Search This Blog

Showing posts with label SAP. Show all posts

Active Cyber Attacks on Mission-Critical SAP Apps

 

Security researchers are warning about the arrival of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords. 

Over 400,000 organizations worldwide and 92% of Forbes Global 2000 use SAP's enterprise apps for supply chain management, enterprise resource planning, product lifecycle management, and customer relationship management.

According to a study released jointly by SAP and Onapsis, threat actors launched at least 300 successful attacks on unprotected SAP instances beginning in mid-2020. Six vulnerabilities have been exploited, some of which can provide complete control over unsecured applications. Even though SAP had released fixes for all of these flaws, the targeted companies had not installed them or were using unsecured SAP user accounts. 

"We're releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected," Tim McKnight, SAP Chief Security Officer, said. 

"This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise." Researchers also observed attackers targeting six flaws, these flaws, if exploited, can be used for lateral movement across the business network to compromise other systems. 

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems. In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to "maximize impact and potential damage."

According to an alert issued by CISA, organizations impacted by these attacks could experience, theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and halt of all operations. 

Patching vulnerable SAP systems should be a priority for all defenders since Onapsis also found that attackers start targeting critical SAP vulnerabilities within less than 72 hours, with exposed and unpatched SAP apps getting compromised in less than three hours. 

Both SAP and Onapsis recommended organizations to protect themselves from these attacks by immediately performing a compromise assessment on SAP applications that are still exposed to the targeted flaws, with internet-facing SAP applications being prioritized. 

Also, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.

"The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years," said Onapsis CEO Mariano Nunez.

"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action" Nunez added.

SAP Issued Warning and Updates Regarding the Serious Flaws with the Code Injection

 

A German multinational software corporation SAP ( Systems Applications and Products in Data Processing ) is known for developing software solutions that work on managing business operations as well as customer relations. SAP is the name of their software as well as of the company that works on this technology. SAP provides “future-proof Cloud ERP (Enterprise Resource Planning) solutions that will power the next generation of business.” With its advanced capabilities, SAP can boost your organization's efficiency and productivity by automating repetitive tasks, making better use of your time, money, and resources. 

SAP has published some 14 new updates or the Security Note on the 2020 December Patch Day. Whereas in January 2021 they published another set of 7 new Security Notes, later providing their new updates as well. Five of the seven have the highest severity rate of the Hot News. Later in the month, they made a proclamation where they published 10 advisories to a document of flaws ad fixes for a range of serious security vulnerabilities. In the congregation of asserted vulnerabilities, the most important issue bears a CVSS score of 9.9 in the SAP Business Warehouse. 

 The very first note addressed CVE-2021-21465 which according to SAP is multiple issues in the Database Interface. These bugs are an SQL Injection with a missing authorization check which should have featured a CVSS score of 6.5. A SQL Injection is basically a code injection technique that might at times destroy the database interface. One of the most common hacking technique used by hackers is SQL Injection. In the SQL Injection, another thing that was missing was Onapsis, a firm that secures Oracle and SAP applications. These missing authorization checks would easily exploit to read any table of a database. 

 Mentioning that minimum privileges are required for successful exploitation, Onapsis in a blog quoted, “An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” SAP decided to fix such bugs b disabling the function module and applying the patches that will result in abandoning of all the applications that call this function module. 

 Another serious issue, other than the aforementioned issue, is a code injection flaw in both Business Warehouse and BW/4H4NA , that addresses as CVE-2021-21466. This issue is a result of insufficient input validation. Such flaws are misused to inject malicious code that gets stored persistently as a repot. These issues potentially affect the confidentiality, integrity, and availability of systems. The remaining three from the total five updates are fixes for the programs released in 2018 and 2020. 

 Further SAP added as a warning, “An issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service”.