Crooks are getting smarter about exploiting SAP software, study finds

SAP headquarters in Germany (Photo by Thomas Lohnes/Getty Images)


Security researchers on Tuesday warned of the unrelenting interest that cybercriminals have in exploiting applications made by software giant SAP to defraud or disrupt big businesses that rely on SAP products.

A months-long study by Boston-based security firm Onapsis found that malicious hackers are growing more knowledgeable of SAP software and the potential impact that compromises could have on customers.

In one case, an unidentified attacker managed to chain together multiple software exploits to target an SAP “credential store,” which stores login details for an organization’s high-value SAP users. Access to the credential store could give a hacker the ability to exploit other applications that interact with those credentials.

SAP has 400,000 customers worldwide, including more than half of NATO members. A big swath of the world’s largest public companies use the software to manage their business processes. A critical bug in SAP software could be a ticket for a criminal to steal a paycheck or employees’ personally identifiable information.

The roughly 300 exploitations of SAP vulnerabilities observed by Onapsis were all in a “honeypot,” or simulated network that was exposed to the internet and running outdated software. SAP said it didn’t know of any customer breaches related to the activity.

Still, the plethora of criminal groups exploiting the bugs has SAP executives publicly appealing for customers to update their software.

“We’re concerned about customers that have not applied the fixes for months or years to date,” said Tim McKnight, SAP’s chief security officer.

The Department of Homeland Security’s cybersecurity agency publicized the research and encouraged SAP customers to harden their networks.

“We observe attackers using multiple SAP threat vectors and vulnerabilities to get into the system,” Onapsis CEO Mariano Nunez said in a press call. “So we’re talking about a level of intent and capability that is higher than the spray-and-pray type of activity.”

Nunez has made a name for himself picking apart key corporate-management software made by SAP and Oracle. Onapsis last year revealed a critical bug in SAP software that the researchers said affected 40,000 SAP customers.
