ERP Threat Report
A recent study by Flashpoint and Onapsis found that business-critical SAP applications are increasingly becoming the focus of cybercriminals. The report shows a significant increase in the number of threat actors targeting SAP vulnerabilities and provides organizations with valuable information to protect their business-critical SAP applications from these threats. The Onapsis Research Labs report highlights the evolution of the SAP threat landscape over the past four years. It shows the growing maturity of this cybercriminal market and the challenges facing the defense side.
2023 was a critical point: cyberattacks on SAP applications have reached a new high and interest from established threat actors and state-sponsored cyber espionage groups has increased significantly. However, all SAP vulnerabilities observed in the report were patched by SAP several years ago. In addition, the ERP company immediately provided its customers with the relevant security advisories. The high level of cyber activity nevertheless indicates that threat actors are still targeting companies with weak SAP cybersecurity governance. The problem is becoming more acute as more and more customers migrate SAP applications to the cloud. This makes them even more exposed to the threat. Research by Onapsis and Flashpoint shows that established professional threat actors and state-sponsored groups are targeting SAP applications more and more aggressively. Their aim is espionage, sabotage or the generation of financial gain. Since 2021, research has shown a 400% increase in ransomware incidents in which SAP systems and data have been compromised at victim companies. As demonstrated by Onapsis Research Labs and CISA, the US Federal Cybersecurity and Infrastructure Security Agency, ransomware campaigns exploit unpatched SAP vulnerabilities, among other things.
Cybercrime on the rise
Ransomware groups have repeatedly modified their malware software in recent years in order to better identify SAP applications and collect or encrypt targeted data. In the period between 2021 and 2023, conversations and exchanges about SAP vulnerabilities on the deep and dark web increased almost fivefold (an increase of 490 percent). Interest in SAP vulnerabilities in cybercriminal forums is increasing significantly. Between 2021 and 2023, discussions in cybercriminal forums about SAP-specific cloud and web services also increased significantly and more than doubled (220 percent). This makes critical SAP applications more accessible to a wider audience of criminal threat actors.
Some companies are falling behind when it comes to ERP cyber security. There is often a lack of information about threat actors in this area, which many information security teams perceive as complex and opaque. That's why SAP and Onapsis have been proactively warning about the increased risk of malicious cyber activity and ransomware threats specifically targeting SAP applications for years. Companies must act and protect themselves. "Threat actors are constantly evolving their tactics and targets to maximize their profits. With the type of data that ERP applications contain, it is no surprise that we have uncovered clear evidence and trends of increasing momentum in online forums and channels. This should be a wake-up call for all of us, not just in the threat intelligence space, but in the cybersecurity space as a whole," said Christian Rencken, Senior Strategic Advisor at Flashpoint.
"The collaboration with Flashpoint provides a wealth of threat intelligence that is important for both security and SAP teams," said Juan Pablo Perez-Etchegoyen, CTO at Onapsis. "By showing how these applications are targeted and how frequently they are attacked, we hope to help CIOs, CISOs and their teams manage the risk of large-scale attacks."
