New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Exposed and Unpatched SAP Applications Are Currently Being Targeted

More than 400,000 organizations around the world currently use SAP’s customer relationship management (CRM), product lifecycle management (PLM) and supply chain management (SCM) applications. SAP and cloud security company Onapsis along with the Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s Federal Office for Information Security (BSI) are currently warning customers of ongoing attacks while urging administrators to apply patches.

“SAP promptly patched all of the critical vulnerabilities observed being exploited, and have made them available to customers for months, and years in some cases. Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”

Onapsis began recording exploitation attempts in mid-2020. Since then, they have found “300 successful exploitations through 1,500 attack attempts from nearly 20 countries between June 2020 and March 2021.” Multiple vulnerabilities and insecure configurations are being taken advantage of in order to compromise systems. In some cases, multiple vulnerabilities were being chained together. In an alert issued by CISA yesterday, affected organizations could experience:

  • theft of sensitive data
  • financial fraud
  • disruption of mission-critical business processes
  • ransomware
  • halt of all operations

Analyst Notes

Some of the vulnerabilities being exploited date all the way back to 2010. Binary Defense highly recommends following the advice to patch outdated systems immediately. The reports also state that many of the instances occurring are from instances that are directly exposed to the internet. Organizations should protect business critical applications by placing them behind a VPN to prevent unauthorized access outside of the company network. Even if SAP affected applications are not directly exposed, they should still be patched as soon as possible. Unpatched systems, even when only accessible via the company network, may still pose a risk in the event of a compromise.