Dozens of companies breached through SAP bug patched years ago
L33tdawg: Interested in SAP security? You might like to attend this 2-day training at #HITB2016AMS
More than 36 organizations—some in the gas, telecommunications, and steel manufacturing industries—have been breached by attackers exploiting a vulnerability in older SAP business applications that gives them remote access to highly confidential data, the US government-sponsored CERT warned Wednesday.
The attacks were carried out over the past three years by attackers exploiting the "invoker servlet," which is a set of functions in SAP applications that allows users to run Java applications without use of a password or other authentication measure. Attackers outside the targeted organizations have abused the feature to gain access to sensitive data and possibly to take control over servers that process the data, according to researchers at security firm Onapsis.