A timely warning to keep systems patched has appeared, via a jointly-released report from Onapsis and SAP. The report details how threat actors are “[targeting and potentially exploiting unprotected mission-critical SAP applications](<https://news.sap.com/2021/04/sap-onapsis-application-cyber-threat/>)”. Some of the vulnerabilities used were weaponised fewer than 72 hours after patches are released. In some cases, a newly deployed SAP instance could be compromised in [just under a week](<https://www.theregister.com/2021/04/06/sap_patch_attacks/>) if people aren’t patching. ### Old threats cause new problems The vulnerabilities being exploited were [patched months or even years ago](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>). Sadly, when organisations don’t patch and update, compromise is only a step away. This isn’t a new phenomenon, by any means. It doesn’t matter if we’re talking software or hardware fixes, or replacing an insecure Windows XP box on the network, or running updates you’ve been putting off for that old mobile phone in your drawer. Erratic update routines, or worse still, abandoning them altogether can lead to serious consequences. In its [own press release on the subject](<https://news.sap.com/2021/04/sap-onapsis-application-cyber-threat/>), SAP warns that a failure to patch could give cybercriminals "full control of the unsecured SAP applications", while pointing out that its cloud-based solutions are not at risk: > The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP. The US Department of Homeland Security’s CISA lists some of the serious end-results of failing to make use of the available SAP patches, in an [announcement](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) that followed the release of the report: * Financial fraud * Disruption to business * Sensitive data theft * Ransomware * Halt of operations ### Patch early, patch often From the above list, ransomware alone could lead to any of those security issues. The data in the threat intelligence report is incredibly useful for anybody who thinks they could be affected. Thanks to SAP and Onapsis, we know how brief the window can be for those tasked with defending systems to do something about it. It also highlights how both security and compliance are at risk, along with some of the techniques attackers will try to use out in the wild. Regular readers will know we’re [big on patching and updating](<https://blog.malwarebytes.com/?s=patch>). Some of the most undesirable threats around [thrive on a lack of regular updates](<https://www.pandasecurity.com/en/mediacenter/security/consequences-not-applying-patches/>). Manual, as opposed automatic updates, can also bring [headaches for organisations](<https://www.computerweekly.com/news/252438578/Security-professionals-admit-patching-is-getting-harder>) struggling to [get up to speed](<https://blog.trendmicro.com/just-patch-isnt-easy-think/>) with best practices. It’s certainly not easy, with some organisations simply [choosing to never patch at all](<https://deltarisk.com/blog/we-dont-need-no-stinking-patches-why-organizations-dont-patch/>). ### A lack of patching may lead to disaster That risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [study of 340 security professionals in 2019](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) found 27% of organisations worldwide, and 34% in Europe, said they’d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with. If your organisation is a touch lax on patching, or making it up as you go along – fear not! There’s still time to get a grip on this difficult subject. Whether you use any of the systems mentioned in the threat report up above or not, timely patching is the way to go. The threats to your business may not come knocking at the door today, or even tomorrow, but that won’t be the case forever. The post [SAP warns of malicious activity targeting unpatched systems](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/sap-warns-of-malicious-activity-targeting-unpatched-systems/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).