“SAP systems are prime targets for attackers due to their critical role in managing core operations for large enterprises, storing sensitive data such as financial transactions, intellectual property, and personal information,” according to Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. “Developing an exploit that can decrypt secure storage and facilitate lateral movement within SAP systems indicates a high level of technical expertise and effort, thus justifying a high price.”
For example, ReliaQuest discovered an exploit targeting SAP systems that was being advertised on a prominent cybercriminal forum for nearly $25,000 (payable in Bitcoin) and initially listed in August 2020.
The exploit purportedly facilitates lateral movement within targeted systems. “The post claims the exploit can use SAP Secure Storage to uncover credentials, elevate privileges, and eventually compromise additional SAP systems beyond the initial target,” according to ReliaQuest.