Profiling a SAP Hacker

Author: Ivan Mans
Date Published: 10 October 2023

As with any software application or system, SAP systems have vulnerabilities that attackers may exploit, whether they are insiders or external adversaries. SAP data is valuable to a hacker because these systems store vast amounts of sensitive financial data, customer information and intellectual property, which makes them an attractive target. Moreover, SAP systems are critical to 99 of the 100 largest enterprises in the world.1 A successful cyberattack would cause significant disruption, reputational damage and financial loss.

To mitigate the risk of cyberattacks, organizations must keep their SAP systems up-to-date with the latest security patches and updates identified during SAP's monthly Security Patch Day.2 In addition, regularly conducting vulnerability assessments to identify and remediate security gaps significantly reduces attack vectors.3 However, it is important to understand how internal and external SAP attackers differ in their levels of access and proximity to the SAP system. Gaining awareness of their attack profiles can help prevent enterprises from being subjected to unfortunate and embarrassing cyberincidents.

Risk From SAP’s Internal Environment

Internal SAP attackers are individuals or entities who already have access to the SAP system as employees, contractors or partners. They have legitimate access to the system, but misuse their privileges to carry out malicious activities such as stealing sensitive data, sabotaging the system or installing backdoors for future exploitation.

Insider attacks frequently take place in the application security domain, and they fall under the category of internal cybersecurity risk. Such attacks may involve data theft or malicious manipulation of business information, among other things.

Analyzing application logs is typically the most effective method for detecting insider behavior anomalies, but this can be difficult to do for SAP applications due to the sheer number of logs that exist. Monitoring the most critical SAP S/4HANA logs is essential for detecting fraud and malicious manipulation. The speed of response depends on whether automatic notifications are in place and whether monitoring and evaluation are performed manually or periodically. The level of risk assigned to corresponding log items is highly individual and depends on various factors unique to each organization.
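
The following added example (not code from the article or from SecurityBridge) illustrates the log review described above: it assigns organisation-specific risk weights to S/4HANA audit events, doubles the weight for activity outside business hours and flags user/terminal pairs that cross a notification threshold. The line format, event codes, weights and sample entries are constructed assumptions loosely modelled on the SAP Security Audit Log.

```python
"""Risk-weighted review of S/4HANA audit log lines (added example).

Assumptions, not from the article: a constructed line format
'<timestamp>|<user>|<terminal>|<event>|<detail>' loosely modelled on the SAP
Security Audit Log; event codes and weights are illustrative and must be
tuned per organisation, as the article notes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample entries (not real audit data).
SAMPLE_LOG = """\
2023-10-09T08:15:02|JSMITH|WS-0412|LOGON_OK|Dialog logon client 100
2023-10-09T23:41:10|JSMITH|WS-0412|TCODE_START|SU01
2023-10-09T23:42:55|JSMITH|WS-0412|USER_CHANGE|Profile SAP_ALL assigned to TEMPUSER
2023-10-09T23:50:07|TEMPUSER|WS-0412|TCODE_START|SE16
2023-10-09T23:51:30|TEMPUSER|WS-0412|TABLE_DOWNLOAD|BSEG 48213 rows
2023-10-10T09:02:11|AMUELLER|WS-0077|TCODE_START|VA01
2023-10-10T09:10:44|AMUELLER|WS-0077|LOGON_FAIL|Wrong password
"""

RISK_WEIGHTS = {"USER_CHANGE": 8, "TABLE_DOWNLOAD": 6, "TCODE_START": 1,
                "LOGON_FAIL": 1, "LOGON_OK": 0}   # organisation-specific
SENSITIVE_TCODES = {"SU01", "SE16", "SE38", "PFCG"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time
ALERT_THRESHOLD = 10

def parse_line(line):
    ts, user, terminal, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "terminal": terminal, "event": event, "detail": detail}

def score_entry(entry):
    """Risk points for one entry: base weight plus context modifiers."""
    score = RISK_WEIGHTS.get(entry["event"], 0)
    if entry["event"] == "TCODE_START" and entry["detail"] in SENSITIVE_TCODES:
        score += 4                   # sensitive transaction started
    if score > 0 and entry["ts"].hour not in BUSINESS_HOURS:
        score *= 2                   # activity outside business hours
    return score

def evaluate(log_text):
    """Aggregate risk per (user, terminal); return totals and who needs review."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            totals[(e["user"], e["terminal"])] += score_entry(e)
    alerts = sorted(k for k, v in totals.items() if v >= ALERT_THRESHOLD)
    return dict(totals), alerts
```

In the constructed sample, the after-hours user change and table download on terminal WS-0412 cross the threshold while the daytime sales activity does not; in practice the weights and threshold are where an organisation encodes its own risk appetite.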

Risk From Outside SAP’s Environment

External SAP attackers are individuals or entities that do not have legitimate access to the SAP system and must breach its defenses to carry out their attacks. They may use various methods, such as exploiting vulnerabilities in the system, social engineering or phishing, to gain access. Once they have gained access, they may carry out various attacks such as stealing data, installing malware or launching denial-of-service (DoS) attacks.

The Hypertext Transfer Protocol (HTTP) request smuggling vulnerability Internet Communication Manager Advanced Desync (ICMAD) is an example of an external SAP vulnerability. For the SAP Web Dispatcher, it is identified as CVE-2022-22536,4 CVE-2022-22532,5 and CVE-2022-22533.6 The SAP Web Dispatcher often acts as a proxy between the SAP application and insecure networks. Because the vulnerability is reachable from outside, it is classified as an external risk, exploited by a particular class of attackers.7

Because there are many vulnerabilities to consider, a rating classification helps align priorities. But even rating scores fluctuate, so the ultimate decision of when to act must be made by the cybersecurity professional. Case in point: the ICMAD vulnerability can be rated using the standardized Common Vulnerability Scoring System (CVSS), which yields a score of 10.0 (very high) on a scale that ranges from 1.0 (low) to 10.0 (very high). Attackers also sometimes chain multiple vulnerabilities with lower CVSS scores to reach their target. Hence, it is vital not to look only at the highest CVSS score when patching SAP security issues.

However, the CVSS rating is not the only input for rating a specific vulnerability. Security administrators should also consider actual exploitation (e.g., by comparing the CVSS score with the rating from a threat intelligence company such as Mandiant). Mandiant evaluates vulnerabilities based on real attack information; in the absence of known exploitation, Mandiant's experts downgrade a SAP vulnerability with a CVSS rating of very high to high. Whether an individual vulnerability rating should be raised or lowered also depends on the external exposure of the SAP system, including critical access paths within the SAP landscape.
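
As an added example (not the article's or Mandiant's method), the following Python ranks SAP findings by combining the published CVSS score with the three adjustments the preceding paragraphs describe: a downgrade when no exploitation is known, a reduction for components not exposed externally and an uplift for low-scored vulnerabilities that form part of an attack chain. The thresholds, point values, hypothetical note ids and the exploitation flag set on the ICMAD CVE are constructed inputs for illustration.

```python
"""Prioritising SAP findings beyond the raw CVSS score (added example).

Constructed inputs, not the article's data. Modelling assumptions: no known
exploitation caps a score below 'very high'; internal-only exposure lowers it
by one point; every link in a chain inherits the chain's highest score.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    note: str                    # SAP security note or CVE id
    cvss: float                  # CVSS base score as published
    exploited: bool              # known exploitation per threat intelligence
    external: bool               # component reachable from outside the network
    chain: Optional[str] = None  # findings sharing an id form an attack chain

def cvss_label(score):
    """Map a score to the article's wording (thresholds are an assumption)."""
    return ("very high" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def effective_score(f, chain_max):
    """Adjust the published score for chaining, exploitation and exposure."""
    score = f.cvss
    if f.chain is not None:
        score = max(score, chain_max[f.chain])  # low-scored link, high-impact chain
    if not f.exploited:
        score = min(score, 8.9)                 # Mandiant-style downgrade to 'high'
    if not f.external:
        score -= 1.0                            # not directly exposed
    return round(max(score, 0.0), 1)

def prioritise(findings):
    """Return (note, effective score, label) tuples in patching order."""
    chain_max = {}
    for f in findings:
        if f.chain is not None:
            chain_max[f.chain] = max(chain_max.get(f.chain, 0.0), f.cvss)
    ranked = [(f.note, effective_score(f, chain_max)) for f in findings]
    ranked.sort(key=lambda r: -r[1])
    return [(n, s, cvss_label(s)) for n, s in ranked]

# Constructed sample: the ICMAD CVE from the article plus hypothetical notes.
SAMPLE = [
    Finding("CVE-2022-22536", 10.0, exploited=False, external=True),
    Finding("NOTE-A (hypothetical)", 5.3, exploited=True, external=True, chain="c1"),
    Finding("NOTE-B (hypothetical)", 7.5, exploited=True, external=False, chain="c1"),
    Finding("NOTE-C (hypothetical)", 9.8, exploited=False, external=False),
]
```

With the sample inputs, the externally reachable CVSS 10.0 finding still ranks first but is labelled high rather than very high, and the 5.3 finding is pulled up to the level of the chain it belongs to, which is the point the article makes about not patching by top CVSS score alone.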

Who Is More Dangerous?

Both external and internal SAP cyberattacks can be equally damaging, and it is difficult to determine which attack is worse. The severity of the attack depends on various factors such as the type of attack, the level of access gained, the sensitivity of the data compromised, and the speed and effectiveness of the response.

Internal SAP attackers may have advantages over external attackers, because they have more in-depth knowledge of the system and its vulnerabilities. As such, internal attacks could pose a more significant threat. For example, it can be devastating to an enterprise’s profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its website or ecommerce platform.

External SAP cyberattacks may be more challenging to conduct, because attackers must first breach the system's defenses. Once they gain access, they can cause severe damage, since they can operate from a position of anonymity and exploit vulnerabilities. Furthermore, external hackers usually seek information they can sell or use for profit. In addition, external attacks may be challenging to detect because the attackers are not part of the organization and may not leave any traceable digital footprints.

Conclusion

SAP systems are vulnerable to external and internal cyberattacks, and both types of attackers have unique advantages in achieving their nefarious goals. The internal SAP attackers may have more knowledge of the enterprise security process, the system and its vulnerabilities, making it easier for them to carry out their attacks, but once external attackers gain system access, they can operate from a position of anonymity and continue to exploit vulnerabilities for long periods.

Organizations must act on this knowledge by taking a proactive approach to cybersecurity and implementing appropriate security controls, regularly monitoring the system and training employees to identify and prevent all cyberthreats to their SAP systems.

Endnotes

1 SAP, SAP Corporate Fact Sheet, 16 May 2023
2 SAP, SAP Security Notes
3 SecurityBridge, Automate and Simplify Vulnerability Management for SAP Applications and Custom Code
4 National Institute of Standards and Technology, “CVE-2022-22536 Detail,” USA, 2022
5 National Institute of Standards and Technology, “CVE-2022-22532 Detail,” USA, 2022
6 National Institute of Standards and Technology, “CVE-2022-22533 Detail,” USA, 2022
7 Mans, I.; “Who Are the Typical SAP Attackers?,” SecurityBridge, 1 September 2022

Ivan Mans

Ivan Mans is an experienced SAP technology consultant who has worked in the SAP space since 1997. In 2012, he cofounded SecurityBridge. In his current role as chief technology officer (CTO), he is a motivated driver who inspires people and pushes technology, contributing to the continuous innovation of the SecurityBridge Platform. In recent years, Mans has been a regular speaker at SAP events, where he evangelizes about SAP security.