What do recent public SAP exploits mean for enterprises? | TECH(talk)


Ken Mingis: Hi, and welcome back to TECH(talk). I'm Ken Mingis, executive editor at Computerworld. I'm here with CSO's Lucian Constantin to talk about a big SAP exploit that could get a lot of companies in trouble. Stick around.

Lucian, thanks for being here. I know it's later in the day in the Romanian bureau there, so I appreciate you taking a few minutes to talk about this SAP exploit. We were talking a little bit a minute ago that I guess it's known as 10KBLAZE, although we're not quite sure where that name came from. But what is it, what can it do, and why should companies be concerned about it?

Lucian Constantin: So these exploits, they're not a technical vulnerability in the sense that they are not a code bug. They are misconfigurations or insecure default configurations that have been known for a decade now, and they are in two components of SAP environments or SAP deployments called the SAP Gateway and the SAP Message Server. SAP has known about this for a long time, and there have been several alerts issued over the years with guidance on how to mitigate these problems. Then later, security researchers came up with some variations where they can bypass that, and SAP came with other guidance and things like that.

The problem is that it's very hard to patch SAP or to change some configuration in SAP deployments because of all the historical burden, because many enterprises do a lot of customizations to these systems. Researchers from Onapsis estimate that on average companies add two million lines of code to their SAP deployments, so making a change or setting a parameter, something like that, could obviously lead to incompatibilities with those customizations. It can break stuff, it can cause downtime, and these are business-critical applications, and no one can afford to have significant downtime with them because that means incurring losses.

And these components are critical for a lot of SAP applications, like S/4HANA, ERP (enterprise resource planning), product lifecycle management, customer relationship management (CRM), human capital management, supply chain management, supplier relationship management, and a few others: basically all that use NetWeaver Business Warehouse, NetWeaver ABAP Application Server, any application that uses that component. So this can impact a lot of applications, not necessarily depending on their own configuration. But Onapsis estimates that one in ten SAP systems deployed by more than 50,000 SAP customers worldwide, from its customer base of 400,000, are vulnerable to this.

Ken Mingis: So yeah, I'm glad you pointed that out. The way I was looking at it, you've written about this earlier this month, and I read it as saying that potentially nine out of ten... Is that what you were saying, that nine out of ten SAP systems could be potentially vulnerable?

Lucian Constantin: So they estimate that around 50,000 customers out of 400,000 have one of these potentially affected applications. And of those that have one of these potentially affected applications, nine out of ten of their systems, they estimate, is affected.

Ken Mingis: Right, so a subset of customers, and nine out of ten of those customers. It surprises me, there's... I'm sorry, go ahead.

Lucian Constantin: Yeah, because I mean, an SAP deployment involves multiple systems. Obviously it's not having one system per enterprise. We are talking about tens of systems across a large enterprise.

Ken Mingis: Yeah, what I was gonna say is it surprises me that, you know, this is obviously a configuration issue. This is not completely out of the blue. This vulnerability that's now being exploited has been there, and I'm just sort of surprised that either companies haven't gotten the message yet and figured out that they need to close this or configure these systems in a way that they're less vulnerable to this, or that SAP hasn't been able to do something to sort of close off these attack vectors. Is there something that companies are missing here, or that SAP is missing, that might help avoid future problems for companies that have their software?

Lucian Constantin: So one of the configuration issues can be changed and patched pretty easily. For the other one, it's a more involved process. Onapsis estimates that it's a process that can take up to a year for a large enterprise, because it involves modifying other systems and other things. So companies, even if they knew about these issues, they've been putting them off because of the complexity of making such a change across their entire system.

The danger now is that while these vulnerabilities or misconfigurations had been known for a while, now there are exploits publicly available, because some researchers released them at a conference, and they are now on GitHub, which makes them accessible to obviously a larger number of attackers, and even unskilled attackers. Because up until this point, attacks against ERP systems, so business systems that contain business data, were more of a nation-state type of cyber-espionage attack.

Ken Mingis: Right, right.

Lucian Constantin: But now, since these exploits are very easy to use, it just requires having Python installed, and it's point-and-click. If the server is available on the Internet, it's very easy to exploit. Now basically any kid can do it, any hacktivist who's upset about something a company did, any ransomware type of attack that can destroy or delete data, and obviously also the more sophisticated attacks, which could mean manipulating the data inside. So you could use this to force the company to file false reports to the securities agencies and then impact their stock price.

Ken Mingis: Right.

Lucian Constantin: So if you do it right, you can actually manipulate the stock price, because you know in advance that it will come out, and you can benefit from it.

Ken Mingis: So that's one of the reasons we were thinking that it's called 10KBLAZE, because it would allow hacktivists to somehow manipulate the data in a company's 10-K filing, which, as you say, if they know that they're doing this, that this is going to come out, that the data that accompanies reporting is now wrong, that could certainly affect the company's bottom line and their stock price, and just cause a lot of turmoil for the company and even in the larger markets, if these hacktivists get very smart and targeted at what they're doing. What should companies do about this?

Lucian Constantin: They have to start. I mean, that's the whole point of this alert, and the U.S. DHS alert, is that these exploits are now out there. The risk is now higher of attacks targeting these systems, and securing them is something companies should start doing, because it's gonna take some time. So it's not going to be an overnight fix, so they should get their SAP service provider together with their cybersecurity vendor and ask them to figure it out.

So first they should deploy monitoring capabilities. Another problem with this is that not many network firewalls or network scanners and monitoring tools had detections for SAP exploits or SAP attacks, or ERP attacks in general. Because while this particular vulnerability is for SAP deployments, from my experience Oracle applications are not free of vulnerabilities either. I mean, you just have to look at the quarterly patches and you'll see highly critical vulnerabilities every single patch cycle. So these types of attacks might start targeting these types of systems in general, so you need monitoring for these types of exploits. That's why Onapsis has released detection signatures for these particular vulnerabilities, or attacks, for Snort, which is an open-source, network-based intrusion detection system. So now anyone, I mean, they don't have to necessarily have a paid product. If they use Snort, which is open source, they can just download these definitions, they're freely available, and they can monitor their networks to see if there are any attacks going on, and obviously start working on changing the configurations and doing all that's needed to fix this. And it's going to take some time, I think depending on how large their deployment is, and how complex it is, and how they may have modified it.

Ken Mingis: Yeah, it does seem like the most important point here is that companies have to start on this, like, yesterday, because these exploits are out there. It's now being spread around among many more potential hackers and hacktivists than would have had access to it in the past. Monitoring is an issue, and because it takes such a long time to change the configurations and figure out where the vulnerability is, this is not something that a company should be waiting on.

Lucian Constantin: Right. A report out last year showed signs of attackers actually targeting these systems. So they've noticed campaigns by hacktivists, spies, nation-states, and a lot of talk on the underground forums about SAP exploits or ERP exploits in general. So clearly both cybercriminals and more sophisticated actors have an interest in targeting such systems, so these attacks are likely to come at some point. There might not be a very high level of attacks against ERP systems now, but with these exploits out there and with the interest shown by attackers, they will start to rise in numbers. And honestly, we don't even know, because if you don't have monitoring capabilities as a company, you might not even know that your system has been compromised, and it could go unnoticed for years. I mean, malware infections go unnoticed for hundreds of days sometimes, based on known reports. Imagine something like this: it would go unnoticed for years. So if there's no public reporting about such compromises, we don't really know how many attacks have actually happened so far.

Ken Mingis: Yeah, I was just gonna say the sort of scary point is that there may have already been attacks that companies are not aware of. So this is a very cautionary tale, and I think you make the point that being forewarned is forearmed. If you've got an SAP system that's vulnerable to 10KBLAZE, you'd better be on top of that now, and you should be looking for monitoring tools that can check and see if you've already been hacked, and maybe data changed, or data that's been breached. Obviously we'll keep an eye on that. I know you will, and monitor this stuff to see if public attacks become obvious. I think for now, though, that's a lot of information that companies need to know, and I appreciate the insights.

Lucian Constantin: Glad to share my knowledge.

Ken Mingis: No, I think it's important, I really do. You do have an understanding of this, and I think that's why this is an important message for companies with SAP deployments. Lucian, I will let you go. Again, like I say, I know it's late today there. Thanks for the update, and we'll circle back with you later on during the year and try to track down and see how this is going, whether it's getting worse or not. Okay, thanks a lot.

Lucian Constantin: Thank you.

Ken Mingis: As a reminder, you can subscribe to our channel if you like what you're seeing here on TECH(talk). For now, that's it for me, Ken Mingis, and Lucian. That's a wrap.
