Cybercriminals Set Their Sights on SAP: The New Goldmine for Hackers

A four-year analysis of threat intelligence data, presented at Black Hat by Yvan Genuer, a senior security researcher at Onapsis, has revealed a significant rise in cybercriminal activity targeting enterprise resource planning (ERP) systems, particularly those from SAP. This surge began in 2020 and persisted through the end of 2023.
SAP software is a cornerstone for the world’s largest organizations, with 87% of Forbes Global 2000 companies relying on it to manage operations and process 77% of global transaction revenue. However, its critical role has made it a prime target for cybercriminals and espionage groups.
A Diverse Array of Threat Actors
The report, developed in collaboration with threat intelligence firm Flashpoint, highlighted a variety of attackers targeting SAP systems. These include cybercrime groups like FIN13 (“Elephant Beetle”), FIN7, and Cobalt Spider, as well as state-sponsored entities such as China’s APT10. Even less sophisticated attackers, such as script kiddies, have joined the fray. The motivation ranges from stealing sensitive data to exploiting the vast transaction volumes managed by SAP systems for financial gain.
High Demand for SAP Exploits
The vulnerabilities CVE-2020-6287 (RECON) and CVE-2020-6207 (SAP Solution Manager missing authentication) sparked widespread discussions in cybercriminal forums about exploiting SAP systems. For instance, in 2020, an exploit targeting SAP Secure Storage was advertised for $25,000, while buyers were willing to pay up to $250,000 for advanced exploits like remote code execution or authentication bypasses for SAP NetWeaver.
Onapsis also reported a 220% increase in discussions about SAP-specific cloud and web services on criminal forums between 2021 and 2023. These forums serve as hubs for exchanging techniques, monetization strategies, and attack methodologies.
Ransomware Campaigns Targeting SAP Systems
Ransomware incidents involving SAP systems have surged fivefold since 2021, with attackers leveraging unpatched vulnerabilities. While older exploits lose effectiveness over time, the demand for new, undisclosed vulnerabilities (zero-days) remains high due to their potential profitability.
Persistent Threats from Unpatched Systems
A significant portion of attacks exploit known but unresolved vulnerabilities. Publicly disclosed flaws, such as CVE-2021-38163 and CVE-2022-22536, continue to be exploited in ransomware campaigns. The complexity of SAP systems and their integration into enterprise processes make them particularly challenging to secure, according to Onapsis.
Yvan Genuer emphasized the growing risk, stating, “SAP is no longer a black box—these applications are now targeted.” Both internet-exposed and internal systems are at risk, underscoring the need for robust security measures.
Expert Warnings and Recommendations
Independent experts echoed Onapsis’ findings. Chris Morgan, a senior cyber threat intelligence analyst at ReliaQuest, highlighted the critical role SAP systems play in managing sensitive data, including financial transactions and intellectual property. The development of sophisticated exploits, such as those targeting SAP Secure Storage, demonstrates a high level of technical expertise, justifying their steep prices.
ReliaQuest uncovered an exploit advertised in 2020 for $25,000, which claimed to enable lateral movement within SAP environments by uncovering credentials, elevating privileges, and compromising additional systems.
Mitigation Strategies
Onapsis advises enterprises to adopt proactive security measures, including regular patch management, vulnerability assessments, and advanced threat intelligence practices, to mitigate the risks posed by these evolving threats. As SAP systems remain integral to global business operations, prioritizing their security has become more critical than ever.