What SAP customers can learn from the LinkedIn Incident
It might appear somewhat ironic that I’m using LinkedIn to publish a blog article comparing the LinkedIn attack of 2012 with the current threat situation for SAP customers. Before we dive into the details: this article was inspired by Episode 86 of Darknet Diaries:
The LinkedIn Incident - Darknet Diaries EP86
You should check out the other episodes of the podcast “Darknet Diaries” by Jack Rhysider and his team.
As a LinkedIn member, there’s obviously no need for me to explain the purpose of LinkedIn. Let’s briefly touch on what SAP is, since this may be useful for some readers. SAP is a German software company based in Walldorf and the market leader in enterprise application software. Many global organizations use SAP products to run and control sensitive business processes and to store and maintain enterprise-critical data. SAP provides solutions for diverse industry sectors, addressing areas such as human resources, enterprise resource planning (ERP), customer relationship management (CRM), and several others.
LinkedIn Incident - the Background
A hacker identified a LinkedIn Engineer who works from home. This engineer used a remote VPN tunnel to access the corporate environment.
The attacker exploited vulnerabilities within the engineer’s private network; a personal web server owned by the engineer served as the entry gate. To sneak into the engineer’s LAN, the attacker exploited a vulnerability in that web server. Once in, the threat actor could scout for a way to reach the corporate network of the engineer’s employer, which happened to be LinkedIn.
The engineer's employer and position were publicly known, since the information was maintained - you guessed right - in his LinkedIn profile. After using a set of attack methods on the engineer’s local network that included keyloggers, brute force, port scanning, etc., the attacker found and infiltrated the PC that established the VPN connection. With that access, they could impersonate the engineer, gain access to the LinkedIn user database, and download millions of records.
The LinkedIn Database could be SAP
The LinkedIn example illustrates how threat actors can gain access to the home network of any employee whom they believe has access to the data they are looking for. The information needed to select the right target person can be found on public social media platforms such as LinkedIn. With the right account, they can gain access to the enterprise application software and carry out malicious activities inside it. Because those activities are recorded under the employee’s own account and buried beneath millions of log rows, it is almost impossible for the organization’s security teams to find them before any harm is done.
While the LinkedIn incident occurred in 2012, the situation has been heightened by the global pandemic. It is now more likely than ever that threat actors can find access via poorly secured private networks.
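The paragraph above makes the core detection problem concrete: the attacker’s actions are valid transactions under a legitimate account, so a filter on “bad” users finds nothing. What does work is comparing each account against its own history. The script below is an added example (mine, not code from the original article or from SecurityBridge) that runs three such per-user baseline checks over a handful of constructed log lines: a login from a source address the account has never used, activity outside office hours, and a read volume far above anything the account did before. The pipe-separated log format is an assumption for illustration; in a real SAP landscape the same logic would be fed from the Security Audit Log or similar sources.

```python
"""Per-user baseline anomaly detection over audit-style log lines.

Added example; the log format (timestamp|user|source_ip|action|rows) is a
constructed, simplified one and the sample lines are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: a normal account ("jdoe") that is later used from a
# new address, at night, for a bulk table export, plus an uneventful peer.
SAMPLE_LOG = """\
2012-06-01T09:02:11|jdoe|10.20.0.15|LOGIN|0
2012-06-01T09:05:40|jdoe|10.20.0.15|REPORT_RUN|120
2012-06-01T10:12:03|jdoe|10.20.0.15|REPORT_RUN|340
2012-06-02T09:10:00|jdoe|10.20.0.15|LOGIN|0
2012-06-02T11:30:22|jdoe|10.20.0.15|REPORT_RUN|260
2012-06-03T02:47:09|jdoe|10.20.0.77|LOGIN|0
2012-06-03T02:49:51|jdoe|10.20.0.77|TABLE_EXPORT|6500000
2012-06-01T08:55:00|asmith|10.20.0.31|LOGIN|0
2012-06-01T14:20:00|asmith|10.20.0.31|REPORT_RUN|90
"""

OFFICE_HOURS = range(7, 19)     # 07:00-18:59 counts as normal working time
MIN_BASELINE_EVENTS = 3         # do not judge "new source IP" until we know the user
BULK_FACTOR = 10                # rows must exceed 10x the user's previous maximum...
BULK_FLOOR = 100_000            # ...and this absolute floor, to avoid noise on tiny baselines


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    action: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format and return events in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, action, rows = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, src_ip, action, int(rows)))
    events.sort(key=lambda e: e.ts)
    return events


def detect_anomalies(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Evaluate each event against the baseline built from that user's earlier events."""
    seen_ips: dict[str, set[str]] = defaultdict(set)
    max_rows: dict[str, int] = defaultdict(int)
    count: dict[str, int] = defaultdict(int)
    alerts = []
    for e in events:
        reasons = []
        if count[e.user] >= MIN_BASELINE_EVENTS and e.src_ip not in seen_ips[e.user]:
            reasons.append(f"new source ip {e.src_ip}")
        if e.ts.hour not in OFFICE_HOURS:
            reasons.append(f"off-hours activity at {e.ts:%H:%M}")
        if e.rows >= BULK_FLOOR and e.rows > BULK_FACTOR * max_rows[e.user]:
            reasons.append(f"bulk data access: {e.rows} rows vs previous max {max_rows[e.user]}")
        if reasons:
            alerts.append((e, reasons))
        # Update the baseline only after judging the event, so an attacker's
        # first unusual action cannot "teach" the baseline before it is flagged.
        seen_ips[e.user].add(e.src_ip)
        max_rows[e.user] = max(max_rows[e.user], e.rows)
        count[e.user] += 1
    return alerts


def alerts_per_user(alerts: list[tuple[Event, list[str]]]) -> dict[str, int]:
    """Summarize how many flagged events each account has, for triage ordering."""
    summary: dict[str, int] = defaultdict(int)
    for e, _ in alerts:
        summary[e.user] += 1
    return dict(summary)


if __name__ == "__main__":
    for event, why in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.user:<8} {event.action:<13} {'; '.join(why)}")
```

The thresholds are deliberately conservative: the new-IP rule stays silent until the account has a few events of history, and the bulk rule requires both a large absolute volume and a large jump relative to the user’s own past. On the sample data only the two night-time events from the unfamiliar address are flagged, and the export is flagged twice over, which is the kind of stacked signal worth pulling out of a large log before anything else.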
How to protect your organization
A variety of measures exist that reduce the likelihood of a successful attack. Educating employees not to share sensitive information on social media platforms may be a good start. However, it is the very purpose of professional networking platforms such as LinkedIn to show and share such information. It may still be wise to check the privacy options and reduce visibility to connected persons only.
Individuals should receive training on how to be mindful about what they do and what information they share. In reality, however, organizations have little means and typically not the capacity to protect their employees' home networks. While professional VPN solutions isolate a device from the LAN once it is connected to the corporate network, this is no guarantee that the PC hasn’t already been infiltrated before the connection was established. Bring-your-own-device policies also increase the risk of a successful attack.
Enterprises need to focus on securing and surveilling the environments that they control. Monitoring, filtering, and segmenting the network according to criticality and purpose is a mandatory action. SAP systems should be placed in dedicated network segments separated from the client network segment. A next-generation firewall such as FortiGate provides additional protection: its Intrusion Prevention System (IPS) ships with attack-detection patterns specific to protecting SAP.
A further key element in securing sensitive data in SAP is a holistic cybersecurity program that covers hardening the application stack, monitoring security-relevant actions, and eliminating vulnerabilities in the standard program by installing patches. Additionally, custom SAP code needs to be scanned and its weaknesses eliminated. This might sound like a major challenge, but it can be significantly simplified with a dedicated cybersecurity platform for SAP such as SecurityBridge. If you want to learn more, please feel free to reach out to me, or visit SecurityBridge.com.
CEO at SecurityBridge
Not directly related but still somehow: LinkedIn impersonation scam. https://krebsonsecurity.com/2021/05/how-to-tell-a-job-offer-from-an-id-theft-trap/