Bad actors—either nation-states or criminal enterprises—are working overtime to get into your systems and take them over for their own nefarious purposes. And if you aren’t updating the security patches on your SAP products as you should, it’s kind of like going on vacation and leaving your house unlocked.

Don’t be surprised if you come back and find the place looted.

On April 6, 2021, security researchers from Onapsis (the only SAP-endorsed partner for cybersecurity and compliance), working with SAP, issued a stark alert. Bad-actor activity and techniques could lead to “full control of unsecured SAP applications.”

That means if you aren’t updating the security patches on your SAP products, there is a very good chance cyber criminals could enter and take over your entire network. And that could mean a severe blow to your bottom line and reputation, along with additional time, money, and energy trying to clean up the resulting mess. Adding to the list of potential miseries, regulatory compliance for financial (Sarbanes-Oxley Act), privacy (General Data Protection Regulation), and other mandates may be at risk, as unpatched and misconfigured SAP systems present a deficiency in IT controls that would result in audit and compliance violations and penalties, the report states.

How big a deal is this?

Nearly 80% of the world’s transactional revenue touches an SAP system, according to the alert. And more than 90% of the Forbes Global 2000 have standardized on SAP to “power their operations and fuel the global economy.”

Increasing Challenge

As with any online-facing system, SAP operates in an environment where hackers have the motivation and skills to stay ahead of efforts to mitigate their harm.

Threat actors possess the “domain expertise to carry out sophisticated attacks specific to mission-critical SAP applications,” according to the report, “directly targeting sensitive data and critical processes.”

Over 300 successful exploitations were observed over the course of this study, targeting vulnerabilities specific to SAP systems. Attackers attempted to access SAP systems to modify configurations and users and to exfiltrate business information.

Adding to the security challenges, exploit attempts have been observed as soon as 72 hours from the release of a patch, “proving diligent and rapid patch prioritization is required or countermeasures applied if patches cannot timely be applied,” the report states.

New unprotected SAP applications provisioned in cloud environments were discovered and attacked in less than three hours, stressing the need to “shift left” and ensure new mission-critical applications are provisioned securely from day one.

Organizations using SAP NetWeaver, especially versions 7.30, 7.31, 7.40, 7.50, should be “really concerned,” said Cody Bernardy, founder and senior security engineer focusing on vulnerability management for Blackburn Security, based in Spokane, Washington.

“Not only are nation states [advanced persistent threats] targeting this specific application—the ease of exploiting it by anyone is also high,” Bernardy said. “This vulnerability is rated a CVSSv3 10.0, which is the highest rating of a vulnerability.”

What Should You Do to Protect Yourself?

SAP and Onapsis recommend that organizations take the following steps to mitigate risk, said Richard Puckett, SAP chief information security officer:

Immediately perform a compromise assessment on SAP applications that are still exposed to vulnerabilities, or that have not been promptly secured upon the release of the relevant SAP security patches, he said. Internet-facing SAP applications should be prioritized.

  • Immediately assess all applications in the SAP environment for risk, and apply the relevant SAP security patches and secure configurations.
  • Immediately assess SAP applications for the existence of misconfigured and/or unauthorized high-privilege users, and perform a compromise assessment on at-risk applications.
  • If assessed SAP applications are currently exposed and mitigations cannot be applied in a timely manner, compensating controls should be deployed and activity monitored to detect any potential threat activity until such mitigations are implemented.

Is My Organization Prepared for Future Threats?

When it comes to making sure a company’s personnel are prepared to prevent future threats, SAP and Onapsis tell ASUG that companies should pursue the following, according to Puckett.

Risk, cybersecurity, and SAP leaders should implement a specific mission-critical application protection program as part of their overall cybersecurity and compliance strategy to protect these applications effectively and comprehensively.

Organizations should regularly conduct cyber risk assessments.

“While many organizations believe traditional security approaches are enough to protect mission-critical ERP applications, they are generally out of scope for security teams—creating a cybersecurity blind spot,” said Puckett. “A cybersecurity assessment provides a detailed report of existing vulnerabilities, code, or transport security issues and IT controls deficiencies, highlighting potential exploits and compliance violations. Organizations can use these assessments to develop, prioritize, and expedite remediation plans.”

SAP also offers an array of support services and even hosted infrastructure that customers can take advantage of to assist with regular maintenance and upkeep of their services.

“There are even options to migrate to the cloud using RISE with SAP to further reduce that burden of daily management and upkeep,” said Puckett. “Additionally, Onapsis has developed and released updated open-source tools to assess at-risk SAP applications for vulnerabilities and Indicators of Compromise—helping to support defenders within the security community. These tools are available to download for free at the Onapsis GitHub repository.”

“Finally, security operations teams should deploy threat-monitoring capabilities integrated into SIEM systems and workflows such that they have eyes on the activity of insiders as well as threat actors,” Puckett said.

Should I Be Worried?

SAP users “will not achieve anything by being worried,” said Robert Nunley, senior security architect for Crimson Resolve, a cybersecurity firm based in Bradenton, Florida. “Rather, all users, SAP included, should be informed of the threats facing them and the business technologies they use.”

Those SAP users, he said, “are the first line of an organization’s defense, providing early warning capabilities of potential attacks, early detection of suspicious activity, and can bolster an organization’s security posture by practicing good security hygiene in both their professional and personal lives.”
