
SAP Vulnerable to Ransomware Attacks


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

The SAP scheduled monthly patch roll-out corrected a vulnerability in the SAP GUI that allows an attacker to bypass security controls and execute code on the user's system.

Threat details

The Saphyra iDDoS Priv8 Tool targets the application layer of the Open Systems Interconnection (OSI) model, which results in an HTTP flood DDoS attack that is very hard to defend against. This can result in ransomware being deployed that could in turn infect every SAP endpoint as they connect to the server.

SAP provides a range of enterprise resource planning software, including product planning, manufacturing, finance, shipping and more. As standard, any critical action on the SAP GUI is protected by a confirmation prompt, but there is an omission for a particular executable file.

To exploit this vulnerability an attacker would first need to compromise the SAP NetWeaver ABAP server by other means. They would then craft a SAP transaction that will execute a command on remote SAP GUI clients whenever a client logs in.

The attacker can use the command to infect a client system with ransomware when the client logs into the main server. As each client is individually infected it will be treated as a separate ransomware infection, spreading the ransomware quickly through the network of SAP clients. Each system will be issued its own ransom and payment address to unlock the data.


Remediation steps

  • Ensure both the SAP NetWeaver ABAP server and SAP GUI are fully patched.
  • Where possible ensure the SAP NetWeaver ABAP server is only reachable from trusted network locations.
  • Ensure a comprehensive backup policy is in place, including secure off-site storage - see the Best Practice Guide "Ransomware - Controls to avoid infection".
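
One way to check the second step, as an added example that is not part of the original alert: the script audits firewall allow-rules and flags any that let a source outside the trusted networks reach SAP ABAP server ports. The trusted networks, server address and sample rules are constructed for illustration; the port families are the SAP defaults for dispatcher, gateway and message server.

```python
import ipaddress

# Default SAP ABAP port families (NN = two-digit instance number).
SAP_PORT_RANGES = {
    "dispatcher (SAP GUI)": (3200, 3299),  # 32NN
    "gateway": (3300, 3399),               # 33NN
    "message server": (3600, 3699),        # 36NN
}

# Assumed addresses for illustration only; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")]
SAP_SERVERS = {ipaddress.ip_address("10.10.1.15")}

# Constructed sample allow-rules: (source CIDR, destination IP, first port, last port).
SAMPLE_RULES = [
    ("10.20.0.0/16", "10.10.1.15", 3200, 3200),    # trusted clients to dispatcher
    ("10.30.5.128/25", "10.10.1.15", 3300, 3300),  # subnet of a trusted network
    ("10.0.0.0/8", "10.10.1.15", 3200, 3299),      # wider than any trusted network
    ("0.0.0.0/0", "10.10.1.15", 1, 65535),         # any source, any port
    ("0.0.0.0/0", "10.10.1.15", 443, 443),         # no SAP port in range
    ("0.0.0.0/0", "10.10.9.9", 3200, 3200),        # destination is not an SAP server
]


def sap_services_in(first, last):
    """Names of SAP port families that overlap the rule's port range."""
    return [n for n, (lo, hi) in SAP_PORT_RANGES.items() if first <= hi and last >= lo]


def is_trusted(source):
    """True only if the whole source network sits inside a trusted network."""
    return any(source.version == t.version and source.subnet_of(t)
               for t in TRUSTED_NETWORKS)


def audit(rules):
    """Return (rule, services) for rules exposing SAP ports to untrusted sources."""
    findings = []
    for src, dst, first, last in rules:
        services = sap_services_in(first, last)
        if (ipaddress.ip_address(dst) in SAP_SERVERS and services
                and not is_trusted(ipaddress.ip_network(src))):
            findings.append(((src, dst, first, last), services))
    return findings


if __name__ == "__main__":
    for rule, services in audit(SAMPLE_RULES):
        print(f"EXPOSED {rule[0]} -> {rule[1]}:{rule[2]}-{rule[3]} ({', '.join(services)})")
```

A rule counts as trusted only when its entire source range falls inside a trusted network, so an over-broad rule such as 10.0.0.0/8 is reported even though it contains trusted clients.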

Last edited: 17 February 2020 11:38 am