On April 6, 2021, US-CERT issued an urgent alert warning about an ongoing malicious campaign that leverages old vulnerabilities in mission-critical SAP applications to target organizations worldwide. According to security experts, threat actors apply a variety of techniques, tactics, and procedures to target insecure instances. The successful attack might result in full system compromise, sensitive corporate data dumping, and crucial business processes disruption.
According to the joint report by SAP and Onapsis Research Labs, threat actors perform high-privilege SAP user accounts brute-forcing and leverage a variety of known flaws (CVE-2020-6287, CVE-2016-3976, CVE-2020-6207, CVE-2016-9563, CVE-2020-5326, CVE-2016-3976) for initial compromise, privilege escalation, command execution, and lateral movement across the compromised systems. Three of these flaws (CVE-2020-6287, CVE-2016-3976, CVE-2020-6207) possess a CVSSv3 score of 10.0, being a highly critical threat to SAP systems and business applications. The rest of the flaws are high- and medium-severity issues that are also serving well for achieving the campaign’s malicious goals.
To expand the malicious capabilities and increase the scale of compromise, adversaries chain the vulnerabilities during the attacks against vulnerable SAP systems. The Onapsis report highlights one of these intrusions, during which hackers exploited CVE-2020-6287 to create an admin user and log in to the targeted system with the highest privileges. Then, malicious actors leveraged CVE-2018-2380 for shell upload and used CVE-2016-3976 to access login credentials for high-privileged accounts and core databases. Notably, the whole malicious operation took less than 90 minutes.
Onapsis experts believe that malicious activity related to the SAP attack originates from a widespread infrastructure managed by coordinated threat groups. Adversaries rely on the same approach while performing OS intrusions, network-based attacks, and key business app compromise. Notably, the malicious activity is registered in multiple countries around the globe, including Hong Kong, Japan, India, the US, Sweden, Taiwan, Yemen, and Vietnam.
The coordinated actions are mainly aimed at reconnaissance, initial access, persistence, privilege escalation, evasion, and command and control of SAP systems, including financial, human capital management, and supply chain applications.
The attackers are continuously going after new vulnerabilities in SAP applications, being extremely fast at weaponizing them. The Onapsis report states that it takes hackers from 3 to 72 hours after the patch release to produce working exploits. In a view that many businesses fail to secure their installations timely, a threat to mission-critical SAP apps is persistent and ongoing.
Over 400,000 enterprises worldwide use SAP applications to manage their crucial business processes. The list includes leading pharmaceutical, utility, critical infrastructure, defense, governmental, and other high-profile organizations. Estimated, 92% of Forbes Global 2000 list relies on SAP systems to boost their daily operations. Furthermore, experts note that over 77% of the world’s transactional revenue touches SAP products. Therefore, the ongoing SAP attack poses a big risk to the global economy.
Although SAP hasn’t disclosed any direct customer-related breaches tied to this malicious campaign, security practitioners from Onapsis registered approximately 1,500 attacks against SAP applications during June 2020 – March 2021. At least 300 of them were successful and reached the malicious goal.
To detect SAP vulnerabilities exploitation and secure organizational environments, users are urged to perform a compromise assessment of their SAP applications and check whether all instances are fully patched against the existing flaws. All the vulnerabilities under fire are rather old, with a full set of patches and mitigations already available. Also, SAP customers are prompted to secure their Internet-facing accounts with strong credentials and minimize the number of systems facing the public web.
To enhance proactive defense from the possible attacks, you can download a set of Sigma rules released by the SOC Prime Content Team and our keen Threat Bounty developers.
Possible SAP Solution Manager Exploit Behavior [CVE-2020-6207] (via cmdline)
Suspicious SAP User Creation Operation [Possible Result of CVE-2020-6287 Exploitation] (via sap audit)
CVE-2020-6287 SAP NetWeaver – Authentication Bypass via LM Configuration Wizard
SAP NetWeaver Application Server (AS) Java CVE-2020-6287 Detection
Also, you can check the full list of detections related to the ongoing SAP attack directly from Threat Detection Marketplace. Stay tuned to our blog not to miss fresh rules on these nasty vulnerabilities.
Get a free subscription to Threat Detection Marketplace to reduce the meantime of cyber-attack detection with our 100K+ SOC content library. The content base enriches every day to identify the most alarming cyber threats at the earliest stages of the attack lifecycle. Have a desire to create your own curated content? Join our Threat Bounty community for a safer future!