Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Open Source Tool Checks SAP Systems for RECON Attack IOCs

Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.

Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.

RECON is the name assigned to a recently disclosed vulnerability — officially tracked as CVE-2020-6287 — that researchers at Onapsis identified in a component used by many SAP products.

The critical vulnerability can be exploited by a remote, unauthenticated attacker who has access to the targeted system to create a new SAP admin user, allowing them to gain full control of the system.

SAP released patches earlier this month, but Onapsis warned at the time that over 40,000 SAP customers could be affected and the cybersecurity company estimated that at least 2,500 systems in North America, Europe and the APAC region were exposed to attacks from the internet.

Proof-of-concept (PoC) exploit code was released by a researcher shortly after disclosure and at around the same time threat intelligence company Bad Packets reported seeing mass scanning activity targeting the RECON vulnerability.

Onapsis announced on Wednesday that it has released INSTANT RECON, an open source vulnerability assessment and indicator of compromise (IoC) scanner for CVE-2020-6287.

This free tool is designed to conduct a blackbox scan of SAP applications to determine if they are vulnerable, and it performs a basic analysis of SAP application logs in an effort to determine if the RECON vulnerability has already been exploited against the user’s organization.

“If IoCs are identified, it is strongly recommended that you perform an in-depth forensic examination of the evaluated systems (and inter-connected ones), to determine the scope and extent of a potential compromise,” Onapsis explained in the tool’s README file on GitHub.

Advertisement. Scroll to continue reading.

The company also pointed out, “There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are either not exposed to RECON (and other vulnerabilities) or that the applications have not been compromised. Several conditions can affect the state of the assessed applications and/or log files, resulting in false positives and/or false negatives.”

INSTANT RECON can be found on GitHub, but it has also been made available as a free online tool, with results of the scan being sent to users via email.

If an attacker successfully exploits the flaw, they can read or modify files and database records, which could allow them to steal personal and financial information, change financial details, disrupt operations, execute OS commands, and cover their tracks by modifying or deleting logs.

Related: Industrial Cybersecurity Firm Claroty Releases Open Source Database Parser

Related: Sophos Releases Sandboxie in Open Source

Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.