Inside a C2 Attack: Unraveling SAP System Breaches
Meet the Authors
As SAP applications store valuable data, they are becoming increasingly attractive targets for threat actors, who exploit vulnerabilities for profit. It is crucial for companies to strengthen cybersecurity measures for SAP to prevent future attacks. A recent research by Onapsis and Flashpoint reveals that discussions about SAP vulnerabilities and exploits have surged significantly, indicating growing interest in SAP-related cyberattacks. Cybercriminal forums and hacking sites are increasingly hosting conversations about SAP exploits, with users either offering or seeking vulnerabilities that affect SAP applications. These discussions, found across various platforms like XSS.in, Exploit.in, GuardianeLinks, and Torum, Reveal a consistent interest among cybercriminals in targeting SAP systems.
Onapsis Research Labs has recently identified and studied another malicious action observed through their global threat intelligence cloud. An SAP system was breached and transformed into a command-and-control bot after a malicious file was injected through an SAP vulnerability. This compromised system then launched a distributed denial-of-service (DDoS) attack that involved Cloudflare. The attackers used the SAP system to try launching a Denial of Service (DoS) attack on other systems. They initially accessed the system through a virtual private server (VPS) to hide their identity and used automation for discovery and initial access. After compromising the system, the attackers directly interacted with it, deploying malware to attempt a remote DoS attack.
This incident shows the urgent need for a thorough and proactive approach to protect our digital assets and maintain the integrity of critical systems. To strengthen security and prevent remote code execution attacks related to SAP vulnerabilities, Onapsis prescribes key preventive measures given below:
- Regular Patching and Updates: Ensure that SAP systems are consistently updated with the latest security patches. Addressing known vulnerabilities quickly with available fixes is crucial for maintaining security.
- Role and Permission Management: Restrict access to sensitive SAP functions and features to only those users who need it. Tight control over roles and permissions helps reduce the risk of attacks.
- Input Filtering and Validation: Apply stringent input filtering and validation in SAP applications to block potential malicious code injections.
- Continuous Monitoring and Detection: Implement real-time monitoring to detect suspicious activities. Stay vigilant for attempts to exploit vulnerabilities and be prepared to respond swiftly.
- Cybersecurity Training: Educate employees on cybersecurity best practices and how to recognize potential threats to strengthen overall security awareness.
Securing SAP applications is crucial, and organizations should treat SAP security with the same importance as other parts of their cybersecurity. This means including SAP systems in existing security programs, regularly checking for and fixing vulnerabilities, and maintaining visibility across all SAP environments, whether on-premise or in the cloud. It is vital to address vulnerabilities, manage system settings, and control user access to protect against potential threats.
