Detecting Script-Based Attacks Against SAP
Posted: Tuesday, Mar 05

i 3 Table of Contents

Detecting Script-Based Attacks Against SAP

The Extent of Deployment

In recent years, cyberattacks against SAP systems have become more common, as 99 of the 100 largest companies in the world are SAP business applications customers with SAP customers generating 87% of total global commerce ($46 trillion), according to Attackers gain network access and then explore critical applications through port scanning and script-based exploration. The password lock attack and the password spray attack are two easy to identify attack examples that use the SAP RFC SDK open programming interface to secure direct access to SAP functions. In this article, I will outline how to detect these script-based attacks against SAP.

Example 1: Password Lock Attack

The password lock attack targets SAP user accounts by creating multiple failed login attempts to lock them out of the system. This attack aims to disrupt business operations by preventing legitimate users from accessing the system. The attack uses the SAP RFC SDK, which allows the attacker to automate the login process and repeatedly enter incorrect passwords until the account is locked.

To detect a password lock attack, you should monitor the failed login attempts on your SAP system. SAP keeps track of the number of failed login attempts for each user, and if the number of failed attempts exceeds a certain threshold, the account is locked. You should set up alerts when a user account gets locked due to failed login attempts. You should also monitor the logs for any unusual login activity, such as many login attempts from a single IP address.

Example 2: Password Spray Attack

The password spray attack is another script-based attack that targets SAP user accounts. In this attack, the attacker tries to guess user passwords or weak initial passwords set by the admin. The attack uses the SAP RFC SDK, which allows the attacker to automate the login process and repeatedly try different passwords until achieving a successful login.

To detect a password spray attack, you should monitor the login activity on your SAP system. Look for patterns of failed login attempts from a single IP address, which may indicate that an attacker is trying to guess passwords. You should also monitor the logs for any unusual login activity, such as multiple login attempts from a single IP address.

Are SAP Interfaces Especially Vulnerable?

Every SAP Basis admin knows that SAP S/4HANA and SAP NetWeaver provide the profile parameter login/fails_to_user_lock, to allow setting the threshold after how many failed login attempts the account will be locked. This parameter is usually set to “5”, which is also the default configuration following the system installation. It happens to every user during their daily jobs that one key in the wrong password. Each time this appears, the system increases a failed login counter which is then reset at the next successful account login.

Interface users, however, are used to communicate between SAP systems and other applications. In addition to automated processes, such as sales orders or PO confirmations, these users are also used to send and receive data between systems. These users are particularly vulnerable to script-based attacks because their failed login attempt counter starts with every successful login.

If you want to detect script-based attacks against interface users, you should closely monitor the failed login attempts for these users in the SAP Security Audit Log. You should detect statistical anomalies and receive an alert that notifies you when there have been many failed login attempts for a specific technical user. You should also monitor the logs for any unusual login activity, such as many login attempts from a single IP address.

More sophisticated attack scenarios exist using scripts to enable the threat actor to attack a wide range of assets (i.e., SAP accounts). My team has detected script-based attacks against SAP systems in the wild, and it is essential to identify them early to prevent damage to your business operations. By monitoring failed login attempts and login activity on your SAP system, you can detect password lock, password spray attacks, and attacks against interface users. For this article, I have purposefully chosen two simple examples. Many more attack scenarios exist that are more complicated and dangerous, particularly when the SAP system has unpatched vulnerabilities. It is, therefore, crucial to keep your SAP system up to date with the latest security patches and to implement transparent security monitoring, building the foundation to detect and prevent cyberattacks.

From SecurityBridge

Christoph Nagy
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member, and CEO at SecurityBridge–a global SAP security provider, serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.
Share This