Security

SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers

So please don't delay in applying updates, says, well, everyone


SAP and security analysts Onapsis say cyber-criminals are pretty quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems.

In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications," and warned time was of the essence, reporting "SAP vulnerabilities being weaponized in less than 72 hours since the release of patches."

For newly provisioned SAP applications in cloud environments, discovery and attack can occur in as little as three hours, the report says. On average, though, the time from the provisioning of a new SAP instance at a cloud service provider to its exploitation and compromise is just under a week.

And while, yes, patches are rapidly weaponized all the time in the information security world, it's interesting to see it quantified and highlighted by SAP.

In conjunction with the SAP/Onapsis alert, the US government's Cybersecurity and Infrastructure Security Agency (CISA) issued its own warning, stating "SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks."


The Feds said possible consequences of a successful attack include data theft, financial fraud, business process disruption, ransomware, and the highly undesirable "halt of all operations." Coming as it does on the heels of the SolarWinds fiasco and recent attacks on Microsoft Exchange servers, such concern is perhaps warranted.

And given that SAP software is used at over 400,000 organizations and more than 1,000 government organizations, CISA interest in urging IT folk to try a bit harder has a certain logic to it.

The SAP/Onapsis report says that over 300 successful exploitation attempts on unprotected SAP instances have been documented since mid-2020. The attacks have made use of multiple vulnerabilities (CVEs) and insecure configurations.

That suggests organizations have actually been compromised as a result of this activity, but that's not the case, SAP and Onapsis insist.

"The exploits were observed through the Onapsis Threat Intelligence Cloud and not on actual customer environments," an Onapsis spokesperson explained. "As a result, we do not have data on victims or impact on actual organizations."

Speed of software

What the security biz can provide with a bit more certainty is a timeline. For example, when the RECON flaw (CVE-2020-6287) was disclosed on July 14, 2020, proof-of-concept code surfaced on July 15, mass scanning began on July 16, and a functional public exploit appeared on July 17. That doesn't leave system administrators a lot of time to lounge around and weigh the pros and cons of applying the SAP patch.

Most of the observed attack attempts focused on the following CVEs, for which public exploits are available, mostly on GitHub: CVE-2010-5326, CVE-2018-2380, CVE-2016-3976, CVE-2016-9563, CVE-2020-6287, and CVE-2020-6207.

Onapsis did not provide attribution for any of the observed attack attempts, but did identify the general geographic origin of both automatic exploitation attempts and interactive login attempts:

The security firm's advice is about what you'd expect: identify any SAP applications vulnerable to these CVEs, test the fixes, and apply them pronto ... without breaking business-critical applications and lowering staff productivity, of course.

Also, don't forget to identify misconfigurations, excessive privileges, and other potential issues sooner rather than later.

It has ever been thus. Sorry there's no happy ending. ®
