50,000 companies running SAP software face hacking: Onapsis

Security firm Onapsis said up to 50,000 companies running SAP software are facing the risk of being hacked.
The security researchers found ways to exploit vulnerabilities in those systems and published the tools to do so online.

German software giant SAP said it issued guidance on how to correctly configure the security settings in 2009 and 2013. Onapsis said 90 percent of affected SAP systems have not been properly protected, Reuters reported.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

More than 90 percent of the world’s top 2,000 companies use SAP software to manage everything from employee payrolls to product distribution and industrial processes.

Security experts say attacks on systems could be damaging, both for the victim organizations and their wider supply chain. SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices, the company says on its website.

Sogeti security consultant Mathieu Geli, one of the researchers who developed the exploits released online last month, said the issue concerned the way SAP applications talk to one another inside a company.

If a company’s security settings are not configured correctly, he said, a hacker can trick an application into thinking they are another SAP product and gain full access without the need for any login credentials.

SAP said customer security was a priority and the vulnerabilities showed the need for clients to implement recommended fixes when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.

Researchers at Onapsis said they were naming the exploits 10KBLAZE because of the threat they posed to business-critical applications which, if hacked, could result in misstatements in U.S. financial filings.