SAP has issued an urgent security report after an increase in attacks against unpatched SAP systems using a variety of attack vectors.

A new report from SAP and security firm Onapsis details how criminals are targeting mission critical SAP systems which are vulnerable due to security patches not being applied in a timely manner.  The CISA and German Federal Office for Information Security have also issued alerts to draw attention to the elevated risks faced by SAP users.

SAP systems are used by many of the world’s largest organisations including 92% of the Forbes Global 2000, 5 Nato agencies and 44 of the world’s military forces.  SAP claim 77% of the world’s transaction revenue touches an SAP system.

The report’s key findings demonstrate the risks to SAP installations including:

• Threat actors clearly demonstrating expert systems knowledge of SAP environments and targeting relevant modules to exfiltrate data or conduct fraudulent transactions.
• Exploits being attempted in as little as 72 hours after patches are published, highlighting the need for prompt review and scheduling of patches by SAP administrators.
• New SAP environments being identified and attacked online within 3 hours of provisioning in cloud environments – highlighting the needs to ensure the environment is securely configured and hardened from the outset.
• Threat actors have been observed scanning for specific vulnerabilities in SAP systems up to three months before the patches are published, indicating detailed knowledge of vulnerabilities before their publication.

The top 3 specific vulnerabilities most targeted on SAP systems according to the report are:

• Brute forcing attempts against well-known administrator and high-privilege SAP user accounts – including default passwords left unchanged from installation.
• CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server – this CVSS 10 rated vulnerability allows an attacker to access the highly privileged SAP adm account which gives control over the whole system.
• CVE-2020-6207: Missing Authentication Vulnerability in SAP Solution Manager – another CVSS 10 rated vulnerability could allow an attacker to issue operating system commands on the target and linked satellite systems

Security Managers can defend against these vulnerabilities by ensuring SAP systems are patched promptly, security hardened by following SAPs security recommendations and limiting the publication of SAP systems onto the public internet – ideally only allowing them to be accessed over secure VPN connections.