Malicious hackers are showing an alarmingly increased interest in compromising SAP applications and data at targeted organizations, according to a new report from Onapsis and Flashpoint.
This interest appears to be fueled by a migration of SAP applications to the cloud, and by an increase in adversaries' ability to target misconfigurations and missing security patches in both cloud and on-premises deployments.
Over the past three years, ransomware attacks against SAP systems went up 400%, as did the price brokers are willing to pay for exploits targeting SAP vulnerabilities, the report said [PDF]. On hacker forums, chatter related to SAP flaws and exploits went up 490%, while discussions related to SAP-specific cloud and web services increased 220%.
“The facts are clear: unprotected cloud, hybrid and on-premise SAP applications are being attacked by malicious threat actors for data theft, financial fraud and – increasingly – ransomware,” Onapsis said.
High-profile threat actors such as APT10, FIN7, FIN13, and Cobalt Spider have been observed exploiting SAP vulnerabilities in attacks targeting organizations across various industries.
APT10 has targeted many sectors to exfiltrate financial statements from SAP applications; Cobalt Spider mainly targets finance, gaming, hospitality, and retail; FIN7 is known for targeting payment systems across industries; and FIN13 exploits SAP vulnerabilities to compromise organizations in financial, hospitality, and retail verticals.
The increased adversary interest in compromising SAP solutions is not surprising. The enterprise software maker has over 400,000 customers globally, including 99 of the 100 largest companies in the world, and threat actors seek high-profile targets hoping for high returns.
Following the increase in dark web conversations on SAP, the prices for exploits went up significantly as well. Exploit acquisition firms are offering tens of thousands of dollars for remote code execution (RCE) flaws and exploits in SAP products.
Earlier this month, Crowdfense announced it would pay up to $250,000 for full-chain RCE exploits in SAP products, “or previously unreported, exclusive capabilities”.
On the dark web, threat actors are discussing not only SAP vulnerabilities, but also actual compromises involving SAP products, Onapsis and Flashpoint said.
The security firms have identified multiple SAP flaws that already have patches available but are being actively exploited by ransomware groups and other threat actors, such as CVE-2018-2380, which was also added to the CISA KEV (Known Exploited Vulnerabilities) catalog.
“This evidence further reinforces the need to ensure SAP applications are not only protected at the operating system / endpoint level, but also at the application level validating that SAP Security Notes, configurations, interfaces, third-party transports and user authorizations are properly secured,” the report added.