Open Source Tool Checks SAP Systems for RECON Attack IOCs

Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.

RECON is the name assigned to a recently disclosed vulnerability — officially tracked as CVE-2020-6287 — that researchers at Onapsis identified in a component used by many SAP products.

The critical vulnerability can be exploited by a remote, unauthenticated attacker who has access to the targeted system to create a new SAP admin user, allowing them to gain full control of the system.

SAP released patches earlier this month, but Onapsis warned at the time that over 40,000 SAP customers could be affected and the cybersecurity company estimated that at least 2,500 systems in North America, Europe and the APAC region were exposed to attacks from the internet.

Proof-of-concept (PoC) exploit code was released by a researcher shortly after disclosure and at around the same time threat intelligence company Bad Packets reported seeing mass scanning activity targeting the RECON vulnerability.

Onapsis announced on Wednesday that it has released INSTANT RECON, an open source vulnerability assessment and indicator of compromise (IoC) scanner for CVE-2020-6287.

This free tool is designed to conduct a blackbox scan of SAP applications to determine if they are vulnerable, and it performs a basic analysis of SAP application logs in an effort to determine if the RECON vulnerability has already been exploited against the user’s organization.

“If IoCs are identified, it is strongly recommended that you perform an in-depth forensic examination of the evaluated systems (and inter-connected ones), to determine the scope and extent of a potential compromise,” Onapsis explained in the tool’s README file on GitHub.

The company also pointed out, “There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are either not exposed to RECON (and other vulnerabilities) or that the applications have not been compromised. Several conditions can affect the state of the assessed applications and/or log files, resulting in false positives and/or false negatives.”

INSTANT RECON can be found on GitHub, but it has also been made available as a free online tool, with results of the scan being sent to users via email.

If an attacker successfully exploits the flaw, they can read or modify files and database records, which could allow them to steal personal and financial information, change financial details, disrupt operations, execute OS commands, and cover their tracks by modifying or deleting logs.

Related: Industrial Cybersecurity Firm Claroty Releases Open Source Database Parser

Related: Sophos Releases Sandboxie in Open Source

Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities