Mitigating Active Cyberattacks on SAP bugs in realtime | Extreme Compute

Written by Lokesh Mandapati | Apr 12, 2021 5:00:00 AM

Sensitive vulnerabilities in unpatched SAP software are being widely exploited by cyberattackers around the world, according to researchers. On Tuesday, a study was published on the activities, which include the weaponization of security vulnerabilities with CVSS severity scores of up to 10, the highest possible.

SAP technologies are used by over 400,000 business organizations around the world. Between June 2020 and March 2021, at least 1,500 SAP application-related attack attempts were tracked, with at least 300 of them being successful. Enterprise resource planning, customer relationship management tools, and supply chain processes are among the systems targeted in the attacks.

Who is in jeopardy?

Worse still, as SAP noted in its advisory, the continuing attacks may have far-reaching consequences: it is these applications that 92 percent of the Forbes Global 2000 use to power their operations and drive the global economy. Pharmaceutical firms, vital infrastructure and utility companies, food manufacturers, security companies, and many others are among these entities. According to experts, government agencies should pay special attention to the recent attacks. When updates and fixes are not implemented in a timely manner, these networks become increasingly vulnerable, leaving them wide open to interested hackers. The technology industry is another hot target for attacks.

Independent software vendors (ISVs) and technology firms have a comparatively longer window of exposure, according to reports. Since some ISVs and technology companies lack security rigor, they must reconsider their security goals, because they can end up passing security obligations on to the companies that use the ISV to create products for their customers.

Active Attacks in the open
According to the alert, the attacks are brute-forcing high-privilege SAP user accounts and exploiting a slew of known vulnerabilities, including CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, and CVE-2010-5326.

CVSS 10 for CVE-2020-6287
This remotely exploitable bug in SAP NetWeaver/Java, also known as RECON, was caused by a failed authentication check. It requires no privileges to exploit, and successful exploitation results in the creation of admin accounts and complete hijacking of the system.

CVSS 10 for CVE-2020-6207
This critical bug, which affects SAP Solution Manager (SolMan) version 7.2, allows attackers to take complete administrative control of an organization's SAP setup. Following a patch provided by SAP on March 10, 2020, proof-of-concept code for the security vulnerability was released. After the publication of the working PoC exploit code, exploit attempts increased significantly.


CVSS 6.6 for CVE-2018-2380
This older vulnerability affects the vendor's SAP NetWeaver-based CRM solution and can be exploited to conduct privilege escalation and command execution, allowing for lateral movement across a corporate network.

CVSS 6.4 for CVE-2016-9563
This vulnerability, which was patched in August 2016, affects a feature in SAP NetWeaver/JAVA version 7.5, allowing for remote but low-privilege authenticated attacks.

CVSS 7.5 for CVE-2016-3976
This security vulnerability, which was also discovered in SAP NetWeaver/JAVA and patched in March 2016, allows remote attackers to read arbitrary files through directory traversal sequences, resulting in data leaks and potentially privilege escalation if they have access to the right resources.

CVSS 10 for CVE-2010-5326
This is a critical vulnerability in SAP NetWeaver Application Server/JAVA platforms, triggered by an authentication failure in the Invoker Servlet. As a result of the security vulnerability, attackers can take complete control of SAP business processes.

According to the reports, attempts at chaining vulnerabilities to gain privilege escalation for OS-level access were found, broadening the possible effect beyond SAP systems and applications. Surprisingly, in certain instances cyber-attackers are patching the exploited vulnerabilities after gaining access to a victim's environment. This behavior demonstrates the threat actors' advanced domain knowledge of SAP applications, as well as their ability to reconfigure these systems using the vendor's patches. Threat actors often use this strategy to install backdoors on apparently patched systems in order to preserve persistence or avoid detection.

Who is responsible for the SAP Attacks?
Multiple groups appear to be involved in the activity, which appears to be coordinated across large swaths of infrastructure. Attackers are triggering exploitation from different source systems than the ones used to execute subsequent manual logins, implying that organized groups and/or actors are using widespread attack infrastructure. Although this activity is typical when studying operating system and network-based attacks, this data shows that the same strategy is used when targeting mission-critical applications, as these actors initiate attacks and escalate privileges using TOR nodes and distributed VPS infrastructures. Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, the United States, Vietnam, and Yemen are among the countries involved.

How do I avoid being attacked?
Patching bugs is the most effective way to overcome these types of assaults. All web-facing accounts should always have unique passwords to prevent automated brute-force attacks, and any applications that don't need to be exposed to the public web must be taken offline. Many organizations, however, have yet to implement the necessary mitigations, causing unprotected SAP systems to continue to run and, in many cases, remain vulnerable to cyber-attacks via the internet.

Although deploying security updates in a timely manner is important for reducing exposure to significant, well-known vulnerabilities, patching will only address issues that have already occurred. With cybercriminals patching the vulnerabilities that enable them to operate, one must find a way to detect malicious activity. With breaches occurring at an alarming rate, it is crucial for organizations to seek out professional guidance in securing their environment and to have an up-to-date security system in place. Learn more about how to avoid such attacks and implement secure operations in your organization.
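
The behaviours described above (brute-forcing of high-privilege accounts from distributed infrastructure, logins from a different source than the one that triggered exploitation, and patches applied by the intruder) can be turned into correlation rules. The following is an added example, not code from the report or from SAP; the event schema, account watchlist, approved-patcher list and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not SAP's native log
# format): (timestamp, host, event type, account, source address).
EVENTS = [
    ("2021-03-02T01:00:05", "sap-prd", "login_failed", "SAP*", "203.0.113.10"),
    ("2021-03-02T01:01:10", "sap-prd", "login_failed", "SAP*", "203.0.113.77"),
    ("2021-03-02T01:02:30", "sap-prd", "login_failed", "SAP*", "198.51.100.3"),
    ("2021-03-02T01:04:00", "sap-prd", "login_failed", "SAP*", "198.51.100.9"),
    ("2021-03-02T01:06:45", "sap-prd", "login_failed", "SAP*", "192.0.2.200"),
    ("2021-03-02T01:10:00", "sap-qa", "login_failed", "DDIC", "203.0.113.10"),
    ("2021-03-02T02:00:00", "sap-prd", "user_created", "svc_mon2", "198.51.100.7"),
    ("2021-03-02T02:30:00", "sap-prd", "login_ok", "svc_mon2", "192.0.2.44"),
    ("2021-03-02T02:45:00", "sap-prd", "patch_applied", "svc_mon2", "192.0.2.44"),
    ("2021-03-03T22:00:00", "sap-qa", "patch_applied", "basis_ops", "10.0.0.5"),
]
PRIVILEGED = {"SAP*", "DDIC", "Administrator"}  # assumed watchlist of high-privilege accounts
APPROVED_PATCHERS = {"basis_ops"}               # assumed change-management accounts
WINDOW = timedelta(minutes=10)                  # assumed tuning values
THRESHOLD = 5

def detect(events):
    """Return sorted (rule, host, account) findings for the three behaviours."""
    findings = set()
    fails = defaultdict(list)  # (host, account) -> recent failure times, any source
    created = {}               # (host, account) -> source that created the account
    for ts, host, kind, user, src in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host, user)
        if kind == "login_failed" and user in PRIVILEGED:
            # Count across all sources: the attempts come from distributed hosts.
            fails[key] = [f for f in fails[key] if t - f <= WINDOW] + [t]
            if len(fails[key]) >= THRESHOLD:
                findings.add(("privileged_bruteforce", host, user))
        elif kind == "user_created":
            created[key] = src
        elif kind == "login_ok" and created.get(key, src) != src:
            # Account is used from a different source than the one that created it.
            findings.add(("new_account_login_from_other_source", host, user))
        elif kind == "patch_applied" and user not in APPROVED_PATCHERS:
            # A patch outside change management can hide an earlier compromise.
            findings.add(("patch_by_unapproved_account", host, user))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Keying the failure counter on the target account rather than the source address is what lets the first rule fire when every attempt arrives from a different host.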