Hackers are targeting unpatched vulnerabilities in SAP applications, according to a report issued by SAP and cyber threat research company Onapsis.
The report detailed more than 300 successful exploitations of critical vulnerabilities previously patched by SAP through 1,500 attack attempts between June 2020 and March 2021.
It also highlighted that the time window for defenders to act was significantly smaller than previously thought, “with examples of SAP vulnerabilities being weaponised in less than 72 hours” after the release of patches and “new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours”.
The report noted that 18 of the world’s 20 major vaccine producers run their production on SAP, 19 of 28 Nato countries run SAP, and 77% of the world’s transaction revenue touches an SAP system.
The release said both companies had “worked in close partnership with the US Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s Federal Cybersecurity Authority (BSI), advising organisations to take immediate action to apply long-available SAP patches and secure configurations, and perform compromise assessments on critical environments”.
The two declared themselves “unaware of known customer breaches directly related to this research”. The report also did not describe any new vulnerabilities in SAP cloud software as a service or SAP’s own corporate IT infrastructure. Both companies, however, noted that many organisations still had not applied relevant mitigations that have long been provided by SAP.
“We’re releasing the research Onapsis has shared with SAP as part of our commitment to helping our customers ensure their mission-critical applications are protected” Tim McKnight, SAP
“We’re releasing the research Onapsis has shared with SAP as part of our commitment to helping our customers ensure their mission-critical applications are protected,” said Tim McKnight, chief security officer at SAP. “This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise.”
Onapsis CEO and co-founder Mariano Nunez said the critical findings noted in its report described attacks on vulnerabilities for which patches and secure configuration guidelines had been available for months or even years.
“Unfortunately, too many organisations still operate with a major governance gap in terms of the cyber security and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes,” he said. “Companies that have not prioritised rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”
In the report’s foreword, Nunez said: “The evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to, enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others.”
Business applications have been known for some time to be the soft underbelly of many corporate organisations, beyond perimeter security. Nunez, in the foreword, also said: “Cloud and internet-exposed mission-critical applications that help foster new processes and business opportunities also increase the attack surface that cyber actors are now targeting.”
The release stated that none of the vulnerabilities were present in cloud solutions maintained by SAP.
The DHS CISA has also issued an alert about the potential targeting of critical SAP applications.
Source is ComputerWeekly.com
The European colocation market is plugging the demand gaps for datacentre capacity caused by the waning appetites of hyperscale cloud firms...
Source is ComputerWeekly.com
Enthusiasm for corporate sustainability appears to be waning, with major firms seemingly quietly abandoning environmental goals, but David Picton remains optimistic....
Source is ComputerWeekly.com
The UK government has confirmed North Wales as the location of its latest AI growth zone (AIGZ), while also revealing that...
Source is ComputerWeekly.com
The National Grid is continuing its efforts to beef up the UK’s electricity infrastructure to support the growth of the nation’s...
Source is ComputerWeekly.com
When VMware NSX first entered the mainstream of datacentre networking, it quickly earned a reputation for being dauntingly complex. Many organisations,...
