Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Majority of SAP Attacks Use One of Three Common Techniques

Attackers typically use one of three common techniques to compromise SAP systems at the application layer: pivoting, portal attacks, and database warehousing, according to researchers from application security firm Onapsis.

Attackers typically use one of three common techniques to compromise SAP systems at the application layer: pivoting, portal attacks, and database warehousing, according to researchers from application security firm Onapsis.

Nearly 95 percent of SAP implementations were exposed to vulnerabilities which could result in a full data breach or compromise of business processes, Onapsis Research Labs found in a recent assessment.

Leaving these systems vulnerable to attack puts the organization’s intellectual property, financial data, payment card information, customer and supplier lists, and database warehouse information at risk.

“Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications,” said Mariano Nunez, CEO and co-founder of Onapsis.

Traditional security practices generally don’t extend to securing SAP. There are different user access requirements, business rules, and data models in play, Nunez told SecurityWeek in an earlier interview. CISOs need to gain visibility into SAP-based assets to determine what is at risk. CISOs also need to detect new attack vectors and user behavior anomalies as being indicators of compromise.

In one common attack technique, attackers pivot from a system with lower security profile to a critical system to steal customer information and payment card details, researchers said. This technique lets attackers execute remote function modules on a critical system from lower systems.

Another common technique is to exploit a vulnerability in the SAP J2EE User Management Engine to create backdoors. This way, malicious adversaries gain access to SAP Portals, Process Integration platforms, and related internal systems frequently used by customers and suppliers. Considering the rise in third – party breaches where attackers break into supplier systems to piggyback into enterprise systems, this technique pose serious risks to the organization.

The third technique executes operating system commands under the privileges of a particular user and exploits vulnerabilities in the SAP RFC Gateway. This form of database warehousing attacks target proprietary protocols and let attackers modify data stored in the database.

The trend is exacerbating with SAP HANA. “With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise,” Nunez said.

Onapsis researchers demonstrated at the recent RSA Conference how attackers could chain together these techniques to create a brand new user account on an SAP system and then access related systems to access and modify data.

Worryingly, most companies included in the Onapsis assessment spent 18 months or longer rolling out patches and updates, researchers found. Considering that SAP released 391 security patches in 2014, with half flagged as “high priority,” the delay can be disastrous for the organization. “The truth is that most patches applied are not security-related, are late or introduce further operational risk,” Nunez said.

Organizations running critical business process in SAP Business Suite need to stay up-to-date with SAP Security Notes and make sure their systems are configured correctly. Continuous monitoring will help prevent security and compliance issues.

A significant number of large enterprises worldwide–87 percent of the Global 2000–rely on SAP for critical business operations. Of the world’s 100 most valuable brands, 98 run SAP. It is easier to explain to directors and senior management why it is important to secure SAP applications because they understand how critical the systems are to their operations, Nunez said. Boards are frequently open to plans adding SAP cybersecurity to the organization’s strategy and roadmap, he said.

“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team,” Nunez said.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...