Steps US-CERT recommends potential victims take:
In addition, US-CERT encourages users and administrators to:
- Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
- Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
- Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
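A minimal form of the baseline check in the last item, as an added example that is not code from US-CERT, Onapsis or SAP: it parses a constructed SAP instance-profile fragment and reports every parameter that falls outside an assumed baseline range, including parameters that are not set at all. The parameter names are real SAP profile parameters; the thresholds and the sample values are assumptions chosen for illustration, not a published standard.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the style of an SAP instance profile
# ("parameter = value" lines, '#' comments); the values are made up.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed sample)
login/min_password_lng = 6
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
auth/rfc_authority_check = 1
rdisp/gui_auto_logout = 1800
"""

@dataclass(frozen=True)
class Rule:            # allowed range for one parameter; None = unbounded
    param: str
    lo: Optional[int]
    hi: Optional[int]
    why: str

# Assumed baseline: thresholds are illustrative, not an SAP or US-CERT standard.
BASELINE = [
    Rule("login/min_password_lng", 12, None, "short passwords are easy to guess"),
    Rule("login/password_expiration_time", 1, 90, "0 disables password expiry"),
    Rule("login/no_automatic_user_sapstar", 1, 1, "blocks the SAP* fallback user"),
    Rule("auth/rfc_authority_check", 1, None, "enforce authority checks on RFC calls"),
    Rule("rdisp/gui_auto_logout", 1, 900, "idle GUI sessions should time out"),
    Rule("login/fails_to_user_lock", 1, 5, "lock accounts after repeated failures"),
]

PARAM_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")  # comments never match

def parse_profile(text: str) -> dict:
    # {parameter: raw value}; comment and blank lines are skipped by the regex
    params = {}
    for m in filter(None, map(PARAM_LINE.match, text.splitlines())):
        params[m.group(1)] = m.group(2)
    return params

def check_baseline(profile_text: str, baseline=BASELINE) -> list:
    # one (param, observed, (lo, hi), why) tuple per deviation from the baseline
    params = parse_profile(profile_text)
    deviations = []
    for r in baseline:
        raw = params.get(r.param)
        value = int(raw) if raw is not None and raw.lstrip("-").isdigit() else None
        if value is None:                        # unset or non-numeric
            deviations.append((r.param, raw, (r.lo, r.hi), "missing or non-numeric: " + r.why))
        elif (r.lo is not None and value < r.lo) or (r.hi is not None and value > r.hi):
            deviations.append((r.param, value, (r.lo, r.hi), r.why))
    return deviations
```

Running `check_baseline(SAMPLE_PROFILE)` on the constructed fragment flags five of the six baseline parameters, one of them because it is absent from the profile.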
The vulnerability has not only been known for years, but the indicators of compromise associated with the attacks have also been well known, Onapsis says. “[T]he reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years" at a digital forum registered in China, the company’s alert says. “Therefore, we don’t have reasons to correlate this activity with a nation-state sponsored campaign or a coordinated group effort. However, we know for a fact that this is just the tip of the iceberg.”
According to SAP, it has 310,000 customers in 190 countries, 80% of them small and midsize enterprises. Known businesses affected by the exploit are in China, Germany, India, Japan, South Korea, the United Kingdom and the United States. The affected businesses operate in a range of industries including oil and gas, telecommunications, utilities, retail, automotive and steel manufacturing, Onapsis says.