Six vulnerabilities discovered in SAP applications since 2011 are actively exploited by malicious. According to recent threat analysis attackers have gained an expert understanding of SAP applications making the automated exploitation of misconfigured systems an easier enterprise.
- CVE-2020-6287 ( RECON): This vulnerability allows unauthenticated attackers to take control of a system remotely.
- CVE-2020-6207: This vulnerability also enables malicious actors to take over a vulnerable system remotely, sometimes with the help of a published PoC.
- CVE-2018-2380: This is a privilege escalation vulnerability that allows if successful for remote code execution, accessing data and lateral movement among other exploitation.
- CVE-2016-95: Attackers can exploit this bug to trigger denial-of-service (DoS) states and gain unauthorized access to sensitive information.
- CVE-2016-3976: This is also a privilege escalation vulnerability which has published exploits showing threat actors how to compromise vulnerable systems.
- CVE-2010-5326: This vulnerability allows for remote code execution, which, if successful can lead attackers to gain access and control over sensitive data and processes.
Brute-force attacks aimed at privileged SAP user accounts have been detected as well. Attempts and attacks exploiting these vulnerabilities have been observed by Onapsis revealing yet unpatched applications. In some cases attackers who gain initial access will patch the system themselves while keeping a backdoor to perform further malicious activities like stealing data, ransomware attacks, disrupting the victim’s operations, fraud etc.
RECOMMENDED SOLUTION
- Onapsis has made available a number of tools on GitHub for the detection of compromise on vulnerable applications
- For customers who did not patch their applications right away it is strongly recommended that they conduct an assessment of compromise and update their SAP services with the appropriate corrections.(#2934135, #2890213, #2547431, #2296909, #2234971, #1445998 – SAP account needed to access the links)
- Conduct a risk and a compromise assessment of the SAP environment and ensure there are no anomalies in the high privilege account users
POSSIBLE MITIGATION
- If misconfigured systems cannot be immediately patched, customers must setup threat detection solutions to monitor anomalies until they fully update their applications.
Sources : CISA, Onapsis, SAP, GitHub, Bleeping Computer,