
Demystify ransomware in the context of SAP

Ransomware Attack

Key Takeaways

  • Understand how ransomware impacts SAP customers.
  • Learn why traditional cybersecurity is not enough.
  • Existing SAP vulnerabilities may be used as attack vectors.

“Ransomware attack” is probably the most commonly used despairing phrase of 2020, after “you’re on mute”. Recent attacks, however, have increasingly struck at the core of a business: the mission-critical systems and key applications whose loss causes substantial damage to the production operations of global enterprises. Take, for example, the extortion of meat processor JBS, or REvil indirectly hitting the retailer Coop. For JBS, a loss of production is catastrophic because it processes perishable goods.

Attack scenario

To demystify ransomware in the context of SAP we need to look at the attack scenario. Traditional ransomware hits the victim at the operating-system level, so the SAP technology stack is only impacted if the underlying server platform has been compromised. Luckily for SAP installations, the majority of today’s ransomware variants target Windows operating systems, while SAP systems are most commonly run on Unix. So if SAP itself is hardly impacted, why bother?

Because SAP can be the entrance door: an attacker may exploit the SAP application layer to introduce malicious files and trigger their execution, and from there start spreading ransomware within the customer’s network. Network traffic sent from SAP to clients is typically neither blocked nor inspected, which increases the likelihood that such an attack succeeds.

Traditional cyber-security is not enough

Unfortunately, many organizations don’t realize that network security can be penetrated and that it is imperative to monitor SAP applications continuously, in real time, to secure them. Securing business-critical applications requires a more holistic approach, including things we would classify as “good security hygiene”. In our recent online seminar “How to implement and enforce a Security baseline for SAP” we demonstrated that threat actors are very aware of how to exploit unprotected mission-critical applications and are, in fact, actively doing so.

For example, in a recent high-profile attack, the organization was subjected to a ransomware attack on their ERP applications.

Despite implementing good security hygiene such as regular backups, their operations were brought to a standstill. Such a loss of productivity can last for days, and both the reputational damage and the costs are substantial. The attackers simply bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is a crucial component, but the application level remains a blind spot, and therefore a vulnerability. The attackers in this example used that unmonitored application layer to compromise the business-critical assets.

Of course, traditional cyber-security is in place at many companies, but when the attack arrives as a Trojan horse it is hard to detect. With SAP systems this issue becomes even more critical: once an attacker has access to a company’s mission-critical production systems, the impact is devastating.

So, what is needed to protect your organization’s business-critical applications from the inevitable ransomware attempt? That is exactly the question we address in this blog post, as an SAP Certified Application Development Partner focused on securing the SAP technology platform. Traditional security tends to focus on endpoints, the network, and backups. All of these are essential components, but as is clearly evident, they are not adequate to prevent successful attacks.

SAP is a challenging environment that requires constant patching and often contains custom code for which no vendor patches exist. Attackers are all too aware of this, and evidence shows that known vulnerabilities are being targeted precisely because these systems are business-critical and interconnected with substantial complexity.

Vulnerabilities such as RECON and PayDay allow threat actors to take full control of applications through the application layer itself and, once in, to move down to the operating-system level. In addition to essential vulnerability management and efficient patching, the answer to this challenge starts with robust, accurate, real-time threat monitoring powered by technology such as anomaly detection, so that no matter how threat actors change their attack vectors, the anomaly is detected, reported and triaged in real time. Gartner fully endorses this strategy, that organizations should “implement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.”

The following measures stop an attack from succeeding:

  1. Real-time threat monitoring so that attacks can be detected and remediated before harm is done.

  2. Actionable intelligence. Results full of false positives are frustrating and time-wasting when time is a vital ally.

  3. Effective hardening of business-critical applications, and guidance on how and where to patch.

  4. A unified platform approach in which custom code and applications are scanned simultaneously.

  5. Integration with a Security Information and Event Management (SIEM) system, so that the wider security team outside of SAP has instant access to hundreds of use cases.

  6. Corporate commitment to compliance and governance in securing mission-critical applications and code.
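To make the monitoring idea from the previous paragraphs concrete (anomaly detection at the application layer in point 1, SIEM hand-off in point 5, and the file-drop-then-execute scenario described under “Attack scenario”), here is an added illustration that is not part of the original post or of the SecurityBridge product. It learns, per SAP user, which kinds of actions are normal during a baseline period and flags the first high-risk action (OS command execution or a file write) that a user has never performed before, emitting one JSON line per alert for a SIEM. The event tuples and user names are constructed sample data, not real SAP audit-log output.

```python
"""Baseline-deviation monitor for SAP application-layer activity (added illustration)."""
import json
from collections import defaultdict

# Constructed sample events, not real SAP audit-log records. Each event is
# (user, action, detail). "file_write" and "os_command" stand for the
# application-layer file drop and execution described in the post.
BASELINE_EVENTS = [
    ("FIN_USER", "transaction", "FB01"),
    ("FIN_USER", "transaction", "FB03"),
    ("BASIS_ADM", "transaction", "SM37"),
    ("BASIS_ADM", "os_command", "backup_db.sh"),   # routine for a Basis admin
]
LIVE_EVENTS = [
    ("FIN_USER", "transaction", "FB01"),
    ("FIN_USER", "file_write", "\\\\fileshare\\public\\invoice.exe"),  # never seen before
    ("FIN_USER", "os_command", "invoice.exe"),                         # never seen before
    ("BASIS_ADM", "os_command", "backup_db.sh"),                       # matches baseline
]

# Action types that warrant an alert the first time a given user performs them.
HIGH_RISK_ACTIONS = {"os_command", "file_write"}


def build_baseline(events):
    """Record which action types each user performed during the learning period."""
    baseline = defaultdict(set)
    for user, action, _detail in events:
        baseline[user].add(action)
    return baseline


def detect_anomalies(baseline, events):
    """Return SIEM-ready alert dicts for high-risk actions not in the user's baseline."""
    alerts = []
    for user, action, detail in events:
        if action in HIGH_RISK_ACTIONS and action not in baseline.get(user, set()):
            alerts.append({
                "user": user, "action": action, "detail": detail,
                "severity": "high",
                "reason": f"first {action} observed for {user}",
            })
    return alerts


def to_siem_lines(alerts):
    """Serialize alerts as one JSON object per line for SIEM ingestion."""
    return [json.dumps(alert, sort_keys=True) for alert in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(detect_anomalies(build_baseline(BASELINE_EVENTS), LIVE_EVENTS)):
        print(line)
```

In practice the baseline would be learned from a real audit-log feed over a longer period and the alert lines forwarded to the SIEM; the same first-occurrence logic applies unchanged.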

SAP delivers security updates through support packages and publishes security notes with the latest security corrections and recommendations. SecurityBridge provides patching advisories and guidance through what can otherwise be an overly complicated task: understanding how and where to patch.

Summary

Ransomware is a different animal from most attacks in that it is very lucrative and increasingly easy for nefarious actors to carry out with impunity. Add to this that the opportunities for attack have vastly increased with remote working due to Covid, the complexity of custom code and cloud deployments, and the strain on InfoSec resources. While these factors make ransomware attacks more likely, they do not necessarily mean an attack will succeed. With SecurityBridge you can stay one step ahead of the attackers: you are alerted in real time to the actual level of threat and can remediate where appropriate before the attacker has time to execute it.

Posted by

Christoph Nagy
