Security for SAP on-premises applications needs attention, and organizations that have neglected longstanding mitigation efforts, such as patching, risk serious consequences.
That's the overarching message of a new cybersecurity threat intelligence report jointly issued by SAP and Onapsis Inc. Based in Boston, Onapsis provides security services for SAP as well as other enterprise systems including those from Oracle and Salesforce.
Onapsis' research on SAP security indicates there are active cybersecurity threats targeting vulnerable SAP applications. These cyberattacks could allow threat actors to take control of unsecured SAP applications by getting around SAP security and governance measures. Possible consequences of attacks include theft of critical data, financial fraud, disruption of mission-critical business processes as well as violation of GDPR and other compliance regulations, according to the report.
The Onapsis Research Labs team of SAP security experts monitored SAP systems from mid-2020 to early 2021 and recorded more than 300 successful exploit attempts on unprotected SAP systems.
"The evidence clearly shows that cyber criminals are actively targeting and exploiting unprotected SAP applications with automated and sophisticated attacks," according to the report.
Focus on the unpatched
The research mainly focused on on-premises SAP systems that have not followed standard SAP security best practices like regularly patching systems. The research did not find any new vulnerabilities in SAP cloud SaaS applications or any new known customer breaches, said Mariano Nunez, co-founder and CEO of Onapsis.
"This is about cyberattacks against unprotected, mission-critical SAP applications. It's not about vulnerabilities in SAP's cloud or SaaS infrastructure," Nunez said. "It's affecting customers that may not have applied either the latest security patches from SAP that have been available for months or even years or have not properly secured their systems based on SAP's best practices."
The Onapsis research was designed to discover how attackers may be going after SAP systems, he said.
"We went out to capture in-the-wild examples of how bad actors are exploiting unprotected SAP applications," Nunez said. "We're trying to understand how prevalent these attacks are, how sophisticated the threat actors are, who they are, and try to understand how we can stop them."
The intent is to make SAP customers aware of these security threats and to make sure their systems are taking appropriate mitigation measures, said Richard Puckett, chief information security officer at SAP.
"We're in an abundance of caution looking to notify the market that if -- for whatever reason -- you've left these very serious vulnerabilities live in your environment for a very long time and not used the patches that were provided, you are potentially at risk," Puckett said.
SAP systems hold the "crown jewels" of an organization's business data, and it's vital to fill in any security gaps to keep that valuable data out of the hands of attackers, Nunez said.
Security gaps lead to vulnerable applications
Some of these gaps may occur because organizations apply patches to production environments, for example, but not to development, quality assurance or sandbox environments. Because these environments are usually interconnected, unpatched systems can lead to compromises in patched systems. Other gaps can arise if organizations pay attention to perimeter network security but not to the SAP systems themselves, which could leave doors, such as the SAP Solution Manager (akin to Active Directory), unprotected.
"It's an important learning and awareness for CISOs and SAP administrators to have enough of an understanding of [vulnerabilities]," Nunez said. "You shouldn't brush this off because if you're not applying those critical mitigation activities on your critical environment, there are bad people out there that are really going after that. But it's on you as a customer to have that visibility and governance over your critical applications."
It's difficult to estimate the extent of the problem for SAP organizations, Puckett said, because SAP has only limited visibility into on-premises environments and customers don't tend to report that their systems are unpatched.
Puckett believes that most organizations are up to date on patching, but stressed the need for all to take proper steps to ensure better security.
"SAP customers with on-premises systems typically have atmospheric defenses around those systems -- network security, firewalls, [Intrusion Detection Systems] -- that would potentially compensate for unpatched environments," he said. "But we don't have the sense that there are a wide number of potential victims. I think most customers who do receive security bulletins do tend to take them seriously, but there may be situations where customers have lost sight of these systems in their environments."
The research shows that SAP attackers have sophisticated SAP skills and advanced domain knowledge of SAP applications, making unpatched applications particularly vulnerable. The report indicated that attackers have been known to patch vulnerabilities that they've exploited, deploying backdoor access to those applications and making the threat even harder to detect.
Jim O'Donnell covers ERP and other enterprise applications for SearchSAP and SearchERP.