Threat actors are targeting unsecured mission-critical SAP apps
Threat actors are targeting mission-critical SAP applications unsecured against already patched vulnerabilities, exposing the networks of organizations to attacks.
Over 400,000 orgs worldwide use SAP's enterprise apps for supply chain management (SCM), enterprise resource planning (ERP), product lifecycle management (PLM), and customer relationship management (CRM).
On April 6, cloud security firm Onapsis and SAP released a new threat intelligence report to help SAP customers protect against active cyber threats.
The threat intelligence collected and published by Onapsis in coordination with SAP shows that SAP customers still have unsecured applications in their environments that are visible via the Internet, exposing those organizations to infiltration attempts via attack vectors that should have been patched years ago.
Since mid-2020, when Onapsis started recording exploitation attempts targeting unpatched SAP apps, the firm's researchers found "300 successful exploitations through 1,500 attack attempts from nearly 20 countries between June 2020 and March 2021."
The threat actors have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the systems.
The vulnerabilities and attack methods used throughout this ongoing malicious activity, as highlighted in the threat report published by Onapsis, are:
Brute-force attacks targeting unsecured high-privilege SAP user account settings.
CVE-2020-6287 (aka RECON): a remotely exploitable vulnerability that enables unauthenticated attackers to take over vulnerable SAP systems.
CVE-2020-6207: a maximum-severity vulnerability that could also lead to the takeover of unpatched SAP systems.
CVE-2018-2380: enables threat actors to escalate privileges and execute OS commands after exploitation, allowing them to gain access to the database and to move laterally across the network.
CVE-2016-9563: attackers can exploit this bug to trigger denial-of-service (DoS) states and gain unauthorized access to sensitive information.
CVE-2016-3976: remote attackers can exploit it to escalate privileges and read arbitrary files, leading to information disclosure.
CVE-2010-5326: allows unauthenticated threat actors to execute OS commands and access the SAP app and the connected database.
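The first item on that list, brute-force attempts against high-privilege SAP accounts, is the one a defender can detect from authentication logs without any vendor patch. The script below is an added example written for this article, not code from Onapsis, SAP or BleepingComputer. It runs a sliding-window failed-logon detector over constructed sample log lines; the "timestamp user client terminal result" layout, the five-failures-in-five-minutes threshold, and the set of accounts treated as high-privilege (SAP*, DDIC and EARLYWATCH are well-known SAP default accounts) are all assumptions of the example, not SAP's own Security Audit Log format or any recommended threshold.

```python
"""Added example: flag brute-force attempts against high-privilege SAP accounts.

The log layout, the account list and the threshold are assumptions for this
example; adapt the parser to the audit log format actually in use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: accounts treated as high-privilege for alerting purposes.
HIGH_PRIVILEGE_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH"}

# Constructed sample log lines (not real data). Layout (assumed):
# <ISO timestamp> <user> <SAP client> <terminal/IP> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2021-03-01T10:00:01 SAP* 000 203.0.113.10 FAIL
2021-03-01T10:00:03 SAP* 000 203.0.113.10 FAIL
2021-03-01T10:00:05 SAP* 000 203.0.113.10 FAIL
2021-03-01T10:00:07 SAP* 000 203.0.113.10 FAIL
2021-03-01T10:00:09 SAP* 000 203.0.113.10 FAIL
2021-03-01T10:00:11 SAP* 000 203.0.113.10 SUCCESS
2021-03-01T10:05:00 JSMITH 100 10.0.0.5 FAIL
2021-03-01T10:05:30 JSMITH 100 10.0.0.5 SUCCESS
2021-03-01T11:00:00 DDIC 000 198.51.100.7 FAIL
2021-03-01T11:20:00 DDIC 000 198.51.100.7 FAIL
2021-03-01T11:40:00 DDIC 000 198.51.100.7 FAIL
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, client, terminal, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "client": client,
        "terminal": terminal,
        "result": result,
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, terminal) pair whose failed logons reach
    `threshold` inside any `window`-long interval. Only high-privilege
    accounts are examined. Each alert records whether a successful logon
    followed the last failure, which is the case that needs immediate triage."""
    events = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["user"] in HIGH_PRIVILEGE_ACCOUNTS:
            events[(ev["user"], ev["terminal"])].append(ev)

    alerts = []
    for (user, terminal), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]

        # Sliding window over the sorted failure timestamps.
        start = 0
        triggered = False
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                triggered = True
                break

        if triggered:
            last_fail = fails[-1]
            success_after = any(
                e["result"] == "SUCCESS" and e["ts"] > last_fail for e in evs
            )
            alerts.append({
                "user": user,
                "terminal": terminal,
                "failures": len(fails),
                "success_after": success_after,
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log and return the alerts."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only the SAP* burst from 203.0.113.10 trips the detector, and it is flagged with `success_after` set, because a successful logon followed the failures. The three spread-out DDIC failures stay below the window threshold, and JSMITH is ignored because the account is not in the high-privilege set; tune the window, threshold and account list to the landscape being monitored.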
SAP and Onapsis strongly advise organizations to take immediate action, including swift application of the relevant SAP security patches and a thorough review of the security configurations of their SAP landscape.
Source: bleepingcomputer.com
07 April 2021