SAP Applications Increasingly in Attacker Crosshairs, Report Shows

Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint.


Malicious hackers are showing an alarming increase in interest in compromising SAP applications and data at targeted organizations, according to a new report from Onapsis and Flashpoint.

This interest appears to be fueled by the migration of SAP applications to the cloud and by adversaries' growing ability to find and exploit misconfigurations and missing security patches in both cloud and on-premises deployments.

Over the past three years, ransomware attacks against SAP systems went up 400%, and the price brokers are willing to pay for exploits targeting SAP vulnerabilities rose by the same proportion, the report said. On hacker forums, chatter related to SAP flaws and exploits went up 490%, while discussions related to SAP-specific cloud and web services increased 220%.

“The facts are clear: unprotected cloud, hybrid and on-premise SAP applications are being attacked by malicious threat actors for data theft, financial fraud and – increasingly – ransomware,” Onapsis said.

High-profile threat actors such as APT10, FIN7, FIN13, and Cobalt Spider have been observed exploiting SAP vulnerabilities in attacks targeting organizations across various industries.

APT10 has targeted many sectors to exfiltrate financial statements from SAP applications; Cobalt Spider mainly targets finance, gaming, hospitality, and retail; FIN7 is known for targeting payment systems across industries; and FIN13 exploits SAP vulnerabilities to compromise organizations in financial, hospitality, and retail verticals.

The increased adversary interest in compromising SAP solutions is not surprising. The enterprise software maker has over 400,000 customers globally, including 99 of the 100 largest companies in the world, and threat actors seek high-profile targets in the hope of high returns.

Following the increase in dark web conversations on SAP, the prices for exploits went up significantly as well. Exploit acquisition firms are offering tens of thousands of dollars for remote code execution (RCE) flaws and exploits in SAP products.


Earlier this month, Crowdfense announced it would pay up to $250,000 for full-chain RCE exploits in SAP products, “or previously unreported, exclusive capabilities”.

On the dark web, threat actors are discussing not only SAP vulnerabilities but also actual compromises involving SAP products, Onapsis and Flashpoint said.

The security firms have identified multiple already-patched SAP flaws that are actively exploited by ransomware groups and other threat actors, such as CVE-2018-2380, which has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

“This evidence further reinforces the need to ensure SAP applications are not only protected at the operating system / endpoint level, but also at the application level validating that SAP Security Notes, configurations, interfaces, third-party transports and user authorizations are properly secured,” the report added.
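The report's point about validating SAP Security Notes against what is actually exploited can be turned into a routine check: pull the SAP entries out of CISA's KEV feed and compare them with the Security Notes an organization has applied. The script below is an added example written for this page, not code from Onapsis, Flashpoint or CISA. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the published known_exploited_vulnerabilities.json schema, but the feed excerpt, the Security Note numbers and the CVE-to-Note mapping are constructed sample data; only CVE-2018-2380 is a real identifier, and its product and dates here are illustrative.

```python
"""Cross-check SAP CVEs in the CISA KEV catalog against applied SAP Security Notes.

Added example, not part of the report. KEV field names follow the public JSON
schema; the entries, note numbers and mapping below are constructed sample data.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
# CVE-2018-2380 is the CVE the report cites; the CVE-0000-* IDs are placeholders
# so the vendor filtering and sorting are visible. Dates are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2018-2380", "vendorProject": "SAP",
         "product": "Customer Relationship Management", "dateAdded": "2022-03-25",
         "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0001", "vendorProject": "SAP",
         "product": "Placeholder product", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Placeholder product", "dateAdded": "2024-02-01",
         "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed mapping from CVE to the SAP Security Note that corrects it. An
# organization maintains this from the notes it tracks; numbers are placeholders.
CVE_TO_NOTE = {"CVE-2018-2380": "0000001", "CVE-0000-0001": "0000002"}

# Constructed set of Security Notes already applied on the landscape.
APPLIED_NOTES = {"0000002"}


def load_kev(feed_json: str) -> list[dict]:
    """Parse a KEV feed (the downloaded JSON text) into its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def sap_entries(entries: list[dict]) -> list[dict]:
    """Keep only the entries CISA attributes to SAP as the vendor."""
    return [e for e in entries if e.get("vendorProject", "").strip().lower() == "sap"]


def unpatched_sap_kev(entries: list[dict], applied_notes: set[str],
                      cve_to_note: dict[str, str], today_iso: str) -> list[dict]:
    """Return SAP KEV CVEs whose corrective Security Note has not been applied.

    A CVE with no known note mapping is reported as well: an exploited CVE that
    cannot be tied to a note is a tracking gap, not a pass. Results are ordered
    so that ransomware-linked and overdue items come first.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for e in sap_entries(entries):
        note = cve_to_note.get(e["cveID"])
        if note is not None and note in applied_notes:
            continue
        findings.append({
            "cve": e["cveID"],
            "product": e.get("product", ""),
            "note": note,  # None when no Security Note is mapped to this CVE
            "overdue": today > date.fromisoformat(e["dueDate"]),
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in unpatched_sap_kev(load_kev(KEV_SAMPLE), APPLIED_NOTES, CVE_TO_NOTE, "2024-05-01"):
        flags = [k for k in ("ransomware", "overdue") if f[k]]
        note = f["note"] or "NO NOTE MAPPED"
        print(f"{f['cve']:16} note {note:<14} {f['product']:<32} {' '.join(flags)}")
```

Run against the real feed by replacing KEV_SAMPLE with the downloaded file's contents and CVE_TO_NOTE with the organization's own note tracking; the vendor filter is deliberately case-insensitive because the vendorProject string is free text in the catalog.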

Written by Ionut Arghire, an international correspondent for SecurityWeek.
