Experts warn of massive internet scans for SAP systems affected by RECON Vulnerability

Hackers have been scanning the Internet for SAP systems affected by RECON vulnerability, researchers from Bad Packets warn.

Researchers from Bad Packets reported that threat actors have been scanning the Internet for SAP systems affected by RECON vulnerability, , tracked as  CVE-2020-6287.

Immediately after a researcher released a proof-of-concept (PoC) exploit for the RECON vulnerability, hackers started the scanning activity.

Quick and dirty (sorry i did it during lunch time) PoC for SAP RECON vulnerability (CVE-2020-6287, CVE-2020-6286).https://t.co/i2pImKwmEU— Dmitry Chastuhin (@_chipik) July 15, 2020Last week, SAP released security patches to address the RECON (Remotely Exploitable Code On NetWeaver) flaw, warning that it could be exploited by attackers to take over corporate servers.

The flaw was discovered by security firm Onapsis, according to the experts, the RECON vulnerability allows an attacker to create an SAP user account with maximum privileges on SAP applications exposed online, this means that he will take full control over the compromised SAP systems.

The RECON issue resides in the SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50, which is a core component in most SAP environments.

The component is used in several popular SAP products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP CRM, SAP Enterprise Portal, and SAP Solution Manager (SolMan).

RECON is caused by the lack of authentication in an SAP NetWeaver AS for Java web component.

Onapsis experts warned that 40,000 SAP customers could be impacted and estimated that there were at least 2,500 vulnerable systems exposed online.

The PoC exploit for the RECON flaw cannot be used to create an admin account, but exploits the flaw vulnerabilities to check if a SAP server is vulnerable to attacks and to download any ZIP archive from the vulnerable server.

Researchers from threat intelligence firm Bad Packets observed “mass scanning activity” that started since Wednesday, July 15, at around 6 PM UTC.

Mass scanning activity started around 2020-07-15T17:48:37Z. Query our API for “tags=CVE-2020-6287” for a full list of source IP addresses and relevant indicators. #threatintel https://t.co/Xclzar9QnM— Bad Packets (@bad_packets) July 16, 2020Unfortunately, it’s not possible to determine if the scans are conducted by security experts searching for vulnerable SAP installs of by bad actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to patch their internet-facing systems as soon as possible. If not possible, organizations could apply mitigations proposed by SAP to its customers

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Recon vulnerability)

The post Experts warn of massive internet scans for SAP systems affected by RECON Vulnerability appeared first on Security Affairs.