Press release

Onapsis Open-Sources Detection Signatures to Help Global SAP Customers Protect Against New Critical Exploits Dubbed ‘10KBLAZE’

Sponsored by Businesswire

the global leader in business application cyber resilience, today
announced the immediate release of threat intelligence that helps SAP
customers to detect and respond to recently released exploits of common
critical SAP misconfigurations that, if not properly secured, can be
abused by hacktivists, cyber-criminal groups and nation-state threat
actors to take full command and control of their business-critical
information and processes. The
complete 10KBLAZE Threat Report and open-source signatures are available

Given the criticality of the risk posed by 10KBLAZE and insights from
its threat intelligence capabilities, Onapsis has decided to open-source
components of its Onapsis Security Platform and make intrusion detection
signatures immediately and freely available to all SAP customers.
Further, Onapsis has coordinated a global response with international
government authorities, global SAP service providers and leading cyber
threat detection and incident response firms to enable detection,
monitoring, and remediation of affected organizations globally.

Onapsis’ Research Labs became aware of the release of these new exploits
on April 23rd. The exploits can be leveraged to abuse a critical
configuration issue in SAP NetWeaver installations (including S4/HANA)
that, if not corrected as recommended by SAP, could lead to a full
system compromise by attackers, without even requiring a valid SAP user
ID and password.

“This risk to SAP customers can represent a weakness in affected
publicly-traded organizations that may result in material misstatements
of the company’s annual financial statements (Form 10-K),” said Larry
Harrington, former Chairman of the Board of the Institute of Internal
Auditors (IIA), “Further, a breach against these business-critical
applications would likely result in the need for disclosure given the
recent SEC’s Cybersecurity Disclosure Guidance.”

Based on publicly available information, Onapsis estimates that more
than 50,000 companies and a collective 1,000,000 SAP systems are
currently running the potentially-affected components. Onapsis’ research
gathered over 10 years calculates that nearly 90% of these systems
suffer from the misconfigurations for which these exploits are now
publicly available.

“SAP released relevant security notes and guidance to help customers
secure these critical configurations several years ago. The onus is on
service providers and customers to implement, enforce and monitor
tighter security controls on the systems. This can be very challenging
and take significant resources, but the stakes are simply too high not
to make the suggested configuration changes,” said Mariano Nunez, CEO
and Co-founder, Onapsis, Inc. “While Onapsis customers have had
protection against the 10KBLAZE exploits for more than 5 years, in the
face of such an increased risk, we feel it is our obligation to support
all SAP customers by making detection capabilities that help them
protect their business-critical applications open and freely available.”

Onapsis has released a comprehensive threat report with full details on
the 10KBLAZE exploits, including instructions for
monitoring, detecting and mitigating business exposure and application
vulnerabilities targeted by 10KBLAZE.

executive brief, the full threat report and open-source signatures can
be downloaded here

About Onapsis
Onapsis helps organizations to be cyber
resilient by protecting their business-critical applications, keeping
them compliant and safe from insider and outsider threats. Our patented
solutions are used to accelerate digital transformation initiatives –
including transitioning to the cloud – by providing actionable
intelligence, continuous monitoring and automated governance for ERP,
CRM, PLM, HCM, SCM, BI and Cloud-based business-critical applications.

As the proven market leader, global enterprises trust Onapsis to help
modernize and strengthen their SAP and Oracle E-Business Suite
applications, and to make sure security, IT, DevOps and compliance teams
are best prepared for the business needs of the future.

Headquartered in Boston, MA, and with global operations, Onapsis proudly
serves more than 300 of the world’s leading brands and organizations,
including many of the Global 2000. Through our unique strategic
alliances with leading consulting and audit firms such as Accenture,
Deloitte, IBM, Infosys, PwC and Verizon, Onapsis solutions have become
the de-facto standard in helping organizations protect what really

For more information, connect with us on TwitterGoogle+
or LinkedIn.