Source: www.csoonline.com – Author:
News, 13 Dec 2024, 4 mins
Long viewed as an opaque black box, enterprise systems from SAP are increasingly the focus of attackers trying to break into them, according to research presented at Black Hat Europe 2024.
A review of four years of threat intelligence data, presented Friday at Black Hat by Yvan Genuer, a senior security researcher at Onapsis, reports a spike in hacker interest in breaking into enterprise resource planning (ERP) systems from SAP in 2020 that was sustained until the end of 2023.
The vast majority (87%) of the Forbes Global 2000 list of the world’s biggest companies use SAP, according to the enterprise software firm, with the technology handling 77% of the world’s transaction revenue.
ERP-focused cybersecurity firm Onapsis and threat intel research partner Flashpoint analyzed activities on criminal forums, ransomware incidents, chat sites, and ransomware group sites.
Diverse groups including cybercrime groups (FIN13 “Elephant Beetle”, Russian cybercrime group FIN7, and Cobalt Spider), cyber espionage crews (China’s APT10) and script kiddies are all actively targeting SAP-related vulnerabilities.
The vast troves of data held by SAP-based systems make them a target for cyberespionage groups while the huge volume of transactions attracts interest from profit-motivated cybercriminals.
SAP exploits are being sold by criminal groups
The CVE-2020-6287 (RECON) and CVE-2020-6207 (SAP Solution Manager missing authentication) vulnerabilities lit the touch paper on discussions about how best to exploit SAP systems.
Onapsis cited an example where a purported exploit on SAP Secure Storage was offered for sale at $25,000 in August 2020. Buyers offered to pay $50,000 for SAP NetWeaver pre-authentication remote code execution or authentication bypass exploits in September 2020. Later posts offered up to $250,000 for working exploits against SAP systems.
Active discussions in cybercriminal forums about SAP-specific Cloud and Web services have increased 220% from 2021 to 2023, according to Onapsis.
Cybercriminals frequent these forums to discuss details on how to exploit SAP vulnerabilities as well as exchange tips and tricks on monetizing SAP compromises and how to execute attacks against potential victims.
The demand for SAP zero-days (unpatched vulnerabilities) from diverse groups is only growing because they represent a potentially huge return on investment, according to Onapsis. “SAP is no longer a black box — consider SAP applications as targeted,” Onapsis’ Genuer warned, adding that not only internet-exposed systems were being hacked.
Onapsis concluded that the complexity of SAP systems and their integration into broader business processes create unique security challenges. Enterprises need to prioritize regular patch management, vulnerability assessments, and the adoption of advanced threat intelligence practices to stay ahead of potential threats, it advised.
Independent third-party experts agreed with Onapsis’s conclusion that SAP-based systems have become an increased focus of interest to attackers.
“SAP systems are prime targets for attackers due to their critical role in managing core operations for large enterprises, storing sensitive data such as financial transactions, intellectual property, and personal information,” according to Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. “Developing an exploit that can decrypt secure storage and facilitate lateral movement within SAP systems indicates a high level of technical expertise and effort, thus justifying a high price.”
For example, ReliaQuest discovered an exploit targeting SAP systems that was being advertised on a prominent cybercriminal forum for nearly $25,000 (payable in Bitcoin) and initially listed in August 2020.
The exploit purportedly facilitates lateral movement within targeted systems. “The post claims the exploit can use SAP Secure Storage to uncover credentials, elevate privileges, and eventually compromise additional SAP systems beyond the initial target,” according to ReliaQuest.
SAP Secure Storage is essential for managing sensitive data and credentials within an SAP environment, making any exploit for SAP systems highly valuable for anyone seeking unauthorized access or elevated privileges.
Original Post url: https://www.csoonline.com/article/3624464/researchers-expose-a-surge-in-hacker-interest-in-sap-systems.html
Category & Tags: Black Hat, Financial Services Industry, Hacking, Payment Systems, Security Software, Software Providers