Severity
High
Analysis summary
SAP Gateway ACL
The SAP Gateway allows non-SAP applications to communicate with SAP applications using the Open Data Protocol (OData). If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.
SAP Router secinfo
The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for an SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access an SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.
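The two weaknesses above come down to two artefacts an administrator can inspect directly: the instance profile parameter gw/acl_mode and the gateway secinfo ACL file. The following audit script is an added example written for this alert (it is not Rewterz or SAP tooling). The file contents it checks are constructed samples, and the "permit anything" heuristic (a permit rule whose program, host and user-host fields are all wildcards) is the author's own; the parameter names gw/acl_mode and gw/sec_info and the secinfo #VERSION=2 syntax are standard SAP conventions.

```python
"""Audit an SAP instance profile and gateway secinfo ACL for the permissive
settings described in the alert.  Added example, not SAP's own tooling;
all file contents below are constructed samples."""
import re

ACL_MODE_PARAM = "gw/acl_mode"   # 0: permit everything when ACL files are missing
SECINFO_PARAM = "gw/sec_info"    # path of the secinfo file (informational here)


def parse_profile(text):
    """Parse 'name = value' lines of an SAP instance profile into a dict.
    Lines starting with '#' are comments; parameter names are case-sensitive."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_secinfo(text):
    """Parse a gateway secinfo file into a list of rule dicts.

    Version 2 files start with '#VERSION=2'; each rule begins with 'P' (permit)
    or 'D' (deny) followed by KEY=VALUE pairs.  Version 1 files have no action
    prefix and every line is an implicit permit."""
    version = 1
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"#VERSION\s*=\s*(\d+)", line, re.IGNORECASE)
        if m:
            version = int(m.group(1))
            continue
        if line.startswith("#"):
            continue
        tokens = line.split()
        action = "P"
        if version >= 2 and tokens[0].upper() in ("P", "D"):
            action = tokens.pop(0).upper()
        fields = {}
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key.upper()] = value
        rules.append({"action": action, **fields})
    return rules


def _wildcard(value):
    """A missing field or '*' matches everything."""
    return value is None or value == "*"


def permissive_rules(rules):
    """Permit rules that allow any program from any host (heuristic: TP, HOST
    and, when present, USER-HOST are all wildcards)."""
    return [r for r in rules
            if r["action"] == "P"
            and _wildcard(r.get("TP"))
            and _wildcard(r.get("HOST"))
            and _wildcard(r.get("USER-HOST"))]


def audit(profile_text, secinfo_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    params = parse_profile(profile_text)
    mode = params.get(ACL_MODE_PARAM)
    if mode == "0":
        findings.append(f"{ACL_MODE_PARAM} = 0: gateway permits everything when "
                        "secinfo/reginfo are missing")
    elif mode is None:
        findings.append(f"{ACL_MODE_PARAM} not set: effective value depends on the "
                        "kernel default, verify it explicitly")
    for r in permissive_rules(parse_secinfo(secinfo_text)):
        rule = " ".join(f"{k}={v}" for k, v in r.items() if k != "action")
        findings.append("secinfo permits any program from any host: " + rule)
    return findings


# Constructed samples: a weak configuration and a hardened one.
WEAK_PROFILE = "SAPSYSTEMNAME = PRD\ngw/acl_mode = 0\ngw/sec_info = /usr/sap/PRD/SYS/global/secinfo\n"
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* USER-HOST=* HOST=*\n"
HARDENED_PROFILE = "SAPSYSTEMNAME = PRD\ngw/acl_mode = 1\ngw/sec_info = /usr/sap/PRD/SYS/global/secinfo\n"
HARDENED_SECINFO = ("#VERSION=2\n"
                    "P TP=sapxpg USER=* USER-HOST=local HOST=local\n"
                    "P TP=saphttp USER=* USER-HOST=local HOST=local\n"
                    "D TP=* USER=* USER-HOST=* HOST=*\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK_PROFILE, WEAK_SECINFO))
    print("hardened:", audit(HARDENED_PROFILE, HARDENED_SECINFO))
```

The hardened sample ends with an explicit deny-all rule after the specific permits, so programs not listed are rejected regardless of gw/acl_mode; the version 1 branch is kept because older landscapes still carry files without the #VERSION header, where every line is a permit.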
SAP Message Server
SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX with no authentication. If an attacker can reach a Message Server, they can redirect legitimate requests and/or intercept them from a man-in-the-middle (MITM) position, thereby obtaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them).
Impact
System Compromise
Remediation
- Ensure a secure configuration of the SAP landscape.
- Restrict access to the SAP Message Server.
- Scan for exposed SAP components.
- Ensure that SAP components are not exposed to the internet.
- Remove or secure any exposed SAP components.
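A first step towards "scan for exposed SAP components" is an inventory of which SAP services a host actually offers on all interfaces, so that network-level restrictions can be verified for each. The script below is an added example for this alert (not Rewterz or SAP tooling) that parses `ss -ltn` output and groups SAP listeners bound to a wildcard address by instance number. The socket lines are constructed; the 39NN port is the Message Server port named above, while 33NN (gateway), 36NN (Message Server external) and 3299 (SAProuter) are standard SAP port conventions added from general SAP knowledge.

```python
"""Inventory SAP services from `ss -ltn` output and group those bound to all
interfaces by instance number.  Added example for the remediation steps above;
not Rewterz or SAP tooling.  Socket lines below are constructed."""
import re
from collections import defaultdict

# Port pattern -> service name.  NN (the two captured digits) is the SAP
# instance number; SAProuter uses a fixed port.
SAP_PORTS = [
    (re.compile(r"^33(\d\d)$"), "SAP Gateway"),
    (re.compile(r"^36(\d\d)$"), "SAP Message Server (external)"),
    (re.compile(r"^39(\d\d)$"), "SAP Message Server (internal)"),
    (re.compile(r"^(3299)$"), "SAProuter"),
]
# Wildcard bind addresses as ss prints them for IPv4 and IPv6.
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss_listeners(text):
    """Return (address, port) tuples from LISTEN lines of `ss -ltn` output.
    Column layout: State Recv-Q Send-Q Local:Port Peer:Port [Process]."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition keeps [::] intact
        listeners.append((addr, port))
    return listeners


def classify_port(port):
    """Map a port string to (service, instance) or None if not a known SAP port."""
    for pattern, name in SAP_PORTS:
        m = pattern.match(port)
        if m:
            instance = "-" if name == "SAProuter" else m.group(1)
            return name, instance
    return None


def exposed_sap_services(ss_text):
    """Group SAP services bound to a wildcard address by instance number.
    Such binds are normal on an SAP host; each hit is a service whose
    reachability must be confirmed as limited to internal networks."""
    by_instance = defaultdict(list)
    for addr, port in parse_ss_listeners(ss_text):
        info = classify_port(port)
        if info and addr in ANY_ADDR:
            service, instance = info
            by_instance[instance].append(f"{service} on {addr}:{port}")
    return dict(by_instance)


# Constructed `ss -ltn` output for one host running instance 00 and an SAProuter.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:3300        0.0.0.0:*
LISTEN 0      128    0.0.0.0:3900        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3600      0.0.0.0:*
LISTEN 0      128    [::]:3299           [::]:*
"""

if __name__ == "__main__":
    for instance, hits in sorted(exposed_sap_services(SAMPLE_SS).items()):
        print(f"instance {instance}:")
        for hit in hits:
            print("  ", hit)
```

On a real host, feed it `ss -ltn` output (for example via `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`); a service bound only to 127.0.0.1, like the 3600 listener in the sample, is not reported, which is the intended reading of "restrict access".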