This blog was written as part of our partnership with SAP®.
Have you ever received an email from a company you do business with about a data breach impacting your personal data? Or seen a headline about a major corporate breach and been concerned about what it may mean for you as a customer? As cyber threats continue to increase, more and more organizations are disclosing cybersecurity breaches where perimeter defenses failed, critical data was taken, and compliance was compromised.
What is almost never disclosed in these announcements, however, are the specific applications attackers gained access to. Often, it’s a mission-critical application in areas such as ERP, CRM, SCM, SRM, PLM, or human capital management. Sometimes, it’s business intelligence that supports essential business functions and processes of the world’s largest commercial and governmental organizations, including supply chain, manufacturing, finance, sales and services, human resources and others. These applications are the crown jewels of their operations, regarded without exception as high-value assets (HVAs) that must be protected.
According to threat intelligence issued by SAP and Onapsis, there’s a critical cybersecurity blind spot impacting how many organizations protect their mission-critical SAP applications. At the same time, it’s clear that threat actors are active, capable, and widespread. This is evidenced by more than 300 automated exploitations leveraging seven SAP-specific attack vectors and more than 100 hands-on-keyboard sessions from a wide range of threat actors. This is clear evidence that today’s threat actors have sophisticated SAP domain knowledge, including knowledge of the implementation of SAP patches post-compromise.
Successful attacks on SAP systems could have far-reaching consequences for individual enterprises, entire industries, and societies worldwide. Did you know that:
- SAP applications are widely deployed and used for mission-critical operations worldwide by organizations in essential industries such as food distribution, medical device manufacturing, pharmaceuticals, critical infrastructure, government and defense, and more
- SAP customers distribute 78% of the world’s food, manufacture 82% of the world’s medical devices, and include 18 of the world’s 20 major vaccine producers, which use SAP software to manage everything from manufacturing to controlled distribution to administration and post-vaccine monitoring
- 77% of the world’s transaction revenue touches an SAP system
- 64% of SAP’s large enterprise sector customers are considered part of the critical infrastructure, as defined by the U.S. Department of Homeland Security
Think about your own organization: Imagine, for example, that an attacker accessed a vulnerable SAP system with maximum administrator privileges, bypassing all access and authorization controls. In this scenario, the attacker could gain full control of the affected SAP system, including its underlying business data and processes. With administrative access, the attacker would be able to read/modify/delete every record, file, and report in the system, as well as steal personally identifiable information (PII); read, modify or delete financial records; or change banking details.
If your mission-critical SAP applications are governed by specific industry and governmental regulations or used to meet financial and other compliance requirements (such as Sarbanes-Oxley requirements), having enforced controls bypassed by bad actors can result in serious regulatory and compliance deficiencies. For example, if you have known vulnerabilities and misconfigurations in SAP systems that can allow unauthenticated access and/or the creation of high-privileged user accounts, you would have a deficiency in IT controls that would trigger an audit failure and violate compliance. In such cases, you’d likely need to disclose the violation, pay for expensive third-party audits and penalties, and face fines and legal action.
In light of this information, there are two takeaways for every SAP customer: First, the window for defenders of your business is small. Critical SAP vulnerabilities are being weaponized in less than 72 hours of a patch release, and new unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours. And second, Onapsis can help. Only Onapsis provides visibility and proven protection for the business-critical application layer—whether on-premises, hybrid or cloud—so you can identify and understand risk, prioritize remediation, respond immediately to new threats, meet compliance and reduce the overall attack surface.
We highly encourage you to download and read the full threat report to learn more. To support SAP customers that want to engage in further investigation, threat remediation and additional post-compromise security monitoring:
- Onapsis is offering a Free Rapid Assessment, as well as a three-month free subscription to The Onapsis Platform for Cybersecurity and Compliance (provided in partnership with SAP).
- Attend our session at SAPPHIRE NOW, “New Threat Intel: Attacks on Mission-Critical SAP Applications.” Look for session FIN606.
For more information, please contact Onapsis at [email protected].