulnerabilities<\/h2>\n<p>Many attacks leverage known but unpatched vulnerabilities within SAP systems.<\/p>\n<p>The demand for SAP <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero-days<\/a> (unpatched vulnerabilities) from diverse groups is only growing because they represent a potentially huge return on investment, according to Onapsis. \u201cSAP is no longer a black box \u2014 consider SAP applications as targeted,\u201d Onapsis\u2019 Genuer warned, adding that not only internet-exposed systems were being hacked.<\/p>\n<p>Onapsis concluded that the complexity of SAP systems and their integration into broader business processes create unique security challenges. 
Enterprises need to prioritize regular patch management, vulnerability assessments, and the adoption of advanced threat intelligence practices to stay ahead of potential threats, it advised.<\/p>\n<p>Independent third-party experts agreed with Onapsis\u2019s conclusions that SAP-based systems have become an increased focus of interest to attackers.<\/p>\n<p>\u201cSAP systems are prime targets for attackers due to their critical role in managing core operations for large enterprises, storing sensitive data such as financial transactions, intellectual property, and personal information,\u201d according to Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. \u201cDeveloping an exploit that can decrypt secure storage and facilitate lateral movement within SAP systems indicates a high level of technical expertise and effort, thus justifying a high price.\u201d<\/p>\n<p>For example, ReliaQuest discovered an exploit targeting SAP systems that was being advertised on a prominent cybercriminal forum for nearly $25,000 (payable in Bitcoin) and initially listed in August 2020.<\/p>\n<p>The exploit purportedly facilitates lateral movement within targeted systems. 
\u201cThe post claims the exploit can use SAP Secure Storage to uncover credentials, elevate privileges, and eventually compromise additional SAP systems beyond the initial target,\u201d according to ReliaQuest.<\/p>\n<p>SAP Secure Storage is essential for managing sensitive data and credentials within an SAP environment, making any exploit for SAP systems highly valuable for anyone seeking unauthorized access or elevated privileges.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A review of four years of threat intelligence data, presented Friday at Black Hat by Yvan Genuer, a senior security researcher at Onapsis, reports a spike in hacker interest in breaking into enterprise resource planning (ERP) systems from SAP in 2020 that was sustained until the end of 2023. The vast majority (87%) of the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1224,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1253"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1253"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1253\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1224"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&par
ent=1253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}