The Extent of Deployment
In recent years, cyberattacks against SAP systems have become more common, as 99 of the 100 largest companies in the world are SAP business applications customers with SAP customers generating 87% of total global commerce ($46 trillion), according to SAP.com. Attackers gain network access and then explore critical applications through port scanning and script-based exploration. The password lock attack and the password spray attack are two easy to identify attack examples that use the SAP RFC SDK open programming interface to secure direct access to SAP functions. In this article, I will outline how to detect these script-based attacks against SAP.
Example 1: Password Lock Attack
The password lock attack targetsย SAPย user accounts by creating multiple failed login attempts to lock them out of the system. This attack aims to disrupt business operations by preventing legitimate users from accessing the system. The attack uses theย SAPย RFC SDK, which allows the attacker to automate the login process and repeatedly enter incorrect passwords until the account is locked.
To detect a password lock attack, you should monitor the failed login attempts on yourย SAPย system.ย SAPย keeps track of the number of failed login attempts for each user, and if the number of failed attempts exceeds a certain threshold, the account is locked. You should set up alerts when a user account gets locked due to failed login attempts. You should also monitor the logs for any unusual login activity, such as many login attempts from a single IP address.
Example 2: Password Spray Attack
The password spray attack is anotherย script-basedย attack that targetsย SAPย user accounts. In this attack, the attacker tries to guess user passwords or weak initial passwords set by the admin. The attack uses theย SAPย RFC SDK, which allows the attacker to automate the login process and repeatedly try different passwords until achieving a successful login.
To detect a password spray attack, you should monitor the login activity on yourย SAPย system. Look for patterns of failed login attempts from a single IP address, which may indicate that an attacker is trying to guess passwords. You should also monitor the logs for any unusual login activity, such as multiple login attempts from a single IP address.
Are SAP Interfaces Especially Vulnerable?
Everyย SAPย Basis admin knows thatย SAPย S/4HANA andย SAPย NetWeaver provide the profile parameterย login/fails_to_user_lock,ย to allow setting the threshold after how many failed login attempts the account will be locked. This parameter is usually set to โ5โ, which is also the default configuration following the system installation. It happens to every user during their daily jobs that one key in the wrong password. Each time this appears, the system increases a failed login counter which is then reset at the next successful account login.
Interface users, however, are used to communicate betweenย SAPย systems and other applications. In addition to automated processes, such as sales orders or PO confirmations, these users are also used to send and receive data between systems. These users are particularly vulnerable toย script-basedย attacksย because their failed login attempt counter starts with every successful login.
If you want to detectย script-basedย attacksย againstย interface users, you should closely monitor the failed login attempts for these users in theย SAPย Security Audit Log. You should detect statistical anomalies and receive an alert that notifies you when there have been many failed login attempts for a specific technical user. You should also monitor the logs for any unusual login activity, such as many login attempts from a single IP address.
More sophisticated attack scenarios exist using scripts to enable the threat actor to attack a wide range of assets (i.e., SAP accounts). My team has detected script-based attacks against SAP systems in the wild, and it is essential to identify them early to prevent damage to your business operations. By monitoring failed login attempts and login activity on your SAP system, you can detect password lock, password spray attacks, and attacks against interface users. For this article, I have purposefully chosen two simple examples. Many more attack scenarios exist that are more complicated and dangerous, particularly when the SAP system has unpatched vulnerabilities. It is, therefore, crucial to keep your SAP system up to date with the latest security patches and to implement transparent security monitoring, building the foundation to detect and prevent cyberattacks.
From SecurityBridge