Security Experts: Majority of SAP Attacks Use One of Three Common Techniques

Attackers typically use one of three common techniques to compromise SAP systems at the application layer: pivoting between systems, attacks on SAP Portal, and database warehousing attacks, according to researchers from application security firm Onapsis.

Nearly 95 percent of SAP implementations were exposed to vulnerabilities which could result in a full data breach or compromise of business processes, Onapsis Research Labs found in a recent assessment.

Leaving these systems vulnerable to attack puts the organization's intellectual property, financial data, payment card information, customer and supplier lists, and database warehouse information at risk.

"Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications," said Mariano Nunez, CEO and co-founder of Onapsis.

Traditional security practices generally don't extend to securing SAP. There are different user access requirements, business rules, and data models in play, Nunez told SecurityWeek in an earlier interview. CISOs need to gain visibility into SAP-based assets to determine what is at risk. They also need to treat new attack vectors and anomalies in user behavior as indicators of compromise.

In one common technique, attackers pivot from a system with a lower security profile to a critical system to steal customer information and payment card details, researchers said. The technique abuses remote function calls (RFC): from the lower-trust system, the attacker executes function modules on the critical system.
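As an added illustration (not from the article or from Onapsis), the following Python sketch shows how a defender might enumerate such pivot paths from an inventory of RFC destinations. The inventory format, system IDs and tier labels are hypothetical and constructed for the example; a destination that carries stored logon data is treated as a hop an attacker who already controls the source system can take without further credentials, and the script reports every production system reachable that way from a non-production one.

```python
"""Enumerate RFC pivot paths from low-trust systems into production.

Added example, not the article's or Onapsis' code. The inventory below is
constructed: each tuple is (source SID, target SID, stored logon data?).
"""
from collections import deque

# Constructed inventory of RFC destinations (hypothetical systems).
DESTINATIONS = [
    ("DEV", "QAS", True),
    ("QAS", "PRD", True),   # QA -> production with saved credentials: the pivot hop
    ("PRD", "BW1", True),
    ("SBX", "PRD", False),  # no stored credentials: needs an interactive logon
]

# Hypothetical tier classification of the systems above.
TIERS = {"SBX": "sandbox", "DEV": "dev", "QAS": "qa", "PRD": "prod", "BW1": "prod"}


def build_graph(destinations):
    """Directed graph of hops usable without extra credentials (stored logon data only)."""
    graph = {}
    for src, dst, stored in destinations:
        if stored:
            graph.setdefault(src, set()).add(dst)
    return graph


def pivot_paths(destinations, tiers):
    """Map each non-production system to the stored-credential RFC paths that
    reach a production system from it (breadth-first, shortest path per target)."""
    graph = build_graph(destinations)
    findings = {}
    for start, tier in tiers.items():
        if tier == "prod":
            continue
        parent = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in sorted(graph.get(cur, ())):
                if nxt not in parent:
                    parent[nxt] = cur
                    queue.append(nxt)
        for node in parent:  # insertion order == BFS discovery order
            if tiers.get(node) != "prod":
                continue
            path, n = [], node
            while n is not None:
                path.append(n)
                n = parent[n]
            findings.setdefault(start, []).append(list(reversed(path)))
    return findings


if __name__ == "__main__":
    for start, paths in pivot_paths(DESTINATIONS, TIERS).items():
        for path in paths:
            print(f"{start}: " + " -> ".join(path))
```

Each reported path is one the RFC layer will follow without a challenge, so every system on it, not just the production endpoint, must be protected to the production standard.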

Another common technique is to exploit a vulnerability in the SAP J2EE User Management Engine to create backdoors. This way, malicious adversaries gain access to SAP Portals, Process Integration platforms, and related internal systems frequently used by customers and suppliers. Considering the rise in third-party breaches, where attackers break into supplier systems to piggyback into enterprise systems, this technique poses serious risks to the organization.

The third technique exploits vulnerabilities in the SAP RFC Gateway to execute operating system commands with the privileges of a particular user. This form of database warehousing attack targets SAP's proprietary protocols and lets attackers modify data stored in the database.
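The article does not say how the gateway is hardened; the check below is an added example, not code from the article or from Onapsis. It assumes the gateway's secinfo access control list in SAP's documented version-2 line syntax (`P` or `D`, then `TP=`, `HOST=`, `USER=`, `USER-HOST=` fields, with `*` as a wildcard and the keywords `internal` and `local`), and that the gateway applies the first matching rule. The two ACLs are constructed for the example; `rfcexec` and `sapxpg` are named because they are the standard gateway-started programs that execute OS commands, which is exactly what the technique above relies on. Partial wildcards such as `host*` are not modelled.

```python
"""Flag permissive SAP RFC Gateway secinfo rules and evaluate requests against them.

Added example, not from the article or Onapsis. Assumes secinfo version-2
syntax and first-match-wins evaluation; both sample ACLs are constructed.
"""

# Programs conventionally started through the gateway to run OS commands.
OS_EXEC_PROGRAMS = {"rfcexec", "sapxpg"}

# Constructed weak ACL: two wildcard-host permits, and a deny that is never reached.
WEAK_SECINFO = """\
#VERSION=2
P TP=rfcexec USER=* HOST=* USER-HOST=*
P TP=sapxpg HOST=internal,local USER=* USER-HOST=local
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed hardened ACL: only the application servers may start sapxpg, everything else denied.
HARDENED_SECINFO = """\
#VERSION=2
P TP=sapxpg HOST=internal,local USER=* USER-HOST=internal,local
D TP=* USER=* HOST=* USER-HOST=*
"""


def parse_secinfo(text):
    """Parse version-2 secinfo lines into a list of (action, {FIELD: value})."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        fields = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {token!r}")
            fields[key.upper()] = value
        rules.append((action, fields))
    return rules


def _matches(pattern, value):
    """'*' matches anything; otherwise a case-insensitive comma-separated list (simplified)."""
    if pattern == "*":
        return True
    return value.lower() in {p.strip().lower() for p in pattern.split(",")}


def evaluate(rules, tp, host, user="*", user_host=None):
    """Return 'P' or 'D' for a start request; first matching rule wins, no match means deny."""
    user_host = host if user_host is None else user_host
    for action, f in rules:
        if (_matches(f.get("TP", "*"), tp)
                and _matches(f.get("HOST", "*"), host)
                and _matches(f.get("USER", "*"), user)
                and _matches(f.get("USER-HOST", "*"), user_host)):
            return action
    return "D"


def find_permissive(rules):
    """Indices of permit rules letting any host start any program, or an OS-command executor."""
    findings = []
    for idx, (action, f) in enumerate(rules):
        if action != "P":
            continue
        tp, host = f.get("TP", "*"), f.get("HOST", "*")
        if host == "*" and tp == "*":
            findings.append((idx, "any host may start any program"))
        elif host == "*" and tp.lower() in OS_EXEC_PROGRAMS:
            findings.append((idx, f"any host may start {tp} (OS command execution)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SECINFO), ("hardened", HARDENED_SECINFO)):
        rules = parse_secinfo(text)
        print(name, find_permissive(rules),
              "rfcexec from attacker host:", evaluate(rules, "rfcexec", "attacker.example"))
```

Note the ordering point the weak ACL illustrates: because the first matching rule decides, a trailing `D TP=*` line adds nothing once a wildcard permit precedes it, so the check looks at every permit, not only at whether a deny exists.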

The trend is exacerbated by SAP HANA. "With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise," Nunez said.

Onapsis researchers demonstrated at the recent RSA Conference how attackers could chain together these techniques to create a brand new user account on an SAP system and then access related systems to access and modify data.

Worryingly, most companies included in the Onapsis assessment took 18 months or longer to roll out patches and updates, researchers found. Considering that SAP released 391 security patches in 2014, with half flagged as "high priority," the delay can be disastrous for the organization. "The truth is that most patches applied are not security-related, are late or introduce further operational risk," Nunez said.

Organizations running critical business processes in SAP Business Suite need to stay up-to-date with SAP Security Notes and make sure their systems are configured correctly. Continuous monitoring helps catch security and compliance issues before they turn into incidents.

A significant number of large enterprises worldwide--87 percent of the Global 2000--rely on SAP for critical business operations. Of the world's 100 most valuable brands, 98 run SAP. It is easier to explain to directors and senior management why it is important to secure SAP applications because they understand how critical the systems are to their operations, Nunez said. Boards are frequently open to plans adding SAP cybersecurity to the organization’s strategy and roadmap, he said.

“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team,” Nunez said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.