
4 ways to protect business-critical SAP applications


COMMENTARY: By now, it’s clear that the business of the world gets conducted through mission-critical SAP applications, with SAP customers generating 84% of total global commerce. Of the 100 largest companies, 98 are SAP customers.

These companies and 400,000 additional ones depend upon SAP tools to perform enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and other important business functions. More than 75% of the world’s transactional revenues are linked to an SAP system. So any disruption impacting the applications could come at a large cost in terms of productivity, operations continuity, sales and customer trust/loyalty.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Unfortunately, the threat of such disruptions has emerged as very real: In research conducted with SAP, we discovered that cyber attackers are actively targeting, identifying, and compromising organizations running these applications.

Since mid-2020, we have found an estimated 300 successful exploit attempts on unprotected SAP instances leveraging seven SAP-specific attack vectors and more than 100 hands-on keyboard sessions, with common vulnerabilities and exposures (CVEs) and insecure configurations creating the issues.

The window for defenders to act has shrunk as well, with attackers weaponizing SAP vulnerabilities less than 72 hours after the release of patches, according to our research. Attackers are also discovering and compromising new, unprotected SAP applications in the cloud in less than three hours.

Major cybercriminal organizations are increasingly focusing on SAP technology to exploit payment systems, exfiltrate financial information and perform fraud over lengthy stretches of time. Malware known as “infostealers” targets login credentials, financial data and personal information from SAP applications, and spreads via phishing emails, malicious websites and infected software.

Given the ubiquitous presence of SAP applications in global commerce today, organizations need to understand that – even if they believe their systems are well-fortified behind layered defense controls – criminals are still finding ways to break in. To counter this, we recommend the following four-step plan to ensure greater visibility of the attack surface and the proactive protection of SAP-connected cyber assets and operations:

1. Identify the organization’s SAP environment, including applications, modules and components. This will increase awareness of the attack surface and threat landscape.

2. Understand which vulnerabilities are present, and which patching notes apply to the company’s environment. Then, prioritize responses to tackle the most potentially harmful weaknesses first, in the most effective way possible.

3. Recognize that attackers are increasingly targeting vulnerabilities impacting vendors which do not command the resources of, say, Microsoft, Apple, or Google. In many cases, these vendors could represent a blind spot for the organization. Therefore, it's imperative to review all vendor security policies and practices to verify that they are on par with the company's own standards.

4. Consider merging business-critical application defenses more cohesively into existing vulnerability management and detection and response security programs. The more silos the team can smash, the better the chances of thwarting a major threat.

SAP applications serve as the oxygen of modern organizations, allowing them to function and then thrive at the highest levels. Thus, security teams must protect these core, critical components of their operations. New threats are constantly emerging, and teams will need to act – and this starts with patching SAP early, often and quickly. By combining patching with other aspects of this four-step plan, teams can ensure that the business of today and tomorrow gets done efficiently, effectively, and securely.

Paul Laudanski, director of security research, Onapsis

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
