Ransomware Attack

Demystify ransomware in the context of SAP

Christoph Nagy
Managing director
July 14, 2021
5 min read

Key Takeaways

  • Understand how ransomware impacts SAP customers.
  • Learn why traditional cybersecurity is not enough.
  • Existing SAP vulnerabilities may be used as attack vectors.

“Ransomware attack” is probably the most commonly used despairing phrase of 2020, after “you’re on mute”. The focus of late, however, appears to be very much on striking at the core of a business’s mission-critical systems: key applications whose loss causes substantial damage to the production systems of global enterprises. Take for example meat processor JBS being extorted, and REvil targeting Coop indirectly. For JBS, the impact of a loss of production is catastrophic, as it processes perishable goods.

Attack scenario

To demystify ransomware in the context of SAP we need to look at the attack scenario. While traditional ransomware hits the victim at the operating system level, the SAP technology stack is only impacted if the server platform was successfully attacked. Luckily for SAP installations, the majority of today’s ransomware variants target Windows operating systems, while SAP systems mostly run on Unix. So if SAP is hardly impacted, why bother?

SAP as the entrance door: an attacker may exploit the SAP application layer to introduce malicious files and trigger their execution, and so start spreading ransomware within the customer’s network. Network traffic sent from SAP to clients is typically neither blocked nor inspected, which increases the likelihood of a successful attack.

Traditional cyber-security is not enough

Unfortunately, many organizations don’t realize that network security is penetrable and that it is imperative to constantly monitor SAP applications in real-time to secure them. It requires a more holistic approach to securing your business-critical applications, including things that we would classify as “good security hygiene.” In our recent online seminar “How to implement and enforce a Security baseline for SAP” we demonstrated that threat actors are very aware of how to exploit unprotected mission-critical applications, and are, in fact, actively doing so.

For example, in a recent high-profile attack, the organization was subjected to a ransomware attack on their ERP applications.

Despite implementing good security hygiene such as regular back-ups, their operations were brought to a standstill. This lapse in productivity can last for days, and the damage to reputation and the costs are substantial. Attackers simply bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is a crucial component, but the application level still remains a blind spot, and a vulnerability. The attackers, in this example, used that application layer, which was not being directly monitored, to compromise the business-critical assets.

Of course, traditional cyber-security is in place at many companies, but when the attack is a Trojan Horse it is hard to detect. With SAP systems this issue becomes even more critical: with access to a company’s mission-critical production systems, the impact would be devastating.

So, what is needed to protect your organization’s business-critical applications from the inevitability of an attempted ransomware attack? That is exactly the question we will address in this blog post, as an SAP Certified Application Development Partner focused on securing the SAP technology platform. Traditional security tends to focus on endpoints, networks, and back-ups. All of these are essential components of security, but, as is clearly evident, they are not adequate to prevent successful attacks.

SAP is a challenging environment that requires constant patching and often contains custom code for which there are no vendor patches. Attackers are all too aware of this, and evidence shows that known vulnerabilities are being targeted because these systems are business-critical and are interconnected with substantial complexity.

Vulnerabilities such as RECON and PayDay allow threat actors to take full control of applications through the application layer itself and, once in, go down to the operating system level. In addition to essential vulnerability management and efficient patching, the solution to this challenge starts with robust, accurate, real-time threat monitoring powered by technology such as anomaly detection, so that no matter how much threat actors change their attack vectors, the anomaly is detected, reported and triaged in real-time. Gartner fully endorses this strategy, advising that organizations should “implement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.”

This will stop a successful attack:

  1. Real-time threat monitoring so that attacks can be detected and remediated before harm is done.
  2. Actionable intelligence. Results full of false positives are frustrating and time-wasting when time is a vital ally.
  3. Effective hardening of business-critical applications and guidance on how and where to patch.
  4. A unified platform approach where custom code and applications are scanned simultaneously.
  5. Integration with a Security Information and Event Management (SIEM) system so that the wider security team outside of SAP can have instant access to hundreds of use-cases.
  6. Corporate commitment to compliance and governance in securing mission-critical applications and code.
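To make the monitoring side concrete, here is an added example (not SecurityBridge's product code, and not SAP's actual security audit log format) of what "real-time threat monitoring powered by anomaly detection" with SIEM hand-off looks like in practice. It ties together the attack scenario above (the application layer being used to introduce and execute files) and list items 1, 2 and 5. Everything in it is constructed for illustration: the pipe-separated log line format, the user names, hosts and event kinds, and the failed-logon threshold. The detector learns a per-user baseline of usual client hosts and event kinds from a historical window, then streams a live window, flags deviations, deduplicates them so an analyst is not flooded, and renders the alerts as newline-delimited JSON of the kind SIEM collectors ingest.

```python
"""
Added example, not SecurityBridge's product code and not SAP's audit log format:
a toy real-time anomaly detector for SAP-style security audit events that emits
SIEM-ready JSON. Log format, users, hosts, event kinds and the failed-logon
threshold are all constructed for illustration.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed line format: "<timestamp>|<user>|<client host>|<event kind>|<detail>"
BASELINE_LOG = """\
2021-07-01T08:02:11|ALICE|wks-101|LOGON|ok
2021-07-01T08:03:40|ALICE|wks-101|TCODE|VA01
2021-07-01T09:00:00|BOB|wks-202|LOGON|ok
2021-07-01T09:01:30|BOB|wks-202|TCODE|FB03
2021-07-01T09:30:00|BATCH01|app-srv-1|TCODE|SM37
2021-07-01T09:31:00|BATCH01|app-srv-1|OS_CMD|backup.sh
2021-07-02T08:00:30|ALICE|wks-101|LOGON|ok
2021-07-02T09:05:00|BOB|wks-202|LOGON|ok
2021-07-02T09:30:00|BATCH01|app-srv-1|OS_CMD|backup.sh
"""

# Constructed live window: a dialog user who never ran OS commands suddenly
# does so after a burst of failed logons from an unfamiliar host.
LIVE_LOG = """\
2021-07-03T08:01:00|ALICE|wks-101|LOGON|ok
2021-07-03T08:02:00|ALICE|wks-101|TCODE|VA01
2021-07-03T22:14:05|BOB|10.0.9.77|LOGON|failed
2021-07-03T22:14:07|BOB|10.0.9.77|LOGON|failed
2021-07-03T22:14:09|BOB|10.0.9.77|LOGON|failed
2021-07-03T22:14:12|BOB|10.0.9.77|LOGON|ok
2021-07-03T22:15:30|BOB|10.0.9.77|OS_CMD|unknown.bin
2021-07-03T22:16:00|BOB|10.0.9.77|FILE_UPLOAD|update.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    host: str
    kind: str
    detail: str


def parse(log: str) -> list[Event]:
    """Parse constructed audit lines; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) == 5:
            events.append(Event(*parts))
    return events


class Baseline:
    """Per-user view of 'normal': which event kinds and client hosts are usual."""

    def __init__(self, events: list[Event]):
        self.kinds = defaultdict(set)
        self.hosts = defaultdict(set)
        for e in events:
            self.kinds[e.user].add(e.kind)
            self.hosts[e.user].add(e.host)


# Event kinds that, for a user with no history of them, match the scenario of
# the application layer being used to drop and run files.
SENSITIVE_KINDS = {"OS_CMD", "FILE_UPLOAD"}
FAILED_LOGON_THRESHOLD = 3  # constructed threshold for the example


def make_alert(rule: str, severity: str, e: Event, reason: str) -> dict:
    return {"rule": rule, "severity": severity, "ts": e.ts, "user": e.user,
            "host": e.host, "event": e.kind, "detail": e.detail, "reason": reason}


def detect(baseline: Baseline, live: list[Event]) -> list[dict]:
    """Stream over live events and return deduplicated anomaly alerts."""
    alerts = []
    failed = Counter()
    flagged_hosts = set()  # dedupe: one new-host alert per (user, host) pair
    for e in live:
        known_kinds = baseline.kinds.get(e.user, set())
        known_hosts = baseline.hosts.get(e.user, set())
        if e.host not in known_hosts and (e.user, e.host) not in flagged_hosts:
            flagged_hosts.add((e.user, e.host))
            alerts.append(make_alert("new_host", "medium", e,
                                     "first activity for this user from this host"))
        if e.kind == "LOGON" and e.detail == "failed":
            failed[(e.user, e.host)] += 1
            if failed[(e.user, e.host)] == FAILED_LOGON_THRESHOLD:
                alerts.append(make_alert("logon_burst", "high", e,
                                         f"{FAILED_LOGON_THRESHOLD} failed logons from one host"))
        if e.kind in SENSITIVE_KINDS and e.kind not in known_kinds:
            alerts.append(make_alert("unusual_sensitive_action", "critical", e,
                                     "user has no history of this event kind"))
    return alerts


def to_siem_ndjson(alerts: list[dict]) -> str:
    """One JSON object per line, a shape most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


def run_example() -> list[dict]:
    baseline = Baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(LIVE_LOG))


if __name__ == "__main__":
    print(to_siem_ndjson(run_example()))
```

Two design points carry over to a real deployment. First, the baseline is per user, so the batch account's routine OS commands never alert while the same action by a dialog user does; that is what keeps the output actionable rather than a stream of false positives. Second, the detector alerts on behaviour (new host, logon burst, unprecedented sensitive action) rather than on a specific exploit signature, which is why it still fires when the threat actor changes the vector used to reach the application layer.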

SAP delivers security updates through support packages and publishes security notes with the latest security corrections and recommendations. SecurityBridge provides patching advisories and guidance through what can be an overly complicated challenge of understanding how and where to patch.

Summary

Ransomware is a different animal from most attacks in that it is very lucrative and increasingly easy for nefarious actors to succeed with impunity. Add to this that the opportunities for attacks have vastly increased with remote working due to Covid, the complexities of custom code and cloud deployments, and a strain on InfoSec resources. While these factors might make ransomware attacks more likely, they do not necessarily mean an attack will succeed. With SecurityBridge, you can always be one step ahead of the attackers, being alerted in real-time to what the level of threat actually is, and being able to remediate where appropriate before the attacker has time to execute the threat.