The AI landscape is experiencing a remarkable surge in investments, especially following ChatGPT's one-year milestone, showcasing the transformative potential of these models.
However, this rapid progress has also highlighted a significant gap in cybersecurity readiness among organizations. According to McKinsey, while 40% of companies plan to increase their AI investments, only 38% are actively working to mitigate the associated cybersecurity risks. This discrepancy underscores the critical need for a balanced approach that leverages AI's benefits while ensuring robust cybersecurity measures.
In this episode of the Tech Talks Daily Podcast, we speak with JP Perez-Etchegoyen, CTO of Onapsis, to delve into the critical aspects of AI and cybersecurity strategy from a CEO's perspective. Mariano brings a wealth of experience to the discussion, providing valuable insights into the leadership imperative in steering organizations toward responsible AI adoption.
JP emphasizes the pivotal role of CEOs in guiding their companies through the complex landscape of AI adoption. He discusses the importance of developing a nuanced strategy that harnesses the potential of generative AI while maintaining a strong focus on cybersecurity. This approach ensures that innovation and security go hand in hand, safeguarding the organization against emerging threats.
We explore the specific challenges that come with integrating AI into business operations, particularly the need to address vulnerabilities and mitigate risks. JP shares strategies that enable organizations to make the most of AI technologies without compromising their security posture. He highlights the importance of proactive measures, continuous monitoring, and the integration of AI with existing security frameworks to create a resilient and secure environment.
[00:00:01] How secure are your SAP systems against those determined efforts of cybercriminals? Well in today's episode of Tech Talks Daily I'm joined by my good friend JP. Yeah, regular listeners will know he is the CTO of Onapsis.
[00:00:19] And today we're going to uncover the vulnerabilities that are turning SAP systems into prime targets for lucrative cyber exploits. And I want to dive into the complex world of SAP security and explore everything from the methods that attackers use to breach those systems
[00:00:37] to the underground market for SAP exploits. And ask you, how prepared is your business to defend against these sophisticated threats? Now obviously hosting a Daily Tech Podcast comes with its challenges and so I'm incredibly grateful to our sponsor for their essential support.
[00:00:56] But defence contractors face immense pressure to comply with CMMC 2.0 security standards. Now finding a secure, easy to use file sharing solution that meets those CMMC 2.0 guidelines is quite a challenge.
[00:01:11] And the federal government and federal system integrators supporting the Departments of Defence have similar compliance requirements for improving cyber security and data protection. So why not get on the faster path to CMMC 2.0 compliance with a company called Kiteworks.
[00:01:26] Where you can leverage the same zero trust framework used for federal requirements and a platform that offers secure file sharing tailored for the defence industry's unique needs. With granular access controls, encryption and DLP integration, Kiteworks exceeds legacy tools in security capabilities.
[00:01:46] Kiteworks is a FedRAMP moderate authorized to give you that peace of mind. So why not accelerate your CMMC 2.0 compliance and address federal zero trust requirements with Kiteworks' universal secure file sharing platform that is made for defence contractors. Simply visit kiteworks.com to get started.
[00:02:06] Well buckle up and hold on tight as I beam your ears all the way to Brazil to complete his hat trick of appearances. So a massive warm welcome back to the show JP. It's been a while since we last spoke.
[00:02:20] So can you remind the listeners with a little about who you are and what you do? Absolutely. Glad to be back. Happy to be here. I'm JP. My name is actually longer, but JP goes perfectly fine.
[00:02:36] I'm CTO and one of the founders of Onapsis. So we focus on cybersecurity for ERP applications with a strong focus on SAP. We work very closely with some of the largest organizations, some of the largest SAP customers in the world.
[00:02:52] We do a lot of research and threat intelligence focused on SAP applications. And that's one of the reasons I reached out to you and invited you back on the podcast. There's so much happening around SAP at the moment.
[00:03:07] And just to set the scene for our conversation, could you tell me a little about why SAP systems have become such a lucrative target for cyber criminals? What is it that's making them so particularly attractive right now?
[00:03:21] Absolutely. And it has to do with many different factors, but it all starts with the technology. SAP applications are built on top of complex and until recently somehow unknown technology. So threat actors, attackers were not exposed to the concepts around SAP technology, the different protocols and the vulnerabilities.
[00:03:46] But this knowledge is being widespread, known, discussed over the open, deep and dark web. So this makes it much simpler for attackers to be able to target these applications. And they do and they profit by targeting these applications in many different ways.
[00:04:08] One of them being ransomware, which grew from 2021 to 2023, 400% in terms of the incidents affecting these applications. But it also grows by fraud, right? Threat actors know that these applications are integrated into financial processes, into payment processes, into the core of the business.
[00:04:35] So they understand that there are many different ways to perform fraud in these ways. And we can speak for hours on topics around fraud, but it's all because these processes run on top of SAP applications.
[00:04:51] And also because of the value of this, the information stored on these applications by accessing SAP applications, by reaching into these applications, threat actors can have access to huge volumes of very sensitive and critical information.
[00:05:09] And they can profit out of it, selling it and also becoming part of ransomware projects. So many different ways in which threat actors can profit out of it. They know it, and knowledge about SAP technology and SAP vulnerabilities has also been spearheading these types of efforts.
[00:05:36] And I'm curious, what are the most common methods that attackers are using to exploit those known SAP vulnerabilities, particularly remote code execution or RCE? Are there any recent examples you can share?
[00:05:50] Yeah, absolutely. There are many different vulnerabilities like ICMAD or RECON that basically allow for remote command execution on these applications. But those are just two examples of many different vulnerabilities. Just to give you an example, today is Patch Tuesday for many different vendors, for SAP as well.
[00:06:18] Today, the Onapsis Research Labs was awarded for reporting 55% of the vulnerabilities that were patched on the Patch Tuesday, July Patch Tuesday. So that gives you a little bit of a perspective in terms of, hey, every month vulnerabilities are coming up, discovered by external researchers, by SAP itself.
[00:06:45] And organizations have to address these. Some of these are remote command execution vulnerabilities. And some of these become known to threat actors because as soon as these patches come out, they reverse engineer them and exploits start popping up on the open, deep and dark web, on GitHub, on different repositories.
[00:07:08] And soon after that, we start seeing active exploitation. So many different ways that threat actors can use to actively target these applications. Eventually, they compromise these applications. But also it's not just about the CVEs or the remote command executions. I mentioned there is complexity on this technology, right?
[00:07:32] There are many building blocks that are all integrated together and communicating together to basically be able to operate an SAP application. Well, there are hundreds, if not thousands of configurations that affect all of these services. And many of these have security implications.
[00:07:55] So also as part of this threat, this fact that threat actors start to know more and more of SAP technology, they understand also configurations and the weaknesses and how to exploit them.
[00:08:09] So it's not just waiting for the vulnerabilities to pop up and the exploits to pop up, but also really actively abusing configurations that are not properly set on customers' implementations. And how do you think this shift towards cloud-based SAP deployments, has that influenced the strategies of attackers?
[00:08:31] And are there any specific vulnerabilities that are unique to cloud environments? Anything you're seeing here?
[00:08:37] Yeah, that's a great question. Because there is no question about this transition to the cloud, this big push to the cloud, SAP's all into providing all the mechanisms for customers to move to the cloud. And this move to the cloud has many different alternatives, right?
[00:08:59] We can talk about pure cloud software as a service on one end, and on the other end, we can talk about private clouds, infrastructure as a service where the technology is the same that these organizations used to run on premise, but now it's running on a cloud provider managed by themselves, by a third party, or even by SAP itself, depending on the flavor of support.
[00:09:28] But yeah, analyzing this move to the cloud, we see also that threat actors are more actively looking for these services, cloud services, web services that are potentially internet facing.
[00:09:43] And we see that also on this recently released threat intelligence that we did with Flashpoint, we exposed that, hey, there's been an over 200% increase on these conversations, these mentions of specific cloud and web services from SAP.
[00:10:04] Sorry. And this is also due to the fact that organizations are migrating to infrastructure as a service models, and they are also opening up more SAP services to the world. And that's one way threat actors have to compromise this. The other mechanism they use is, and that's been very recently mentioned all over the news is Info Stealers.
[00:10:33] These type of threats are basically capturing credentials from everything on thousands or even millions of endpoints all over the world. And that's being harvested and shared by different mechanisms.
[00:10:52] Eventually, if you get a hold of the output of Info Stealers, you will see that there are also thousands and thousands of credentials affecting SAP applications, cloud and on prem applications. So that's another mechanism threat actors use to target this.
[00:11:10] And it's important to understand that the cloud is a great mechanism to embrace innovation, to accelerate transformation, to really be able to provide more services, be more agile. But it's important to understand the responsibilities, it's a shared responsibility model, right?
[00:11:33] So the cloud is not going to do everything by us. We are still responsible for the data and the applications, so we need to make sure we understand those boundaries.
[00:11:44] And of course, the underground economy that surrounds SAP exploits seems to be growing at the same time too. Are you able to shed some light on how this market operates and also the rising prices for vulnerabilities like RCE?
[00:11:59] Yeah, absolutely. That was another shocking data point that we got from the research is back in 2020, the price for an SAP NetWeaver RCE was offered at 50k while at the beginning of 2024, the price went up all the way up to 250,000.
[00:12:27] So we see those prices increasing, basically because the value of compromising this type of technology also increases, right? So threat actors are putting more value on being able to compromise these applications because also these applications are not run by mom and pop shops, right?
[00:12:46] So the ability to break into an SAP application means the ability to break into a large enterprise, a critical sector organization, and we're talking about oil and gas, energy, pharma, even defense and government also.
[00:13:05] A lot of these organizations basically run on top of SAP applications. So that's why the price increases. And also, we have seen a lot of conversations in the open, deep and dark web of threat actors talking about specific SAP exploits, offering exploits for different reasons with different capabilities.
[00:13:32] So this increase in the price is not only because there's people willing to pay more for this, but also because there is more activity and more interest driven through conversations on the open, deep and dark web.
[00:13:49] And just to bring to life some of what we're talking about here, do you have a real world use case or study of a successful SAP attack and the kind of impact that it had on a targeted business and also lessons that can be learned from incidents like this?
[00:14:04] Yeah, absolutely. We have many. We call them horror stories because in the end, those are stories of how things go bad. I can mention a couple. I'll be brief. One of them that is recent is Elephant Beetle. It's a threat actor also called Elephant Beetle by the researchers that published the original research.
[00:14:34] It's a company from Sygnia, from Israel, a research company. But also it's called FIN13 by other threat intel providers. This actor was actively targeting organizations by exploiting well-known vulnerabilities, including SAP well-known vulnerabilities.
[00:14:53] Basically compromising the organization and staying stealthy and maintaining a low profile for, in some cases, years and performing fraud in the form of very small tickets, eventually with a low frequency but amounting to millions over the years.
[00:15:20] This has been the operations of FIN13. That's a known threat actor, as I mentioned. But there are other threat actors that actively target these applications like APT10, FIN7, Cobalt Strike and many other gangs that are known to actively target and exploit these applications.
[00:15:41] Other stories lie around custom code. For example, an organization that after assessing their code discovered that they had a report that was before the quarter close. It was sending the financial results to a Gmail account.
[00:16:00] When they discovered that and tracked that Gmail account, they realized it was an employee that no longer worked there but ensured that he was able to get an early look at the results of the company before they were published on the quarter end.
[00:16:18] That's another example on custom code. We have many. We could spend hours also talking about horror stories on SAP applications because they happen but you don't often hear about them because they don't often make the news. But threat actors know about it, they know how to target them and they are actively doing it.
[00:16:42] I suppose the question every business leader will be asking right now is how can their business be more proactive in protecting their SAP systems from these sophisticated attacks? Any best practices that you'd recommend for securing both on-premise and cloud-based SAP deployments?
[00:17:02] Yeah, whenever I get a similar question, the answer is the same. And I've been learning over the years to really make it more compelling, because we can get really technical talking about very specific recommendations on the different services, on the different areas of risk for SAP on the technology.
[00:17:30] But in the end, it all points down to being purposeful. So it has to come top-down as a directive of we want to secure our crown jewels. And once that happens, it's all about integrating SAP technology into the existing vulnerability management processes.
[00:17:54] So you understand what are the risks affecting your SAP and what are the vulnerabilities that you need to close. Also integrating SAP applications into your continuous monitoring or threat detection efforts, right? Integrating to the SIEM, your SOC, also making sure that whatever you build on top of SAP, customizations, and so on, you're not going to lose any of that.
[00:18:24] And this happens all the time for all organizations that need to adjust SAP standard to their processes. Well, when you do that, make sure that you're not introducing additional vulnerabilities. So the secure development lifecycle that you already have and is working very well on all your applications, okay, make sure SAP is incorporated into those initiatives.
[00:18:51] And also making sure that whenever you work with internal audit, work with your external auditors and introduce a lot of controls for security and compliance on SAP, that those controls can be automated, and that there is transparency on how that happens.
[00:19:13] And so all of that helps elevate the security levels of SAP applications and making sure that you, it all starts with making sure that your report was well-audited.
[00:19:28] And with your expertise in vulnerabilities research and computer forensics, I'm curious, are there any emerging threats that you foresee in this SAP security landscape over the months and years ahead? Anything that keeps you awake at night or anything you're seeing now?
[00:19:46] Well, the results of the threat intelligence report that we released, that's one of the things that definitely keeps me awake. And the part of this that keeps me awake at night is really, we have released this April 2024 because of the analysis that we did over the period of 2020 to 2023, end of 2020.
[00:20:16] But we also were able to see what Q1 or even a little bit beyond 2024 was in terms of the numbers, the trends. And what we saw was really, hey, this is not going down anytime soon.
[00:20:32] This is something that is increasing. And we see more activity, we see more mentions, we see threat actors talking, offering, discussing about vulnerabilities and exploits around SAP. So that's really 2024 is not trending any better than the previous year.
[00:20:56] So hopefully organizations understand that it's important to address this before bad things happen. And also, there are other threats that we are closely monitoring beyond exploitation of vulnerabilities.
[00:21:13] As I mentioned, info stealers is a big thing also affecting SAP applications as well. But there are many areas of risk and threats that are specifically targeting SAP applications, and it's important for organizations to really do something about it.
[00:21:34] And finally, for business leaders listening, maybe they're just starting to realize the importance of securing their SAP system. Maybe we delivered a few light bulb moments in our conversation today. Any advice on the kind of initial steps that they should be taking to build that more robust security posture so they can be more proactive than reactive?
[00:21:56] Yeah, understanding the landscape is, I would say, the very first step, right? Understanding where they are at in terms of how their SAP landscape looks, right? Most likely today it is completely different from what it was 10 years ago. Because now we have software as a service components, we have platform as a service with BTP and
[00:22:25] SAP RISE that all organizations are going after. We have private clouds, all of these integrated with our still operational on premise systems, all of these interconnected exchanging data. So do we know what are the security mechanisms that are in place for that? Well, most likely, the answer is no, if you're not being
[00:22:54] purposeful already. So the very first step is understanding the landscape, understanding what are the building blocks of your SAP landscape? How do they communicate? And what are the vulnerabilities potentially affecting this right? An assessment is a very first step that could help understanding if you're sitting on a ton of risk, or if this is something that you can do stage by stage or how to really address this.
[00:23:24] Well, thank you for joining me on the podcast again today. We've talked so much about where we are now where we're heading. But I'd love to find out a little bit more information about you and ask you to look back on your career because none of us are able to achieve any success without a little help along the way. So is there a particular person that you're grateful towards maybe helped you get you where you are that we can give a little shout out to today? Who would that be?
[00:23:47] I'm always really fascinated by the evolution and the leadership and mentorship that one of my partners has been giving me over the years. He's currently Onapsis CEO, but we both started doing pen test more than 15 years ago, right? Almost 20 years ago, going doing vulnerability research,
[00:24:17] like rolling up our sleeves and analyzing bits and bytes. And with him, and Victor also the other partner, but really, Mariano has been able to move from looking at the technology and looking at bits and bytes with a very, very sharp eye and really deep understanding all the way to understanding business and customers and
[00:24:46] organizations and the real needs behind our customers and what organizations really need. So being able to understand how to move from that view of the technology and the vulnerabilities all the way to really understanding what customers and organizations really need and helping them along the way is a huge leap.
[00:25:10] So my shout out is often given in that direction because he helped me also elevate my perspective on technology and grow that way. Find out more information about you and Onapsis to start a conversation. Where would you like to point everyone listening?
[00:26:10] Of course, we are on Twitter, LinkedIn, many other networks, but the Onapsis webpage I would say is probably the best place to start with.
[00:26:40] Thank you for coming on today, talking about exploiting SAP for profit. How hackers are targeting businesses and pulling the curtain back on how cyber criminals target SAP systems for profit. So thank you for shining a light on this today.
[00:26:54] Thank you, Neil. I'm looking forward to tapping again, hopefully not in two years.
[00:26:59] Always a pleasure to have JP on the podcast and talking about the vulnerabilities of SAP systems, but most importantly, the strategies that cyber criminals use to exploit them. And I think it's evident that the stakes are incredibly high. So we discussed today not just the methods of attack, though, but also the critical steps that companies can take to fortify their defenses.
[00:27:23] And what measure is your organization taking to protect your SAP systems? This is where I put the microphone in front of you. Are there any strategies that you're considering to enhance your cyber security framework? Is there something that you're doing that you'd like to share with the community?
[00:27:39] Please share your thoughts. Join the conversation by emailing me at techblogwriter@outlook.com or on Twitter, LinkedIn, Instagram at neilchughes. But that is it for today. I'm going to return again tomorrow with a completely different topic. Hopefully you'll join me again tomorrow. You are invited. But thank you for listening today and until next time, don't be a stranger.