on 08-Apr-2021 08:46
New research by the cybersecurity firm Onapsis and SAP detected 1,500 attempts to exploit mission-critical SAP systems, with over 300 successful exploitations, between mid-2020 and March 2021.
The research states that “the evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others”.
In addition, the research found that the attackers use sophisticated attack vectors, chaining several vulnerabilities to compromise the system.
The research found that there are six exploits used by the attackers:
Figure 1: Exploits used by attackers as illustrated in Onapsis’s report
Advanced WAF customers on any supported version are already protected against those vulnerabilities, as exploitation attempts will be detected by dedicated signatures. The signatures can be found under the “Path Traversal”, “Authentication/Authorization Attacks”, “Other Application Attacks” and “Server Side Code Injection” signature sets.
Figure 2: CVE-2010-5326 Exploit attempt blocked by signature id 200013037
Figure 3: CVE-2016-3976 Exploit attempt blocked by signature id 200007040
Figure 4: CVE-2016-9563 Exploit attempt blocked by signature id 200018030
Figure 5: CVE-2018-2380 Exploit attempt blocked by signature id 200007039
Figure 6: CVE-2020-6207 Exploit attempt blocked by signature id 200104675
Figure 7: CVE-2020-6207 Exploit attempt blocked by signature id 200104676
Figure 8: CVE-2020-6287 Exploit attempt blocked by signature id 200013021
Advanced WAF customers with a Threat Campaign license can detect and block campaigns targeting those vulnerabilities with the following Threat Campaigns: