Cybersecurity experts report that a hacking group is running a campaign that exploits critical flaws in SAP applications which have not been upgraded to patched versions, putting the IT infrastructure of public and private organizations at serious risk.
In a joint report, SAP and security firm Onapsis noted that these attacks have already been reported to the Cybersecurity and Infrastructure Security Agency (CISA), which has requested users of unsafe versions to update as soon as possible.
While SAP acknowledges that it does not know how many cases of active exploitation have been recorded so far, the company notes that thousands of vulnerable deployments are still reachable over the Internet, which represents a severe security risk: “Attackers can even chain the exploitation of these vulnerabilities to maximize potential impact,” the report states.
According to the report, these are the flaws exploited in this campaign:
- CVE-2020-6287: Also known as RECON, this is a pre-authentication vulnerability that would allow threat actors to take control of vulnerable SAP systems
- CVE-2020-6207: A pre-authentication vulnerability that would allow threat actors to take control of SAP systems that have not been upgraded
- CVE-2018-2380: This vulnerability allows threat actors to escalate privileges and execute operating system commands after exploitation
- CVE-2018-2380: Threat actors could perform privilege escalation attacks to execute operating system commands
- CVE-2016-3976: A malicious hacker could exploit this flaw to escalate privileges and read arbitrary files via directory traversal, leading to unauthorized disclosure of information
Specialists report that chained exploitation of these flaws would allow theft of confidential information, financial fraud, ransomware infections and even large-scale disruption of regular operations. The report concludes by recommending that administrators of vulnerable systems update their deployments, as this campaign remains active.
If you cannot update immediately, experts recommend implementing additional protective measures:
- Perform continuous compromise assessments on vulnerable SAP applications. The full list of affected applications is available on SAP’s official platforms, although experts recommend prioritizing Internet-facing SAP applications
- Immediately assess the risk of all applications in the SAP environment
- Evaluate SAP applications for high-privileged or misconfigured users
- If the evaluated applications are currently exposed and mitigations cannot be applied in a timely manner, compensating controls should be implemented and the system monitored for suspicious activity
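The checklist above boils down to a triage question: which SAP systems should be patched first? The following added example (not code from SAP, Onapsis or the article) turns the report's own criteria into a scoring routine over a constructed inventory: unpatched pre-authentication flaws weigh most, a pre-auth flaw combined with a privilege-escalation flaw is flagged as chainable, Internet-facing systems are doubled in priority, and accounts carrying the standard SAP_ALL or SAP_NEW profiles are reported as high-privileged. The inventory records, the weights and the `SapSystem` structure are assumptions made for illustration.

```python
"""Prioritize SAP systems for patching using the criteria from the SAP/Onapsis report.

Added example, not code from SAP or Onapsis. Inventory data below is constructed;
the scoring weights are arbitrary illustration values.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class CveInfo:
    pre_auth: bool   # exploitable without credentials (takeover foothold)
    note: str        # capability as described in the report


# The CVEs named in the report and what each one gives an attacker.
CAMPAIGN_CVES: Dict[str, CveInfo] = {
    "CVE-2020-6287": CveInfo(True, "RECON: pre-auth takeover"),
    "CVE-2020-6207": CveInfo(True, "pre-auth takeover of unpatched systems"),
    "CVE-2018-2380": CveInfo(False, "privilege escalation, OS command execution"),
    "CVE-2016-3976": CveInfo(False, "privilege escalation, arbitrary file read"),
}

# Real SAP profile names that grant full administrative authority.
# Treating their presence as "high-privileged user" is this example's assumption.
HIGH_PRIVILEGE_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass
class SapSystem:
    sid: str
    internet_facing: bool
    missing_patches: List[str]            # CVE ids still unpatched on this system
    user_profiles: Dict[str, List[str]]   # user name -> assigned profiles


@dataclass
class Finding:
    sid: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def assess(system: SapSystem) -> Finding:
    """Score one system; higher means patch or apply compensating controls sooner."""
    f = Finding(system.sid)
    missing = [c for c in system.missing_patches if c in CAMPAIGN_CVES]
    pre_auth = [c for c in missing if CAMPAIGN_CVES[c].pre_auth]
    post_auth = [c for c in missing if not CAMPAIGN_CVES[c].pre_auth]

    if pre_auth:
        f.score += 50 * len(pre_auth)
        f.reasons.append("unpatched pre-auth takeover: " + ", ".join(pre_auth))
    if post_auth:
        f.score += 20 * len(post_auth)
        f.reasons.append("unpatched privilege escalation: " + ", ".join(post_auth))
    if pre_auth and post_auth:
        # The report warns that the flaws can be chained to maximize impact.
        f.score += 30
        f.reasons.append("chainable: pre-auth entry plus privilege escalation")
    if system.internet_facing and missing:
        # The report says to prioritize Internet-facing applications.
        f.score *= 2
        f.reasons.append("Internet-facing and still vulnerable")

    privileged = {
        user: sorted(set(profiles) & HIGH_PRIVILEGE_PROFILES)
        for user, profiles in system.user_profiles.items()
        if set(profiles) & HIGH_PRIVILEGE_PROFILES
    }
    if privileged:
        f.score += 10 * len(privileged)
        f.reasons.append("high-privileged users: " + ", ".join(sorted(privileged)))
    return f


def prioritize(systems: List[SapSystem]) -> List[Finding]:
    """Return findings sorted so the most urgent system comes first."""
    return sorted((assess(s) for s in systems), key=lambda f: f.score, reverse=True)


# Constructed sample inventory (SIDs, exposure and patch state are made up).
SAMPLE_INVENTORY = [
    SapSystem("PRD", True, ["CVE-2020-6287", "CVE-2018-2380"],
              {"ADMIN01": ["SAP_ALL"], "BATCH": ["Z_BATCH"]}),
    SapSystem("DEV", False, ["CVE-2016-3976"],
              {"DEVUSER": ["SAP_NEW", "Z_DEV"]}),
    SapSystem("QAS", True, [], {"QA1": ["Z_QA"]}),
]

if __name__ == "__main__":
    for finding in prioritize(SAMPLE_INVENTORY):
        print(f"{finding.sid}: score {finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

In the sample, PRD ranks first because it is Internet-facing and carries a chainable pre-auth plus escalation pair, DEV is flagged mainly for its SAP_NEW user, and the fully patched QAS scores zero despite being exposed; in practice the `missing_patches` and `user_profiles` fields would be fed from an actual patch inventory and a user/authorization export rather than typed in by hand.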
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.