The US government is urging companies that use SAP to update and repair their application environments urgently, after a report released on Tuesday, 6, prepared by SAP itself and by Onapsis, a security company specializing in SAP solutions, inform about the mass exploitation of vulnerabilities.
The US Cyber Security and Infrastructure Agency (CISA) has reiterated the need for companies to prioritize reviewing the report. The agency says that affected customers could be exposed to data theft, financial fraud, ransomware and disruption of mission-critical operations and processes.
Onapsis claimed to have discovered more than 300 successful exploitation attempts in the course of its research alone, related to six known vulnerabilities and a critical configuration problem. Although two of these bugs were from last year, one dated 2018, two were fixed in 2016 and one was fixed in 2010.
The report also warned that attackers are quick to attack newly discovered vulnerabilities, turning exploits into weapons in less than 72 hours from the time patches are released and compromising new SAP applications in IaaS environments in less than three hours.
“The evidence clearly shows that cybercriminals are actively targeting and exploiting unprotected SAP applications with sophisticated and automated attacks. This research also validates that the threat actors have the means and the experience to identify and exploit unprotected SAP systems and are highly motivated to do so, ”noted the report.
“Onapsis researchers found recognition, initial access, persistence, privilege escalation, evasion and command and control of SAP systems, including financial applications, human capital management and supply chain”
In addition to vulnerability exploits, researchers also discovered the brute strength of high-privilege SAP user accounts and attempts to chain vulnerabilities to achieve escalation of privileges for access at the operating system level, which could give attackers access to more corporate systems broad.
SAP is used by more than 400,000 organizations worldwide, including 92% of Forbes Global 2000, 18 of the 20 largest vaccine manufacturers in the world and more than 1,000 government, NATO and military entities. With international news agencies.
See the original post at: https://www.cisoadvisor.com.br/emitido-novo-alerta-para-que-empresas-atualizem-ambientes-de-aplicativos-sap/?rand=59039
