SAP (NYSE: SAP) and Onapsis today jointly released a cyber threat intelligence report providing actionable information on how malicious threat actors are targeting and potentially exploiting unprotected mission-critical SAP applications. The companies have worked in close partnership with the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s Federal Cybersecurity Authority (BSI), advising organizations to take immediate action to apply long-available SAP patches and secure configurations, and perform compromise assessments on critical environments.
SAP and Onapsis are not aware of known customer breaches directly related to this research. The report also does not describe any new vulnerabilities in SAP cloud software as a service or SAP’s own corporate IT infrastructure. Both companies, however, note that many organizations still have not applied relevant mitigations that have long been provided by SAP. Customers who fail to apply these protective measures and allow unprotected SAP® applications to continue to operate put themselves and their business at risk.
The intelligence captured by Onapsis and SAP highlights active threat activity seeking to target and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors. Observed exploitation techniques would lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations. These threats may also have regulatory compliance implications for organizations that have not properly secured their environments.
“This proactive research effort is the latest example of our commitment to ensure our global customers remain protected,” said Tim McKnight, chief security officer, SAP. “We’re releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected. This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise.”
The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP.
“As an SAP partner for cybersecurity and compliance, we have observed firsthand the outstanding improvements SAP has made in the recent years to develop more secure software, patch critical vulnerabilities faster and overall proactively ensure SAP customers are secure,” said Mariano Nunez, CEO and cofounder of Onapsis. “The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years. Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes. Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”
To support customers that require investigation, threat remediation and additional post-compromise security monitoring, Onapsis is offering a 3-month free subscription to the Onapsis Platform for Cybersecurity and Compliance, an SAP endorsed app that can be accessed through SAP Store.
Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems — ERP, CRM, PLM, HCM, SCM and BI applications — from leading vendors such as SAP, Oracle, Salesforce and others.
Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina. We proudly serve more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies and 3 of the top 10 oil and gas companies.
The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in mission-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM and PwC — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid and on-premises mission-critical information and processes.
For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.
SAP’s strategy is to help every business run as an intelligent enterprise. As a market leader in enterprise application software, we help companies of all sizes and in all industries run at their best: 77% of the world’s transaction revenue touches an SAP system. Our machine learning, Internet of Things (IoT) and advanced analytics technologies help turn customers’ businesses into intelligent enterprises. SAP helps give people and organizations deep business insight and fosters collaboration that helps them stay ahead of their competition. We simplify technology for companies so they can consume our software the way they want — without disruption. Our end-to-end suite of applications and services enables business and public customers across 25 industries globally to operate profitably, adapt continuously and make a difference. With a global network of customers, partners, employees and thought leaders, SAP helps the world run better and improve people’s lives. For more information, visit www.sap.com.
# # #
© 2021 SAP SE. All rights reserved.