SAP systems increasingly targeted by cyber attackers

Long viewed as an opaque black box, SAP enterprise systems are increasingly the focus of attackers trying to break into them, according to research presented at Black Hat Europe 2024.

A review of four years of threat intelligence data, presented Friday at Black Hat by Yvan Genuer, a senior security researcher at Onapsis, reports a spike in hacker interest in breaking into enterprise resource planning (ERP) systems from SAP in 2020 that was sustained until the end of 2023.

The vast majority (87%) of the Forbes Global 2000 list of the world’s biggest companies use SAP, according to the enterprise software firm, with the technology handling 77% of the world’s transaction revenue.

ERP-focused cybersecurity firm Onapsis and threat intel research partner Flashpoint analyzed activities on criminal forums, ransomware incidents, chat sites, and ransomware group sites.

Diverse groups including cybercrime groups (FIN13 “Elephant Beetle”, Russian cybercrime group FIN7, and Cobalt Spider), cyber espionage crews (China’s APT10) and script kiddies are all actively targeting SAP-related vulnerabilities.

SAP exploits are being sold by criminal groups

The CVE-2020-6287 (RECON) and CVE-2020-6207 (SAP Solution Manager missing authentication) vulnerabilities lit the touch paper on discussions about how best to exploit SAP systems.

Onapsis cited an example where a purported exploit on SAP Secure Storage was offered for sale at $25,000 in August 2020. Buyers offered to pay $50,000 for SAP NetWeaver pre-authentication remote code execution or authentication bypass exploits in September 2020. Later posts offered up to $250,000 for working exploits against SAP systems.

Active discussions in cybercriminal forums about SAP-specific Cloud and Web services have increased 220% from 2021 to 2023, according to Onapsis.

Cybercriminals frequent these forums to discuss details on how to exploit SAP vulnerabilities as well as exchange tips and tricks on monetizing SAP compromises and how to execute attacks against potential victims.

In parallel, there has been a reported fivefold (400%) increase in ransomware incidents involving SAP systems since 2021. Unpatched SAP vulnerabilities are also being exploited and used in ransomware campaigns.

Public critical exploits are now four years old and losing their effectiveness, so threat actors are keen to get their hands on “fresh” weapons, according to Onapsis. Publicly disclosed vulnerabilities in SAP applications, such as CVE-2021-38163 and CVE-2022-22536 among others, are also being targeted.

Hackers are feasting on resolved but unpatched vulnerabilities

Many attacks leverage known but unpatched vulnerabilities within SAP systems.

The demand for SAP zero-days (unpatched vulnerabilities) from diverse groups is only growing because they represent a potentially huge return on investment, according to Onapsis. “SAP is no longer a black box — consider SAP applications as targeted,” Onapsis’ Genuer warned, adding that not only internet-exposed systems were being hacked.

Onapsis concluded that the complexity of SAP systems and their integration into broader business processes create unique security challenges. Enterprises need to prioritize regular patch management, vulnerability assessments, and the adoption of advanced threat intelligence practices to stay ahead of potential threats, it advised.

Independent third-party experts agreed with Onapsis’s conclusion that SAP-based systems have become an increased focus of interest to attackers.

“SAP systems are prime targets for attackers due to their critical role in managing core operations for large enterprises, storing sensitive data such as financial transactions, intellectual property, and personal information,” according to Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. “Developing an exploit that can decrypt secure storage and facilitate lateral movement within SAP systems indicates a high level of technical expertise and effort, thus justifying a high price.”

For example, ReliaQuest discovered an exploit targeting SAP systems that was being advertised on a prominent cybercriminal forum for nearly $25,000 (payable in Bitcoin) and initially listed in August 2020.

The exploit purportedly facilitates lateral movement within targeted systems. “The post claims the exploit can use SAP Secure Storage to uncover credentials, elevate privileges, and eventually compromise additional SAP systems beyond the initial target,” according to ReliaQuest.

SAP Secure Storage is essential for managing sensitive data and credentials within an SAP environment, making any exploit for SAP systems highly valuable for anyone seeking unauthorized access or elevated privileges.

John Leyden