Can an SAP system be affected by ransomware?

Ransomware dominated the cyberthreat landscape in 2016 and is still one of the biggest threats hitting both individuals and enterprises. As for the latter, cybersecurity experts have noticed a major shift in the focus of such attacks: cybercriminals are primarily targeting organizations, making ransomware a billion-dollar business. Ransom attacks are constantly diversifying and growing in sophistication, and new forms of malware appear almost every week. It's safe to say that it is going to get worse and that no system or application is immune. ERPScan researchers identified a vulnerability in the SAP GUI client for Windows, which potentially opens the door to ransom attacks against millions of SAP users.

How exactly is the vulnerability exploited?

In March, SAP released its scheduled set of SAP Security Notes. It includes a fix for a Remote Command Execution vulnerability in SAP GUI, identified by ERPScan's researchers. The issue is tracked as CVE-2017-6950 and has a CVSS v3 base score of 8.0. As the name implies, a successful attack lets an attacker execute a command remotely, which essentially gives unfettered control over endpoint devices where the SAP GUI application is installed. To leverage the vulnerability, an attacker first has to compromise the SAP server. Several security issues allow doing so, and a number of them are still in the patching process.

How can an attacker conduct a ransom attack against an SAP system?

The latest MongoDB and Elasticsearch incidents demonstrated that ransomware attacks are lucrative, so hackers are looking for new ransomware mechanisms. Researchers who identified the vulnerability claim that this bug can be used to infect all endpoints within a victim company.
“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange to regain control of their systems. Of note, each client has its own unique payment address, which worsens the situation.” - Vahagn Vardanyan, one of the researchers who discovered this bug

How do I protect my SAP System?

Updates and patches are the backbone of ransomware protection. It is recommended that SAP customers install SAP Security Note 2407616.

What is SAP GUI?

SAP GUI (graphical user interface) is a platform providing remote access to the SAP central server in a company network. It allows an SAP user to access functionality in SAP applications such as SAP ERP, SAP Business Suite (SAP CRM, SAP SCM, SAP PLM, and others), and SAP Business Intelligence. SAP GUI is installed on every SAP user workstation, so the number of potential victims may be in the millions.