New Malware Threatens SAP E-Recruiting Systems

Feb 9, '21 by Joerg Schneider-Simon

Cyberattacks and malware threats are becoming more sophisticated by the day, including attacks that target SAP E-Recruiting systems.

In August 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) to warn businesses about a new type of malware.

It’s a remote-access Trojan virus that, once installed, gives hackers access to compromised computers. North Korean hackers use it to reportedly spy on officials who work in government contracting firms. CISA has given this malware the name “BLINDINGCAN.”


CISA and FBI are confident that state-sponsored North Korean hackers, collectively known as the Lazarus Group (also dubbed Hidden Cobra or Guardians of Peace), are behind the spread of BLINDINGCAN.

They believe that Hidden Cobra uses this malware to gain intelligence about vital energy and military technologies.


The FBI further maintains that actors from Hidden Cobra use variants of the malware in addition to proxy servers to remain present on victim networks and exploit these networks further.

The cyber attackers identify high-priority targets and research them extensively through professional and social networks. They then pretend to be recruiters, sending victims documents that appear to be job postings but contain malware.

An example of this comes from early in 2020, when alleged North Korean hackers targeted government contractors. This threat hosted its command and control (C2) infrastructure by utilizing various countries’ compromised infrastructure and distributed implants on their victim’s systems.

More on State-Sponsored North Korean Cyber Attack Campaigns

The world is no stranger to North Korea’s social engineering and employment scam strategies. State-sponsored North Korean hackers used a similar means of cyber espionage to attack Israel’s defense sector.

Israel’s Ministry of Foreign Affairs reported that the attackers created fake LinkedIn profiles. The hackers pretended to be CEOs, managers, leading HR officials, and Israeli representatives of multinational companies. They then got in touch with employees working in leading Israeli defense companies to develop discussions and tempt them away with bogus job opportunities.

The North Korean hackers attempted to compromise victim employees’ computers by infiltrating their networks and gathering sensitive information related to security. They further tried to use each businesses’ website to gain access to their security systems.

Upon infecting a victim’s computers with the virus, the attackers gathered intelligence about the relevant business’s day-to-day activity as well as its financial standing. Gathering fiscal information from different companies is likely an attempt to steal their money. Money theft and espionage combined are a signature North Korean attack strategy.

Another detailed report stated that North Korean attackers didn’t just use email to get in touch with their contacts but also used Skype to conduct face-to-face interviews online.

It’s rare for nation-state cyber-intelligence espionage units to initiate direct contact with their victims, aside from using phishing emails. However, Hidden Cobra uses this tactic liberally to ensure their attacks are successful.

Read more about government and SAP cybersecurity here.


The MAR released by CISA reveals cyber attackers remotely control the BLINDINGCAN malware using various companies’ compromised infrastructure. The malware allows them to:

  • Gain information about all the disks installed on the system, including their disk types and the free space on each disk
  • Create, begin, and end new processes and their primary threads
  • Gain information on the operating system version in use
  • Search for, write, read, execute, and move files
  • Gain access to directory or file timestamps, and modify them
  • Identify victim’s local IP address
  • Identify the compromised system’s media access control address
  • Change the present directory for a file or process
  • Permanently delete the malware and all its associated effects from the compromised system

How Malware Like BLINDINGCAN Threatens SAP Systems

Many organizations falsely believe their SAP E-Recruiting systems to be inherently secure. However, since SAP is such a huge system, it has its share of vulnerabilities.

SAP E-Recruiting systems are vulnerable to malware like BLINDINGCAN, since candidates typically are asked to upload files during the recruiting process.

SAP E-Recruiting systems are vulnerable to malware like BLINDINGCAN, since candidates typically are asked to upload files during the recruiting process.

And these vulnerabilities have only grown in breadth during the pandemic and the resultant increase in remote work, as the majority of hiring processes are now taking place online.

Unfortunately, some cybersecurity teams may not realize that even advanced anti-virus software can’t detect malware in these files, so cybercriminals can get through security boundaries and upload malicious content.

How to Protect Your SAP E-Recruiting System

CISA recommends various preventative measures that decrease the possibility of these attacks:

  • Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.
  • Apply missing security patches immediately and institutionalize security patching as part of a periodic process
  • Ensure secure configuration of your SAP landscape
  • Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
  • Analyze systems for malicious or excessive user authorizations.
  • Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
  • Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
  • Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
  • Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Out of this list, CISA “strongly recommends” applying critical patches as soon as possible. But fewer than 30% of organizations that use SAP systems apply patches immediately. Most apply them once every six months, and 13% never use patches at all.

You can keep your organization’s SAP system safe by signing up for bowbridge’s Secure Web Dispatcher, which enhances security and compliance for SAP applications by:

  • Shielding vulnerabilities in SAP Web applications
  • Automatically updating WAF rules and virtual patches
  • Enforcing Transport-Layer Security (encryption and authentication)
  • Supporting/bolstering PCI compliance

CISOs and SAP managers are facing enemies who possess plenty of motivation and plenty of resources. To fight back will require diligence, teamwork, and smart solutions to help mitigate vulnerabilities – before they’re exploited.

Can SAP E-Recruiting Expose Your Company to Risk?