50,000 companies exposed to hacks of 'business critical' SAP systems: researchers
[May 02, 2019]
By Jack Stubbs
LONDON (Reuters) - Up to 50,000 companies
running SAP software are at greater risk of being hacked after security
researchers found new ways to exploit vulnerabilities of systems that
haven't been properly protected and published the tools to do so online.
German software giant SAP said it issued guidance on how to correctly
configure the security settings in 2009 and 2013. But data compiled by
security firm Onapsis shows that 90 percent of affected SAP systems have
not been properly protected.
"Basically, a company can be brought to a halt in a matter of seconds,"
said Onapsis Chief Executive Mariano Nunez, whose company specializes in
securing business applications such as those made by SAP and rival
Oracle.
"With these exploits, a hacker could steal anything that sits on a
company's SAP systems and also modify any information there – so he can
perform financial fraud, withdraw money, or just plainly sabotage and
disrupt the systems."
SAP said: "SAP always strongly recommends to install security fixes as
they are released."
SAP software is used by more than 90 percent of the world's top 2,000
companies to manage everything from employee payrolls to product
distribution and industrial processes.
Security experts say attacks on those systems could be hugely damaging,
both for the victim organizations and their wider supply chain. SAP
customers collectively distribute 78 percent of the world's food and 82
percent of global medical devices, the company says on its website.
Sogeti security consultant Mathieu Geli, one of the researchers who
developed the exploits released online last month, said the issue
concerned the way SAP applications talk to one another inside a
company.
If a company's security settings are not configured correctly, he said,
a hacker can trick an application into thinking they are another SAP
product and gain full access without the need for any login credentials.
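The article does not name the settings involved. The Onapsis 10KBLAZE report the story refers to covers misconfigured access control lists for the SAP Gateway (the secinfo and reginfo files) and the Message Server, which is what lets a remote program pose as a trusted SAP component. The checker below is an added illustration written for this page, not code from Onapsis, Sogeti or SAP: it parses the documented VERSION=2 line format of secinfo/reginfo and flags permit-all entries, and it shows a constructed weak file next to a constructed hardened one. Treating a missing HOST as equivalent to HOST=* and expecting a closing D TP=* rule are labelled assumptions of the example, not statements from the article.

```python
"""Audit SAP Gateway ACL files (secinfo / reginfo) for wildcard entries.

Added example, not code from Onapsis, Sogeti or SAP. The sample files below
are constructed; their line syntax follows SAP's documented VERSION=2 format
(a P/permit or D/deny verb followed by KEY=VALUE tokens, '#' comments).
"""
from dataclasses import dataclass, field

WILDCARD = "*"


@dataclass
class Rule:
    verb: str                                   # "P" (permit) or "D" (deny)
    attrs: dict = field(default_factory=dict)   # e.g. {"TP": "*", "HOST": "internal"}
    lineno: int = 0


def parse_acl(text):
    """Parse a secinfo/reginfo file into Rule objects (comments skipped)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment, or #VERSION=2 header
            continue
        tokens = line.split()
        verb = tokens[0].upper()
        if verb not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown verb {tokens[0]!r}")
        attrs = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            attrs[key.upper()] = value
        rules.append(Rule(verb, attrs, lineno))
    return rules


def is_wide_open(rule):
    """True for a permit rule that lets any host start/register any program.

    Assumption (labelled): a missing HOST is treated like HOST=*, since an
    unrestricted host scope is exactly the condition the article warns about.
    """
    if rule.verb != "P":
        return False
    tp = rule.attrs.get("TP", WILDCARD)
    host = rule.attrs.get("HOST", WILDCARD)
    return tp == WILDCARD and host == WILDCARD


def audit_acl(name, text):
    """Return a list of human-readable findings for one ACL file."""
    findings = []
    rules = parse_acl(text)
    for r in rules:
        if is_wide_open(r):
            findings.append(f"{name}:{r.lineno}: permit-all rule {r.attrs}")
    # Assumption (labelled): a hardened file ends with an explicit deny-all,
    # so requests matching nothing above it are rejected rather than relying
    # on the gateway's default behaviour for that release.
    if not rules or rules[-1].verb != "D":
        findings.append(f"{name}: no closing deny rule (expected 'D TP=*' as last line)")
    return findings


def audit_gateway(secinfo_text, reginfo_text):
    """Audit both Gateway ACL files together."""
    return audit_acl("secinfo", secinfo_text) + audit_acl("reginfo", reginfo_text)


# --- constructed samples ---------------------------------------------------
# Weak: any program from any host may be started or registered (no deny).
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""
WEAK_REGINFO = """#VERSION=2
P TP=*
"""

# Hardened: only the system's own application servers (internal) and the
# local host may start or register programs; everything else is denied.
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=local HOST=local
D TP=*
"""
HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=internal ACCESS=internal CANCEL=internal
P TP=* HOST=local ACCESS=local CANCEL=local
D TP=*
"""

if __name__ == "__main__":
    for label, sec, reg in (("weak", WEAK_SECINFO, WEAK_REGINFO),
                            ("hardened", HARDENED_SECINFO, HARDENED_REGINFO)):
        findings = audit_gateway(sec, reg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Run against real files, the checker is only a first pass: the gateway also has to be told to enforce the files (the profile parameters that point at secinfo/reginfo), and the Message Server keeps its own separate ACL, so a clean result here does not by itself mean the system is protected.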
[Photo: People pose in front of a display showing the word 'cyber' in binary
code, in this picture illustration taken in Zenica December 27,
2014. REUTERS/Dado Ruvic]
SAP said customer security was a priority and the vulnerabilities showed
the need for clients to implement recommended fixes when they are
released. "Security is a collaborative process, so our customers and
partners need to safeguard their systems as well," it said in a
statement.
CRITICAL SYSTEMS
Researchers at Onapsis said on Thursday they were naming the exploits
"10KBLAZE" because of the threat they posed to "business-critical
applications" which, if hacked, could result in "material misstatements"
in U.S. financial filings.
Nunez said he would share his company's ability to detect the
vulnerabilities with other security vendors to help secure all SAP users
against possible future attacks. Full details here https://www.onapsis.com/10kblaze
Sogeti's Geli said he created the exploits to prove the danger of the
vulnerabilities and released them online in order to help experts test
the security of SAP systems.
He said there was a risk they could be used by malicious actors but not
people without technical ability, and it was more important for
companies to update their security settings.
"We are just pointing out something that is already fixed for SAP but
clients maybe are a bit late on," he said. "We are trying to push that
and say: 'Guys, this is critical, you need to fix it.'"
(The story refiles to fix weblink in paragraph 12)
(Reporting by Jack Stubbs; editing by Georgina Prodhan)
© 2019 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.