SAP Exploits Used in Active Cyberattack Causing Widespread Infections

Exploits are being used against software-solutions giant SAP in an ongoing cyberattack, causing major disruption in the companies products and services, which could lead to unsecured applications. Hackers are carrying out a coordinated number of attacks on systems, according to a joint report by SAP and security researchers at Onapsis. Some of these attacks include the theft of sensitive data, financial fraud, disruption of mission-critical infrastructure, and the deployment of malware such as ransomware.

SAP is a German multinational corporation based in Baden-Württemberg that develops enterprise software to manage business operations and customer relations. The company is especially known for its enterprise resource planning (ERP) software, customer relationship management (CRM) software, and supply-chain management. SAP is the largest non-American software company by revenue as well as the world’s third-largest publicly-traded software company by revenue.

In their report, SAP noted that the attacks using the exploits could have far-reaching consequences.

“These are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,” the alert noted. “With more than 400,000 organizations using SAP, 77 percent of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.”

Government agencies should be especially wary of the exploits.

“SAP systems are a prominent attack vector for bad actors,” Kevin Dunne, president at Pathlock stated. “Most federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.”

Exploits Used in the SAP Cyberattack

The hackers are brute-forcing high-privilege SAP user accounts, as well as exploiting known bugs, including CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, and CVE-2010-5326.

Though their identity is not known, Onapsis has stated the hackers are “advanced threat actors,”, given how quickly they’ve been able to develop attacks based on the exploits.

There is “conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,” the alert reads. “The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.”

Timeline from Onapsis

The most notable issues are as follows:

CVE-2020-6287 – This exploit is highly critical. It is remotely exploitable, and exploitable through HTTP(s) protocols. No privileges are required (pre-auth) to exploit the vulnerability. CVE-2020-6287 allows for creation of high-privileged application-level SAP users. Because of these characteristics, CISA released an alert on the same day the patch was released. Onapsis was able to record consistent active scanning as well as exploitation (333 instances, coming from 74 distinct IP addresses) for the RECON vulnerability since the public release of the patch and exploits. This activity has increased over time and continues today. Of all exploits, this is the most serious.

CVE-2020-6207 – This exploit affects SAP Solution Manager (SolMan), a central component of every SAP installation. Solution Manager is the equivalent of Microsoft Active Directory for Windows-based platforms: if an organization’s Solution Manager is compromised, an attacker would have complete administrative control over all interconnected SAP applications in the environment.

CVE-2018-2380 – If the SAP application is not properly patched, this vulnerability can be used to escalate privileges and execute OS Commands, eventually accessing the underlying database and moving laterally across other servers. Onapsis researchers identified 34 exploitation attempts sourced from 10 distinct IPs with the intent to execute OS commands in the underlying operating system.

CVE-2016-9563 – This is an exploit affecting the BC-BMT-BPM-DSK component of SAP NetWeaver AS JAVA 7.5 exploitable by remote (low privileged) authenticated attackers. A successful exploit of this vulnerability could result in Denial-of-Service (DoS) type attacks through XML Entity expansion or similar methodology, resulting in loss of availability. Furthermore, this exploit could allow an attacker to gain unauthorized access, resulting in a loss of confidentiality.

CVE-2016-3976 – This vulnerability allows remote attackers to read arbitrary files via directory traversal sequences, resulting in unauthorized disclosure of information. This vulnerability may also allow for arbitrary access to OS resources potentially leading to a privilege escalation situation.

CVE-2010-5326 – This is a critical vulnerability that affected many unsecured SAP applications. By leveraging this vulnerability, threat actors can execute OS commands without authentication and access the application as well as the application’s database, effectively gaining full and unaudited control of the SAP business information and processes.

After initial access, Onapsis observed threat actors using the exploits to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.

“Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,” according to the analysis.

The exploits in their assigned groups

According to the report, on a number of occasions, threat actors were observed combining exploits from Group 1 and Group 2 to achieve access to the SAP application and to gain access to the operating system. Additionally, exploits in Group 4 were seen in combination with an initial access that could be obtained through exploits in Group 1 (Application Level access) or Group 3 (OS Level access).

Exploit Chaining Analysis from Onapsis

Interestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they’ve gained access to a victim’s environment, Onapsis said.

“This action illustrates the threat actors’ advanced domain knowledge of SAP applications, access to the manufacturer’s patches and their ability to reconfigure these systems,” according to the firm. “This technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.”


Against vulnerabilities like the SAP exploits, the first action in securing systems should always be to patch them. Unpatched systems are the root cause of many cyberattacks, especially against businesses.

Beyond patching, business owners should have proactive attitude with regards to cybersecurity, which includes using the best tools for the job. One of the these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *