New Report Reveals Evidence of Increased Cybercriminal Interest in ERP Applications

Boston, MA–April 17, 2024–New research from threat data and intelligence leader Flashpoint and ERP cybersecurity and compliance leader Onapsis reveals evidence that SAP business-critical applications are increasingly top of mind and valuable for cybercriminals. The report shows a significant rise in threat actor groups targeting SAP vulnerabilities, and aids defenders with actionable intelligence to ensure their mission-critical SAP applications are protected from these threats.

2023 was a critical inflection point for the SAP application threat landscape with new highs in threat activity and increased interest from prolific and well-established threat actor groups and state-sponsored cyberespionage groups. All SAP vulnerabilities observed within this report were patched by SAP several years ago, with SAP having made the relevant SAP Security Notes promptly available for customers. This indicates that threat actors continue to target and exploit organizations with weak cybersecurity governance for SAP applications, mostly taking advantage of known, unpatched SAP vulnerabilities and misconfigurations. This is of special relevance as customers migrate SAP applications to the cloud, further increasing their exposure to a growing number of threat actors.

This report from Onapsis Research Labs in collaboration with Flashpoint highlights the evolution of this threat landscape for SAP applications over the past four years and how the growing maturity of this cybercriminal market presents stark challenges to defenders of organizations globally. This collaborative research report reveals:

Rising Threats Against SAP Applications

• The SAP threat landscape is seeing well-established, highly sophisticated  threat actors and state-sponsored groups that are more aggressively targeting SAP applications for financial gain, espionage and sabotage.

Increased Evidence of Ransomware Attacks on SAP

• Since 2021, research demonstrates a 400% increase in ransomware incidents that involved compromising SAP systems and data at victim’s organizations.
• Unpatched SAP vulnerabilities are being exploited and used in ransomware campaigns, as highlighted by Onapsis Research as well as CISA.
• Recent evolution of ransomware and malware capabilities has occurred to enhance awareness of SAP processes and services, which demonstrates a renewed focus on successful ransomware execution and data extraction across SAP technology.

Increased Discussion and Interest in SAP Exploitation

• Conversations on SAP vulnerabilities and exploits have increased 490% across Open Deep and Dark Web from 2021 to 2023, including:
  • Details on how to exploit SAP vulnerabilities
  • Guidance for executing certain SAP exploits against victims
  • Actors discussing SAP compromises.
• There is high interest around SAP vulnerabilities, demonstrated by the conversations in cybercriminal forums, as well as its active exploitation.

Significant Growth in Threat Community Engagement 

• Active discussions in cybercriminal forums about SAP-specific Cloud and Web services have increased 220% from 2021 to 2023
  • Exposing critical SAP applications to a broader audience of malicious threat actors.
  • Enabling attackers to find SAP Applications over the Internet.

Proactive Measures and Warnings

• SAP and Onapsis have been proactively warning organizations of the increased risk of  malicious activity and ransomware threats targeting SAP applications for years. It is imperative for organizations to act to protect themselves.

                                         
The vast majority of large organizations utilize ERP applications from leading vendors like SAP and Oracle, incorporating solutions such as SAP Business Suite, SAP S/4HANA, and Oracle E-Business Suite/Financials. These applications are crucial for supporting a wide array of business processes, including payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics, and more. They are also pivotal in managing and hosting a vast range of sensitive data. This encompasses financial results, manufacturing formulas, pricing strategies, critical intellectual property, and sensitive information like credit card details and personally identifiable information (PII) of employees, customers, and suppliers.

Some companies are falling behind when it comes to ERP cybersecurity due to the lack of information about the threat actors in what was considered by many information security teams to be a complex and obscure domain.

The growing focus on ERP applications by cybercriminals highlighted in this report reflects a critical evolution in the threat landscape. It’s essential for organizations to integrate comprehensive threat intelligence into their security protocols to effectively counter these advanced threats,” said Christian Rencken, Senior Strategic Advisor at Flashpoint.

“This collaboration with Flashpoint provides a depth of threat intelligence that is critical for both security and SAP teams to understand,” said Juan Pablo (JP) Perez-Etchegoyen, CTO at Onapsis. “By showing how these applications are being targeted and the increasing frequency, we hope to help CIOs, CISOs and their teams manage the risk of wide-scale attacks.”

Download the report and hear from JP Perez-Etchegoyen and Christian Rencken, Senior Strategic Advisor at Flashpoint, as they detail this research live on April 24.

ABOUT FLASHPOINT

Flashpoint is the pioneering leader in security threat data and intelligence. We empower commercial enterprises and government agencies to decisively confront complex security challenges, reduce risk, and improve operational resilience amid fast-evolving threats. Through the Flashpoint Ignite platform, we deliver unparalleled depth, breadth and speed of data from highly relevant sources, enriched by human insights. Our solutions span cyber threat intelligence, vulnerability intelligence, geopolitical risk, physical security, fraud and brand protection. The result: our customers safeguard critical assets, avoid financial loss, and protect lives. Discover more at flashpoint.io.

ABOUT ONAPSIS

Onapsis protects the business applications that run the global economy. The Onapsis Platform delivers vulnerability management, change assurance, and continuous compliance for business applications from leading vendors such as SAP, Oracle, and others. The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 1,000 zero-day vulnerabilities in business applications.