SAP customers who don’t apply the company’s security patches are at risk of hackers gaining full control of unsecured SAP applications and stealing sensitive information, according to alerts issued by the software company and the federal governments of the US and Germany.
The alert issued by Germany-based SAP and Boston-based cybersecurity company Onapsis on Tuesday urges SAP software users to apply security patches, review security configurations of their SAP applications, investigate at-risk environments and perform a compromise assessment.
SAP issued the alert about what it called “active threats” because “many” organizations have still not applied the relevant mitigations, even though SAP patches for the vulnerabilities have been available for months, and in some cases years.
“While SAP issues monthly patches and provides best practices for configuring systems, it is ultimately the responsibility of the customer or their service provider to apply mitigations in a timely manner and properly configure systems to keep critical business processes and data protected and in compliance,” according to the alert.
Onapsis also offers a free rapid assessment for SAP applications and a free three-month subscription to its cybersecurity and compliance platform app on the SAP Store, according to the alert.
The report documents evidence of more than 300 automated exploitation attempts from mid-2020 to Tuesday using seven SAP-specific attack vectors, as well as more than 100 hands-on-keyboard sessions by attackers. SAP vulnerabilities have been exploited within 72 hours of a patch release, and SAP applications in cloud environments have been compromised in less than three hours.
The more sophisticated attackers have chained multiple vulnerabilities together to target specific SAP applications and maximize the damage.
About 90 percent of the Forbes Global 2000 have applications standardized on SAP, and 77 percent of the world’s transactional revenue touches an SAP system, according to the alert.
Alerts were also issued by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, and Germany’s Federal Office for Information Security.