Demystify ransomware in the context of SAP

Ransomware Attack

Key Takeaways

  • Understand how ransomware impacts SAP customers.
  • Learn why traditional cybersecurity is not enough.
  • Existing SAP vulnerabilities may be used as attack vectors.

“Ransomware attack” is probably the most commonly used despairing phrase of 2020 after “you’re on mute”. The focus of late, however, appears to be very much on striking at the core of a business’s mission-critical systems: the key applications whose loss will cause substantial damage to the production systems of global enterprises. Take for example meat processor JBS being extorted, and REvil targeting the COOP indirectly. For JBS, the impact of a loss of production is catastrophic, as it processes perishable goods.

Attack scenario

To demystify ransomware in the context of SAP we need to look at the attack scenario. While traditional ransomware hits the victim at the operating-system level, the SAP technology stack is only impacted if the server platform was successfully attacked. Luckily for SAP installations, the majority of today’s ransomware variants target Windows operating systems, while SAP systems prefer to run on Unix. So if SAP is hardly impacted, then why bother?

Because SAP can be the entrance door: an attacker may exploit the SAP application layer to introduce malicious files and trigger their execution, and so start spreading ransomware within the customer’s network. Network traffic sent from SAP to clients is typically neither blocked nor inspected, which increases the likelihood of a successful attack.

Traditional cyber-security is not enough

Unfortunately, many organizations don’t realize that network security is penetrable and that it is imperative to constantly monitor your SAP applications in real time to secure them. This requires a more holistic approach to securing your business-critical applications, including things that we would classify as “good security hygiene.” In our recent online seminar “How to implement and enforce a Security baseline for SAP” we demonstrated that threat actors are very aware of how to exploit unprotected mission-critical applications, and are, in fact, actively doing so.

For example, in a recent high-profile attack, the organization was subjected to a ransomware attack on their ERP applications.

Despite implementing good security hygiene such as regular back-ups, their operations were brought to a standstill. This lapse in productivity can last for days, and the damage to reputation and the costs are substantial. The attackers simply bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is a crucial component, but the application level still remains a blind spot, and a vulnerability. The attackers, in this example, used that application layer, which was not being directly monitored, to compromise the business-critical assets.

Of course, traditional cyber-security is in place at many companies, but when the attack is a Trojan horse it is hard to detect. With SAP systems this issue becomes even more critical: with access to a company’s mission-critical production systems, the impact would be devastating.

So, what is needed to protect your organization’s business-critical applications from the inevitable ransomware attempt? That is exactly the question we will address in this blog post, as an SAP Certified Application Development Partner with a focus on securing the SAP technology platform. Traditional security tends to focus on endpoints, the network, and back-ups. All of these are essential components of security but, as is clearly evident, are not adequate to prevent successful attacks.

SAP is a challenging environment that requires constant patching and often contains custom code for which no known patches exist. Attackers are all too aware of this, and evidence shows that known vulnerabilities are being targeted because these systems are business-critical and inter-connected with substantial complexity.

Vulnerabilities such as RECON and PayDay allow threat actors to take full control of applications through the application layer itself and, once in, to go down to the operating-system level. In addition to essential vulnerability management and efficient patching, the solution to this challenge starts with robust, accurate, real-time threat monitoring powered by advanced technology such as anomaly detection, so that no matter how much these threat actors change their attack vectors, the anomaly is detected, reported and triaged in real time. Gartner fully endorses this strategy, advising that organizations should “implement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.”

The following will stop a successful attack:

  1. Real-time threat monitoring, so that attacks can be detected and remediated before harm is done.

  2. Actionable intelligence. Results full of false positives are frustrating and time-wasting when time is a vital ally.

  3. Effective hardening of business-critical applications, and guidance on how and where to patch.

  4. A unified platform approach, where custom code and applications are scanned simultaneously.

  5. Integration with a Security Information and Event Management (SIEM) system, so that the wider security team outside of SAP has instant access to hundreds of use cases.

  6. Corporate commitment to compliance and governance in securing mission-critical applications and code.

SAP delivers security updates through support packages and publishes security notes with the latest security corrections and recommendations. SecurityBridge provides patching advisories and guidance through what can be an overly complicated challenge: understanding how and where to patch.

Summary

Ransomware is a different animal from most attacks in that it is very lucrative and increasingly easy for nefarious actors to carry out with impunity. Add to this that the opportunities for attacks have vastly increased with remote working due to Covid, the complexities of custom code and cloud deployments, and the strain on InfoSec resources. While these factors might make ransomware attacks more likely, they do not necessarily mean the attacks will succeed. With SecurityBridge, you can always be one step ahead of the attackers, being alerted in real time to the actual level of threat and being able to remediate where appropriate before the attacker has time to execute the threat.

Posted by

Christoph Nagy