Hackers are using these SAP vulnerabilities to sneak into your servers. Patch now

Cybersecurity experts report that a hacker group is running an attack campaign that exploits critical vulnerabilities in SAP applications that have not been upgraded to secure versions, putting the IT infrastructure of public and private organizations at serious risk.

In a joint report, SAP and security firm Onapsis noted that these attacks have already been reported to the Cybersecurity and Infrastructure Security Agency (CISA), which has urged users of unsafe versions to update as soon as possible.

While SAP acknowledges that it does not know how many cases of active exploitation have occurred so far, the company notes that thousands of vulnerable deployments can still be found on the Internet, representing a severe security risk: “Attackers can even chain the exploitation of these vulnerabilities to maximize potential impact,” the report states.

According to the report, these are the flaws exploited in this campaign:

  • CVE-2020-6287: Also known as RECON, this is a pre-authentication vulnerability that would allow threat actors to take control of vulnerable SAP systems
  • CVE-2020-6207: This is a pre-authentication vulnerability that would allow threat actors to take control of SAP systems that have not been patched
  • CVE-2018-2380: This vulnerability allows threat actors to escalate privileges and execute operating system commands after exploitation
  • CVE-2016-3976: A malicious hacker could exploit this flaw to escalate privileges and read arbitrary files through directory traversal, leading to unauthorized disclosure of information

Specialists report that chained exploitation of these flaws would allow the theft of confidential information, financial fraud, ransomware infections and even large-scale disruption of regular operations. The report concludes by recommending that administrators of vulnerable systems update their deployments, as this campaign remains active.

If you cannot update immediately, experts recommend implementing additional protective measures:

  • Perform continuous compromise assessments on vulnerable SAP applications. The full list of affected applications is available on SAP’s official platforms, although experts recommend prioritizing Internet-facing SAP applications
  • Immediately assess the risk of all applications in the SAP environment
  • Evaluate SAP applications for high-privileged or misconfigured users
  • If the evaluated applications are currently exposed and mitigations cannot be applied in a timely manner, compensating controls should be implemented and the system monitored for suspicious activity
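The recommendations above boil down to a triage exercise: which systems are still missing patches for the CVEs in the report, which of those are Internet-facing, and which carry high-privileged or standard accounts. The following script is an added example (it is not code from the report, SAP or Onapsis) that ranks a constructed SAP inventory on exactly those criteria. The scoring weights, the "too many privileged users" threshold and the sample systems are assumptions for illustration; the account names SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM are well-known SAP standard users, but which of them holds high privileges in your landscape must come from your own user audit (for instance an export of SAP_ALL / SAP_NEW assignments).

```python
"""Rank SAP systems for patching and compensating controls, following the
report's guidance: unpatched report CVEs, Internet exposure, and
high-privileged or standard accounts.  Added example; weights, thresholds
and the inventory are constructed, not taken from SAP or Onapsis."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The CVEs named in the report, with the page's own one-line description.
REPORT_CVES: Dict[str, dict] = {
    "CVE-2020-6287": {"pre_auth": True,  "summary": "RECON, pre-authentication takeover"},
    "CVE-2020-6207": {"pre_auth": True,  "summary": "pre-authentication takeover of unpatched systems"},
    "CVE-2018-2380": {"pre_auth": False, "summary": "privilege escalation and OS command execution"},
    "CVE-2016-3976": {"pre_auth": False, "summary": "directory traversal, arbitrary file read"},
}

# Well-known SAP standard accounts; a high-privileged one is a misconfiguration signal.
STANDARD_ACCOUNTS: Set[str] = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Assumed weights and threshold (tune to your own risk model).
WEIGHT_PRE_AUTH = 5        # unpatched pre-authentication CVE
WEIGHT_POST_AUTH = 3       # unpatched post-authentication CVE
WEIGHT_INTERNET = 2        # Internet-facing at all
WEIGHT_STANDARD_PRIV = 2   # standard account with high privileges
MAX_PRIVILEGED_USERS = 2   # more than this counts as misconfigured


@dataclass
class SapSystem:
    sid: str                   # system id, e.g. "PRD"
    internet_facing: bool
    patched: Set[str]          # CVE ids whose SAP security note is applied
    users: Dict[str, bool]     # user name -> holds high privileges


@dataclass
class Finding:
    sid: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def assess(system: SapSystem) -> Finding:
    """Score one system and record why each point was added."""
    f = Finding(system.sid)
    missing = [cve for cve in REPORT_CVES if cve not in system.patched]
    for cve in missing:
        info = REPORT_CVES[cve]
        f.score += WEIGHT_PRE_AUTH if info["pre_auth"] else WEIGHT_POST_AUTH
        f.reasons.append(f"unpatched {cve} ({info['summary']})")
    if system.internet_facing:
        f.score += WEIGHT_INTERNET
        f.reasons.append("Internet-facing")
        if missing:
            # The report singles out exposed, unpatched systems: double their score.
            f.score *= 2
            f.reasons.append("exposed and unpatched: patch or apply compensating controls first")
    for name, privileged in system.users.items():
        if privileged and name in STANDARD_ACCOUNTS:
            f.score += WEIGHT_STANDARD_PRIV
            f.reasons.append(f"standard account {name} holds high privileges")
    privileged_count = sum(1 for p in system.users.values() if p)
    if privileged_count > MAX_PRIVILEGED_USERS:
        f.score += 1
        f.reasons.append(f"{privileged_count} high-privileged users")
    return f


def prioritise(systems: List[SapSystem]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted((assess(s) for s in systems), key=lambda f: f.score, reverse=True)


# Constructed sample inventory; these are not real systems.
SAMPLE_INVENTORY = [
    SapSystem("PRD", True,  {"CVE-2016-3976"},
              {"SAP*": True, "DDIC": True, "jdoe": False}),
    SapSystem("DEV", False, set(REPORT_CVES),
              {"DDIC": True, "dev1": True, "dev2": True}),
    SapSystem("QAS", False, {"CVE-2020-6287", "CVE-2020-6207"},
              {"DDIC": False, "qa1": False}),
]

if __name__ == "__main__":
    for finding in prioritise(SAMPLE_INVENTORY):
        print(f"{finding.sid}: score {finding.score}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

On the sample data the Internet-facing production system missing both pre-authentication fixes lands far ahead of the others, which matches the report's advice to prioritise exposed applications; the fully patched development system still surfaces because of its privileged standard account and user count, which is the "high-privileged or misconfigured users" check.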

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.