Discovered Critical Flaw allows Geo-Poli-Cyber™ hackers to breach SAP systems | National & Corporate Cyber-Survivability risks increased| Exclusive
Survivability News Exclusive Special Report.
SAP NetWeaver Application Server Java vulnerability can be exploited without authentication and lead to complete system takeover by Geo-Poli-Cyber hackers putting Nation states and businesses under new and increased Cyber-Survivability risk.
21st Century Cyber Race & Warfare
This is one of the many new vulnerabilities that are being discovered on daily and weekly basis. Such technical vulnerabilities can be exploited by common and random cyber criminals motivated by financial gain. But more concerning are the Geo-Poli-Cyber targeted hackers who are motivated by political, ideological, extremist and false religious agendas putting National and Corporate Cyber-Survivability under continuously growing risk exposure.
The world may need to be reminded of earliest Geo-Poli-Cyber hacks of this decade and their impact. The not-financial but politically motivated hacks of Iran’s Nuclear reactor in 2010 and on the world’s largest oil company Saudi ARAMCO in 2012 had devastating economic and political impact on their respective nations.
“Stakeholders must recognise that the world today is in a new cyber warfare race. Bad actors are leveraging the breakneck speed of technology to advance their hacking capabilities to perpetrate their extremist, terrorist, ideological, and political agendas. National and corporate leaders cannot afford to lose this race on any given day. Their Effective National Survivability as well as their Corporate Competitive Survivability are at stake. And technology alone cannot defend or mitigate Geo-Poli-Cyber motivated hacks” said an MLi Group Cyber Survivability expert.
Technical and Geo-Poli-Cyber Impact of the SAP Vulnerability?
The vulnerability is tracked as CVE-2020-6287 and is in the SAP NetWeaver Application Server Java, which is the software stack underlying most SAP enterprise applications. Versions 7.30 to 7.50 of NetWeaver Java are affected — including the latest one — and all the Support Packages (SPs) released by SAP.
The vulnerability, which has also been dubbed RECON (Remotely Exploitable Code on NetWeaver), has the highest possible severity rating (10) in the Common Vulnerability Scoring System (CVSS) because it can be exploited over HTTP without authentication and can lead to a full compromise of the system. The flaw allows attackers to create a new user with administrative role, bypassing existing access controls and segregation of duties.
“Having administrative access to the system will allow the attacker to manage (read/modify/delete) every database record or file in the system,” was the initial warning. “Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance.”
The vulnerability exposes organizations to various types of attacks and especially geopolitical and Geo-Poli-Cyber motivated hacks. Hackers could use it to steal personally identifiable information (PII) belonging to employees, customers and suppliers; read, modify or delete financial records; change banking details to divert payments and modify purchasing processes; corrupt data; or disrupt the operation of the systems financial losses due to business downtime. All these can be leveraged for geopolitical goals that can cause severe damage to nation’s national Survivability and security and economic standing. Moreover, The flaw also allows attackers to hide their tracks by deleting logs and execute commands on the operating system with the SAP application’s privileges making it almost impossible to assign attribution.
The affected SAP applications include SAP S/4HANA Java, SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP CRM (Java Stack), SAP Enterprise Portal, SAP HR Portal, SAP Solution Manager (SolMan) 7.2, SAP Landscape Management (SAP LaMa), SAP Process Integration/Orchestration (SAP PI/PO), SAP Supplier Relationship
Management (SRM), SAP NetWeaver Mobile Infrastructure (MI), SAP NetWeaver Development Infrastructure (NWDI) and SAP NetWeaver Composition Environment (CE).
However, SAP systems are generally interconnected with other third-party systems to exchange data and automate tasks using APIs. The SAP Process Integration/Orchestration (SAP PI/PO) plays a central role in such integrations and its compromise could give attackers access to credentials for other non-SAP systems and databases as well.
Has Your National Cyber Security Authority Acted yet?
SAP was notified of the vulnerability in May and the company was quick to develop a patch because of the seriousness of the issue and the ease of exploitation. As a result, the US Cybersecurity and Infrastructure Security Agency (CISA) and the German government’s Computer Emergency Response Team (CERT-Bund) have also been notified and have prepared their respective advisories to their stakeholders.
“It remains unclear how many National Security Authorities and Agencies around the world have acted on this to date. Nor is it clear as to the type of actions they took which are often in the form of new “best practices” and “revised guidelines” instead of strict and timely compliance becoming requirements needed” added the MLi Group Cyber Survivability expert.
Call to Action
With new vulnerabilities being discovered on daily and weekly basis. This is an ever increasing threat exposure that is putting national and corporate cyber Survivability at continuously growing risk.
MLi Group and Survivability News recommend that stakeholders conduct immediate and periodic Cyber Survivability & Security Audits.
The Audits would include Geo-Poli-Cyber risk assessment and exposure as well as cyber security vulnerability risk assessment. Both Audits will conclude with recommended comprehensive mitigation strategies, solutions and services to be considered and prioritized, many of which may not have been considered before.