Discovered Critical Flaw allows Geo-Poli-Cyber™ hackers to breach SAP systems | National & Corporate Cyber-Survivability risks increased | Exclusive

Survivability News Exclusive Special Report.

A SAP NetWeaver Application Server Java vulnerability can be exploited without authentication and lead to complete system takeover by Geo-Poli-Cyber hackers, putting nation states and businesses under new and increased Cyber-Survivability risk.

21st Century Cyber Race & Warfare

This is one of the many new vulnerabilities that are being discovered on a daily and weekly basis. Such technical vulnerabilities can be exploited by common and random cyber criminals motivated by financial gain. More concerning, however, are the Geo-Poli-Cyber targeted hackers who are motivated by political, ideological, extremist and false religious agendas, putting National and Corporate Cyber-Survivability under continuously growing risk exposure.

The world may need to be reminded of the earliest Geo-Poli-Cyber hacks of this decade and their impact. The politically, not financially, motivated hacks of Iran’s nuclear reactor in 2010 and of the world’s largest oil company, Saudi ARAMCO, in 2012 had a devastating economic and political impact on their respective nations.

“Stakeholders must recognise that the world today is in a new cyber warfare race. Bad actors are leveraging the breakneck speed of technology to advance their hacking capabilities to perpetrate their extremist, terrorist, ideological, and political agendas. National and corporate leaders cannot afford to lose this race on any given day. Their Effective National Survivability as well as their Corporate Competitive Survivability are at stake. And technology alone cannot defend or mitigate Geo-Poli-Cyber motivated hacks” said an MLi Group Cyber Survivability expert.   

 
Fortunately, this vulnerability was identified, and SAP users can and should immediately deploy the newly released patch for a critical vulnerability that could allow hackers to compromise their systems and the data they contain. The flaw is in a core component that exists by default in most SAP deployments and can be exploited remotely without the need for a username and password. Unfortunately, many vulnerabilities remain unknown and undetected for extended periods of time without an internal audit, leaving stakeholders exposed without knowing it.
 
“While vulnerabilities can be exploited by financially motivated hackers, the serious risk is exponentially magnified by Geo-Poli-Cyber motivated hackers,” said an MLi Group Survivability & Security expert, who also added: “cyber terrorist groups with a devastation/destruction motivation, as well as national security agencies of enemies and adversaries who are intent on altering the economic and political directions of nations and corporations.”
 
MLi Group is the parent company of Survivability News and has been warning and helping governments and organizations mitigate these threats since 2013.
 
Researchers from a security firm who found and reported the vulnerability estimate that 40,000 SAP customers worldwide might be affected. Over 2,500 vulnerable SAP systems are directly exposed to the internet and are at higher risk of being hacked, but attackers who gain access to local networks can also compromise other deployments.

Technical and Geo-Poli-Cyber Impact of the SAP Vulnerability?

The vulnerability is tracked as CVE-2020-6287 and is in the SAP NetWeaver Application Server Java, which is the software stack underlying most SAP enterprise applications. Versions 7.30 to 7.50 of NetWeaver Java are affected — including the latest one — and all the Support Packages (SPs) released by SAP.

The vulnerability, which has also been dubbed RECON (Remotely Exploitable Code on NetWeaver), has the highest possible severity rating (10) in the Common Vulnerability Scoring System (CVSS) because it can be exploited over HTTP without authentication and can lead to a full compromise of the system. The flaw allows attackers to create a new user with administrative role, bypassing existing access controls and segregation of duties.

“Having administrative access to the system will allow the attacker to manage (read/modify/delete) every database record or file in the system,” was the initial warning. “Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance.”

The vulnerability exposes organizations to various types of attacks, and especially to geopolitical and Geo-Poli-Cyber motivated hacks. Hackers could use it to steal personally identifiable information (PII) belonging to employees, customers and suppliers; read, modify or delete financial records; change banking details to divert payments and modify purchasing processes; corrupt data; or disrupt the operation of the systems, causing financial losses due to business downtime. All of these can be leveraged for geopolitical goals that can cause severe damage to a nation’s national Survivability, security and economic standing. The flaw also allows attackers to hide their tracks by deleting logs and to execute commands on the operating system with the SAP application’s privileges, making it almost impossible to assign attribution.

The affected SAP applications include SAP S/4HANA Java, SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP CRM (Java Stack), SAP Enterprise Portal, SAP HR Portal, SAP Solution Manager (SolMan) 7.2, SAP Landscape Management (SAP LaMa), SAP Process Integration/Orchestration (SAP PI/PO), SAP Supplier Relationship Management (SRM), SAP NetWeaver Mobile Infrastructure (MI), SAP NetWeaver Development Infrastructure (NWDI) and SAP NetWeaver Composition Environment (CE).

Moreover, SAP systems are generally interconnected with other third-party systems to exchange data and automate tasks using APIs. SAP Process Integration/Orchestration (SAP PI/PO) plays a central role in such integrations, and its compromise could give attackers access to credentials for other non-SAP systems and databases as well.

Has Your National Cyber Security Authority Acted yet?

SAP was notified of the vulnerability in May, and the company was quick to develop a patch because of the seriousness of the issue and the ease of exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) and the German government’s Computer Emergency Response Team (CERT-Bund) have also been notified and have prepared their respective advisories for their stakeholders.

“It remains unclear how many National Security Authorities and Agencies around the world have acted on this to date. Nor is it clear as to the type of actions they took, which are often in the form of new ‘best practices’ and ‘revised guidelines’ instead of strict and timely compliance becoming requirements needed,” added the MLi Group Cyber Survivability expert.

Call to Action

With new vulnerabilities being discovered on a daily and weekly basis, this is an ever-increasing threat exposure that is putting national and corporate cyber Survivability at continuously growing risk.

MLi Group and Survivability News recommend that stakeholders conduct immediate and periodic Cyber Survivability & Security Audits.

The Audits would include a Geo-Poli-Cyber risk and exposure assessment as well as a cyber security vulnerability risk assessment. Both Audits will conclude with recommended comprehensive mitigation strategies, solutions and services to be considered and prioritized, many of which may not have been considered before.


What Is Geo-Poli-Cyber™?

MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ (GPC™) in 2012 and 2013 based on the philosophy that if you cannot identify and name the threat, you cannot mitigate that threat.

Geo-Poli-Cyber™ attacks are political, ideological, terrorist, extremist, ‘religious’, and/or geo-politically motivated.