Ebene Magazine – Unpatched SAP applications are a target for hackers


According to a report by SAP and cyber threat research firm Onapsis, hackers target unpatched vulnerabilities in SAP applications.

The report described more than 300 successful exploits of critical vulnerabilities that SAP had previously resolved, across 1,500 attack attempts between June 2020 and March 2021.

It was also highlighted that the window of opportunity for defenders to act was significantly shorter than previously assumed. “Examples of SAP vulnerabilities were fixed in less than 72 hours” after patches were released and “new unprotected SAP applications deployed in cloud environments (IaaS) were discovered and compromised in less than three hours”.

The report found that 18 of the 20 largest vaccine manufacturers in the world run their production on SAP, 19 out of 28 NATO countries run SAP and 77% of global transaction revenues come from a SAP system.

A spokesman for Onapsis said this is the first time that SAP has issued an official press release about cyber threats for its customers. Onapsis is a security and compliance monitoring software company and security research company.

The press release states that both companies have “worked closely with the US Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Agency for Cybersecurity (BSI) and advised the organizations to take immediate action to apply long-available SAP patches and secure configurations as well as compromise assessments in critical environments.”

The two stated that they were “unaware of any known customer breaches directly related to this investigation”. The report also did not describe any new weaknesses in the SAP cloud software as a service or in SAP’s own corporate IT infrastructure. However, both companies noted that many companies still had not applied relevant remedial measures that had long been provided by SAP.

“We are releasing the research that Onapsis has shared with SAP to help our customers make sure that their business-critical applications are protected,” said Tim McKnight, chief security officer at SAP. “This includes applying available patches, thoroughly reviewing the security configuration of your SAP environments, and proactively evaluating them for signs of compromise.” Mariano Nunez, CEO and co-founder of Onapsis, said the critical findings described in his report were attacks on vulnerabilities for which patches and secure configuration policies have been available for months or even years.

“Unfortunately, too many organizations still have a large governance gap in terms of cybersecurity and compliance with their mission-critical applications so that external and internal threat actors can access their most sensitive and regulated information and have complete control over these processes,” he said. “Organizations that have not prioritized rapid mitigation of these known risks should consider their systems compromised and take immediate and appropriate action.” In the preface to the report, Nunez said, “The evidence gathered in this report clearly shows that threat actors have the motivation, resources, and expertise to identify and use unprotected business-critical SAP applications, and do so actively. They directly target these applications including, but not limited to, Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Human Capital Management (HCM), Product Lifecycle Management (PLM), Customer Relationship Management (CRM), and others.”

Business applications have been known for some time as the soft underbelly of many corporate organizations that goes beyond perimeter security. In the foreword, Nunez also said: “Cloud- and web-enabled business-critical applications that help fuel new processes and business opportunities also increase the attack surface that cyber actors are now targeting.”

The press release stated that none of the security gaps were present in cloud solutions managed by SAP.

The DHS-CISA has also issued a warning about the potential targeting of critical SAP applications.


All Rights reserved,
Copyright 2000-2021, TechTarget

Ref: https://www.computerweekly.com



