German software vendor SAP, in partnership with cyber security and compliance provider Onapsis, has warned SAP customers of active cyber threats seeking to specifically target, identify and compromise organisations running unprotected SAP applications through a variety of cyber attack vectors.
The two companies released a joint report on 6 April detailing the threats and the associated vulnerabilities, with both SAP and Onapsis strongly advising organisations to take immediate action and patch their systems.
According to the report, there are at least six vulnerabilities of note that are being exploited. These are CVE-2020-6287 (also known as RECON), CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326. SAP has previously released patches for all of these vulnerabilities.
However, according to SAP and Onapsis, these vulnerabilities are being actively exploited against SAP applications and chained together to extend an initial compromise of one system to other targets. With respect to how the vulnerabilities are combined, the companies identify four groups.
Group one involves vulnerabilities enabling application-level access. These vulnerabilities allow for an initial compromise of the target application, providing a user account on the system.
There are three vulnerabilities that can be placed in this category – CVE-2020-6287, CVE-2016-3976 and the brute-forcing of high-privilege users in the SAP application. The second group features vulnerabilities enabling privilege escalation from the application to the operating system (OS).
This group of vulnerabilities allows an attacker who already holds an application-level user to obtain unrestricted OS command execution, which amounts to privilege escalation on the target system. Vulnerabilities in this group include CVE-2018-2380 and CVE-2016-9563.
Group three involves vulnerabilities enabling direct OS-level access. These are the vulnerabilities that allow for unrestricted direct OS-level command execution in the target SAP application without any prior application-level access. The vulnerability in this category is CVE-2010-5326.
The fourth group contains vulnerabilities allowing for cross-system compromise. These vulnerabilities support lateral movement across the landscape and are used to compromise additional systems beyond the one initially exploited. The vulnerabilities in this group are CVE-2016-3976 and CVE-2020-6207.
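The four groups above describe a chain: application-level access, then escalation to the OS (or direct OS access), then movement to other systems. A defender doing the compromise assessment the report recommends wants to know, per system, how much of that chain is still open. The following triage helper is an added illustration, not code from SAP, Onapsis or the report; the CVE-to-group mapping is taken from the text, while the inventory, the SIDs and the scoring weights are constructed assumptions for the example.

```python
"""Rank SAP systems by how much of the attack chain described in the
SAP/Onapsis report remains open, given which of the six CVEs each system
has patched. Added illustration: the inventory and weights are constructed."""

# CVE -> chain stage(s), as grouped in the report. CVE-2016-3976 is listed
# in both the application-access group and the cross-system group.
CVE_GROUPS = {
    "CVE-2020-6287": {"app_access"},
    "CVE-2016-3976": {"app_access", "cross_system"},
    "CVE-2018-2380": {"priv_esc"},
    "CVE-2016-9563": {"priv_esc"},
    "CVE-2010-5326": {"direct_os"},
    "CVE-2020-6207": {"cross_system"},
}
ALL_CVES = frozenset(CVE_GROUPS)


def open_groups(applied_patches, weak_admin_passwords=False):
    """Return the chain stages still reachable on a system.

    weak_admin_passwords models the report's third group-one entry
    (brute-forcing of high-privilege users), which has no CVE number.
    """
    groups = set()
    for cve in ALL_CVES - set(applied_patches):
        groups |= CVE_GROUPS[cve]
    if weak_admin_passwords:
        groups.add("app_access")
    return groups


def os_reachable(groups):
    """OS command execution is reachable directly (group three) or via
    application access followed by privilege escalation (groups one + two)."""
    return "direct_os" in groups or {"app_access", "priv_esc"} <= groups


def priority(system):
    """0 = nothing open; higher = more urgent. Internet exposure doubles the
    score, reflecting the report's point that exposed systems are found and
    compromised within hours. Weights are an assumption of this example."""
    groups = open_groups(system["applied"],
                         system.get("weak_admin_passwords", False))
    score = 0
    if "app_access" in groups:
        score += 1
    if os_reachable(groups):
        score += 2
    # Lateral movement only matters once a foothold of some kind exists.
    if "cross_system" in groups and ("app_access" in groups or os_reachable(groups)):
        score += 1
    if system.get("internet_exposed"):
        score *= 2
    return score


def rank(inventory):
    """Most urgent system first."""
    return sorted(inventory, key=priority, reverse=True)


# Constructed sample inventory; SIDs and patch states are hypothetical.
SAMPLE_INVENTORY = [
    {"sid": "PRD", "internet_exposed": True,
     "applied": ["CVE-2018-2380", "CVE-2016-9563"]},
    {"sid": "QAS", "internet_exposed": False,
     "applied": sorted(ALL_CVES)},
    {"sid": "DEV", "internet_exposed": False,
     "applied": ["CVE-2020-6287", "CVE-2016-3976", "CVE-2010-5326"],
     "weak_admin_passwords": True},
]

if __name__ == "__main__":
    for s in rank(SAMPLE_INVENTORY):
        stages = sorted(open_groups(s["applied"], s.get("weak_admin_passwords", False)))
        print(f'{s["sid"]}: priority {priority(s)}, open stages {stages}')
```

In the sample data the internet-exposed production system with direct OS access and lateral-movement vulnerabilities unpatched ranks first, the development system that is fully patched for CVEs but has guessable administrator passwords still scores because the chain (application access, then escalation) stays open, and the fully patched system scores zero. Patch status alone is not the whole picture: the report also calls for secure configurations and a compromise assessment, which a script like this only helps to prioritise.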
Both SAP and Onapsis have worked in close partnership with the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and Germany's BSI, and are advising organisations to take immediate action to apply the specific SAP patches and secure configurations, and to perform compromise assessments on critical environments.
“The observed critical weaknesses being actively exploited have been promptly patched by SAP, and have been available to customers for months, and years in some cases,” Onapsis CEO Mariano Nunez said in a blog post.
“Unfortunately, both SAP and Onapsis continue to observe many organisations that have still not applied the proper mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.
“Companies that have not prioritised rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,” he added.
According to Nunez, critical SAP vulnerabilities are being weaponised within 72 hours of a patch release, and new unprotected SAP applications provisioned in cloud environments are being discovered and compromised in less than three hours.
“Beyond the implications for individual SAP customers, orchestrated and successful attacks on unprotected SAP applications could have far-reaching consequences: with more than 400,000 organisations using SAP, including 92 per cent of the Global Fortune 2000, 77 per cent of the world’s transactional revenue touches an SAP system,” he said.