50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers

FILE PHOTO: People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

By Jack Stubbs

LONDON (Reuters) – Up to 50,000 companies running SAP software are at greater risk of being hacked after security researchers found new ways to exploit vulnerabilities of systems that haven’t been properly protected and published the tools to do so online.

German software giant SAP said it issued guidance on how to correctly configure the security settings in 2009 and 2013. But data compiled by security firm Onapsis shows that 90 percent of affected SAP systems have not been properly protected.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP said: “SAP always strongly recommends to install security fixes as they are released.”

SAP software is used by more than 90 percent of the world’s top 2,000 companies to manage everything from employee payrolls to product distribution and industrial processes.

Security experts say attacks on those systems could be hugely damaging, both for the victim organizations and their wider supply chain. SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices, the company says on its website.

Sogeti security consultant Mathieu Geli, one of the researchers who developed the exploits released online last month, said the issue concerned the way SAP applications talk to one another inside a company.

If a company’s security settings are not configured correctly, he said, a hacker can trick an application into thinking they are another SAP product and gain full access without the need for any login credentials.

SAP said customer security was a priority and the vulnerabilities showed the need for clients to implement recommended fixes when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.

CRITICAL SYSTEMS

Researchers at Onapsis said on Thursday they were naming the exploits “10KBLAZE” because of the threat they posed to “business-critical applications” which, if hacked, could result in “material misstatements” in U.S. financial filings.

Nunez said he would share his company’s ability to detect the vulnerabilities with other security vendors to help secure all SAP users against possible future attacks.

Sogeti’s Geli said he created the exploits to prove the danger of the vulnerabilities and released them online in order to help experts test the security of SAP systems.

He said there was a risk they could be used by malicious actors but not people without technical ability, and it was more important for companies to update their security settings.

“We are just pointing out something that is already fixed for SAP but clients maybe are a bit late on,” he said. “We are trying to push that and say: ‘Guys, this is critical, you need to fix it.’”

(Reporting by Jack Stubbs; editing by Georgina Prodhan)

Tech firms, including Microsoft, Facebook, vow not to aid government cyber attacks

Silhouettes of mobile users are seen next to a screen projection of Microsoft logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

By Dustin Volz

SAN FRANCISCO (Reuters) – Microsoft, Facebook and more than 30 other global technology companies on Tuesday announced a joint pledge not to assist any government in offensive cyber attacks.

The Cybersecurity Tech Accord, which vows to protect all customers from attacks regardless of geopolitical or criminal motive, follows a year that witnessed an unprecedented level of destructive cyber attacks, including the global WannaCry worm and the devastating NotPetya attack.

“The devastating attacks from the past year demonstrate that cyber security is not just about what any single company can do but also about what we can all do together,” Microsoft President Brad Smith said in a statement. “This tech sector accord will help us take a principled path toward more effective steps to work together and defend customers around the world.”

Smith, who helped lead efforts to organize the accord, was expected to discuss the alliance in a speech on Tuesday at the RSA cyber security conference in San Francisco.

The accord also promised to establish new formal and informal partnerships within the industry and with security researchers to share threats and coordinate vulnerability disclosures.

The pledge builds on an idea for a so-called Digital Geneva Convention Smith rolled out at last year’s RSA conference, a proposal to create an international body to protect civilians from state-sponsored hacking.

Countries, Smith said then, should develop global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two.

In addition to Microsoft and Facebook, 32 other companies signed the pledge, including Cisco, Juniper Networks, Oracle, Nokia, SAP, Dell and cyber security firms Symantec, FireEye and Trend Micro.

The list of companies does not include any from Russia, China, Iran or North Korea, widely viewed as the most active in launching destructive cyber attacks against their foes.

Major U.S. technology companies Amazon, Apple, Alphabet and Twitter also did not sign the pledge.

(Reporting by Dustin Volz; Editing by Dan Grebler)