Last week, Onapsis and Flashpoint released a report describing the evolution of the Treat Landscape around SAP Applications, including the intersection of SAP and Ransomware. Some of its highlights include a 490% increase of the mentions to SAP exploits or vulnerabilities across the open deep and dark web from 2020 to 2023, or a whopping 400% increase in the price or an Remote Command Execution exploit for SAP Applications from August of 2020 to April of 2024.

These Threat Intelligence indicates that Threat Actors of all types understand how to target SAP technology, by exploiting SAP CVE(s), exfiltrating financial reports from SAP Applications, performing financial fraud over extended periods of time, or even through the execution of Ransomware, which also targets SAP Applications and data. Some examples of these Threat Actors are APT10, a state sponsored actor, FIN7/FIN13, which are financially motivated Threat Actors or Cobalt Spider, a cybercriminal group. 

This is an effort moving in the direction of helping SAP Customers tackle cybersecurity threats such as active cyberattacks or ransomware, as done in the past jointly with SAP:

• Taking Ransomware Threats Seriously | SAP & Onapsis | SAP News 
• SAP and Onapsis Help Protect Against Cyber Threats | SAP News 

So as SAP Customers, what should we do? 

In short, Vulnerability Management, Threat Detection and Threat Intelligence should integrate and incorporate SAP Applications. 

•  Vulnerabilities and misconfigurations affecting SAP are used by Threat Actors to target SAP Applications, so SAP Customers should have proper vulnerability management programs addressing vulnerabilities and issues in a timely way.  There are specific vulnerabilities and risks that were identified as part of this research so those individual CVE(s) and misconfigurations are among the ones we should prioritize. Having said that, SAP releases patches periodically (second Tuesday of every month) and we should be able to process them and react accordingly. As an example, these are the patches released by SAP on April 2024: SAP Security Patch Day – April 2024   
• Threat Intelligence tailored to SAP Applications should be consumed and integrated into Security Operation Centers, giving defenders the right signals to protect these applications before the bad guys act. Besides this recently released report, in the past, CISA has released a number of alerts, warning SAP customers about a number of different threats: 

  • Malicious Cyber Activity Targeting Critical SAP Applications | CISA 

  • Critical Vulnerability in SAP NetWeaver AS Java | CISA 

  • New Exploits for Unsecure SAP Systems | CISA

  • Exploitation of SAP Business Applications | CISA

• Feeds of logs and audit trails should be integrated into existing continuous monitoring programs to detect when SAP vulnerabilities are being exploited, SAP users are compromised or any other type of threat is affecting SAP Applications. These types of signals are extremely important to understand what happens through an SAP Application and to proactively detect potential threats.

If you are interested on reading more of this research, the report is available for download at both Onapsis and Flashpoint sites (SAP community policies do not allow to add the link directly on this blog).