Hackers have stolen $10 million from SAP and its business-critical applications, a security researcher has found.
In a new blog post published Friday, Daniele Zagaria, a senior researcher at security firm Symantec, said that the attackers managed to take advantage of a vulnerability in SAP’s security software called Intercom that let them gain remote access to SAP servers.
The attackers could also have accessed SAP’s database through a flaw in its remote access management software.
Zagaria says that Intercom has been in use since 1995, and that the flaws are not being patched, but that SAP has been working on fixing them. SAP said it is aware of the issue and has updated its web portal to include a “secure login” button.
“We are actively working to resolve this issue as soon as possible,” the company said in a statement.
Security firm Symantec said in its report that it is also aware of an issue in SAP that allows attackers to access SAP’s business-management software through a vulnerability that the firm has called “a vulnerability in the database authentication service”.
“This could be used to steal the password for a SAP employee,” the firm said. “SAP is actively working on improving its security, but this vulnerability should help make that a little easier.”
The breach comes at a time when SAP is under fire for its use of the SAP Application Security Suite, which is designed to protect SAP’s products. SAP has been forced to defend itself against attacks because of the vulnerabilities, which were discovered by a security firm called Proofpoint in April and are being investigated by SAP.
However, SAP’s chief executive, Michael Sivak, told a parliamentary hearing last month that he was not aware of any vulnerabilities in SAP products or in the application software itself.
SAP has defended itself against the attacks and has said that it will address the problems in its own application.
“We have fixed some of the issues in SAP, but there are still a lot of things that need to be fixed,” Zagaria told Reuters.
SAP has said it plans to deploy the latest version of Intercom in October, which will allow SAP’s users to remotely log into SAP servers and other SAP services.