
Security Unfiltered
Top SAP Security Threat Hunting Strategies Used by Elite Researchers
A curiosity-fueled career moves from Atari and BBS days to leading research on a live SAP zero-day, with candid lessons on people skills, breaking into security, and holding the line when pressure spikes. We unpack how a benign SAP endpoint became an RCE chain and what it takes to defend complex systems at scale.
• early path from Commodore 64 and BBS to IT and security
• contrast between the Wild West era and today’s tool-rich learning
• help desk as a foundation for people skills and pressure
• practical advice for students on coding, protocols, Wireshark
• hiring by attitude, approach and aptitude over tool checklists
• navigating WAF pushback and risk acceptance with dev teams
• Onapsis Research Labs and SAP’s threat landscape
• deep-dive on the SAP 31324 Java gadget chain RCE
• attacker interest, attribution signals, and factory impact
• offensive research versus traditional pen testing
• building culture that rewards questions and learning
Find us: onapsis.com → Research Labs. Search “Onapsis 2025 31324” for our zero-day article. SAP thanked us in their patch notes. Connect with Paul on LinkedIn to talk SAP security, offensive work, or careers.
SPEAKER_01:How's it going, Paul? It's great to get you on the podcast. I don't know how long we've been planning this thing, but like I'm glad to get you on now because I just looked at the rest of like my year's recording schedule and already like yeah, I'm done recording for like January and February. I'm not like touching those months.
SPEAKER_00:Well, thanks for having me, Joe, with you here so that we can have a chat. I'm looking forward to it.
SPEAKER_01:Yeah, yeah, absolutely. So, Paul, you know, why don't we start with how you got into, you know, IT or security overall, right? Like what was the thing in your past when you were starting out that kind of prompted you down this path, right? Because it's not necessarily a normal path, right? I mean, you're a professional looking at how to break things, you know, on a daily basis. Not everyone, you know, likes that, right? Not everyone is built out for that. So what do you think were some key points that kind of maybe drove you towards it?
SPEAKER_00:Yeah, that's a good question. So it was pretty much right as I started to become aware in life back when I was just a little kid. And I first got my hands on some of the original gaming consoles, like the Atari. But I think the pivotal moment was when I walked, when my parents were at one of the strip malls, and I noticed this Apple logo and had to walk in there. I just didn't know what it was about as a little kid. And we walked into the store and I just saw all these original Apple machines back at the time, and my jaw dropped, and I fell in love with this thing, and I had no idea what it was about. Eventually, I ended up with not an Apple, but a Commodore 64. And I started to learn about oh wow, there's this thing called BBS. Wow, I can actually connect over the phone. So I ended up getting my first modem. It was a 300-baud modem. And I started to find phone numbers to BBSs. I connected, I found I can run my own. I got my first BBS on a Commodore 64, and you needed a little dongle for the license key to plug it in. And it just kind of took hold, it cemented, right? When I was this like 10-year-old. And then from there, I just started to expand out. You know, eventually I taught myself how to program in BASIC. I started to go into Windows, and then I heard of this application or this software called McAfee. Like that was brand new at the time, and I was looking at files through hex and it just took hold, right? And the first software that was malicious at the time was very much interested in making sounds off of your machine, right? So you would run this application, and then all of a sudden there was a bug in the code or something that someone had put in there that caused your machine to make sounds or make music. And I thought that was fascinating. The fact that things can go bad. And how does that happen? How do you figure out how that happens and where do you find it? 
So that began, in essence, the seeds of the journey that led to a lifelong fascination and practice within information technology that led to cybersecurity. And I've been doing cybersecurity now in various domains in cybersecurity for the bulk of my career. Hmm.
SPEAKER_01:Yeah, it's like that unquenchable curiosity. You know, I feel like you probably like stumbled into it, you know, early on. Like my first experiences with computers was like trying to figure out how to get my computer to run like games on it, right? So I mean, me and my brother, real big into games. Well, my parents could only afford, you know, one console, right? So he's on the console. All right, now I gotta figure out how to play games with this thing, you know, and start diving into it like that. It's an interesting time. And like I haven't thought about that in you know forever, right? I never thought that that would like make me more inclined towards computers or anything like that. Because after a while, I actually kind of stepped away from it, and mostly because I had to like focus on graduating high school. Because like I went from, you know, being smart enough to pass everything without studying to taking like college prep classes, and it was like, I have to study. Well, I don't know how to study. Like, I gotta learn how to study now, you know, like all that stuff. So tinkering with computers kind of died off for me for a little bit.
SPEAKER_00:Yeah, for me, I would describe that period of time as something like the Matrix or something like the Wild West. You know, it wasn't known, it was unknown to pretty much the whole world. I mean, it was well before the internet took off. And I mean, it was just awesome. It was great to be in a space that was brand new and everything was a discovery.
SPEAKER_01:Yeah. Yeah, it's a stark contrast to today, where everything is kind of readily available. You know, like you said that you were starting to read, you know, applications in hex. Well, you know, if someone wanted to do that today, right, there's probably a YouTube, you know, basics hex 101 video on it, right? Like, and back then, you're probably having to like go to the library, find a book on hex, figure out what it is, go translate it to what you're seeing on the computer. It's a different level of like interest and enthusiasm you have to have, you know.
SPEAKER_00:100%. I think that one example of the difference between back then when I was getting into it, versus having a lot of different tools and technology and AI being able to bootstrap people, is like the definition or the view of the term hacker. You know, the term hacker back then was essentially what you're describing, right? It's that curiosity. It's going in and just kind of ripping things apart, trying to understand how things work. And that's a very different connotation today.
SPEAKER_01:Yeah. So when, you know, back then, when you started to like actually get into security, what did that look like? Because back then, you know, security wasn't a focus. It was like an afterthought. It was, you know, not really thought about much at all. So what did that look like for you? Did you kind of create your own path in security while being in another, you know, IT domain, like sysadmin or networking or something?
SPEAKER_00:Yeah, I mean, that's a good point. Back then, when I was running BBSs, I certainly came across hacked software, right? That was a big thing back then. But there was no focus from law enforcement, there was no focus from anybody, right? It just was relatively unknown. As I went into a career, so to speak, I came into it as a help desk person, right? Like that I would think like an average or traditional path for people wanting to get into IT, you step into like a service type role, right? Where you're helping people with your knowledge situations, right? They may have situations with their operating system, they may have situations with their username, password. So that was something that I got into. And I remember being in that role as a client liaison, I started to do other things, right? So I saw opportunities to educate. And so I created internal websites, I created educational material for my clients and made sure that they were empowered with the information that I had or information that my organization, Informatics, had that we can impart to our customers and internal customers and make them more efficient. But at that same time, I remember we had like one of the big worms hit and it just fascinated all of us. It was like, what is this? Right. I remember printing it out. I remember looking at it. I think it was Melissa, I'd have to double check, but that was back around 1998, 1999, somewhere around there. Had a big worm go around. And once that had happened, that was the pivotal moment for me, knowing that that was the direction I definitely wanted to take. Right. Like I enjoyed being in IT, I enjoy working with tech, and I enjoy working with people around tech. But when that worm hit, it was a jaw-dropping event. And so, yes, I was familiar with all the other things before, but I had not seen it impact in such a way like that worm did. 
And then all of a sudden, the junkie in me, the adrenaline junkie, the ambulance, I was an EMT. So, you know, I hesitate to say ambulance chaser when I used to actually be on an ambulance as an EMT and a firefighter at the same time. But it's that curiosity, it's that fascination of something was done with the intention to cause harm, right? And I don't want that. And I think that there's something I can do to help either prevent that or help to remediate against it, or help to detect it. And what does that look like? And so I just started to focus on that. And it wasn't easy to kind of get there because that was a different time, right? And we didn't necessarily have those types of professions or paths at the time, but I knew I wanted to focus on malicious applications, malicious use of applications, malicious use of features that were designed and not meant to be used in a way that they were used to seek some ulterior motive.
SPEAKER_01:Yeah, that's fascinating. You know, if you were to give someone, you know, maybe that's in college looking to graduate, right? Give someone advice of how they should get started in cybersecurity, what's the path that you would recommend that they start going down?
SPEAKER_00:I think the biggest help for me has been having knowledge and coding. That's been huge. And to your point, right, when you were talking about how do you study, how do you do those types of things, going through challenges that put you into that kind of space that help you to think, I hesitate to say, programmatically. I have a math degree. So going through that math program helped me to think in a way that I didn't think before, right? I had to do proofs, I had to do theorems. And so it forced me out of my comfort zone into a place that I had to work hard to try and understand. But fundamentally, that was critical, right? Because when you step into cybersecurity, especially in what we do, right, where we focus on vulnerability research and we focus on things like the zero day earlier this year that targeted SAP, that really requires out-of-the-box thinking, right? That requires you to be able to think in ways that are out of the box. And so that's one, right, is to understand code, I think is important. And two is to get yourself out of the comfort zone and to ask questions, the ability to ask questions and to understand what types of questions to ask, right? So that's kind of like the conceptual level, right? In terms of execution, I would say certainly having classes or experience in coding, having classes or experience with operating systems and network protocols is a big one because a lot of this stuff happens over HTTP or RFC. So understanding how to take a look at those protocols, understanding how to use something like Wireshark to be able to take a look at the PCAPs, to take a look at what's actually happening on the wire. Getting, if you're in college, signing up for those internships, right? Get into those internships where you have the opportunities. If you don't have an opportunity to work in cybersecurity, try to get something where you're working in IT, right? 
Because that's still getting you that exposure. And that's something that you can quantify on your resume. And that's something that you can build upon that gets you into those initial positions. The other side, too, that I encourage people is you may take a look at an entry-level position, right? And it may say, Oh, you need this kind of experience or that. I challenge you to apply for it anyway, especially if you have that passion and curiosity. Because I, for one, when I hire people, I look at the three A's. I take a look at the attitude, approach, and the aptitude, right? So you may not necessarily have the background, you may not necessarily have the experience, but if you show me that your approach is there, that your attitude is there, and that you have the aptitude to learn this stuff, you're in, right? Because I want people who are engaged, I want people who are passionate and who have that curiosity. Because when you bring that and you're part of a team that has that, great creative things can happen.
SPEAKER_01:Yeah. Yeah, no, that makes a lot of sense. I always, you know, I recommend that people start in help desk. And I think you kind of like describe that too, to a certain extent, right? And I just feel like the experience that you get on help desk, you know, when someone's angry calling you and you pick up the phone and they're yelling at you because you know something broke or whatever it might be, right? And every help desk is going to be different. But when you get that experience, you know, you're starting to be in an uncomfortable situation. You're getting used to being in a situation where maybe you don't know everything, you know, and you have to find out and you learn how to find out and all that sort of stuff. It pays dividends, you know, later on down the line in security when you're talking to a developer and they're very opposed to you deploying a WAF on their application, you know, that's public, right? Like they're very opposed to it because it breaks all this different functionality, and now they have to, you know, work with you to build it into the WAF to allow it and everything else like that. I mean, you know, I was deploying the AWS WAF at a company, a large automotive manufacturer, and you know, I got on a call with like 150 devs. It was like the only call because everyone was having you know alleged issues with the WAF that they didn't want to you know deploy it a certain way or they didn't want to like have a certain functionality with it or whatever it was. And so I get on this call, it's an hour-long call with 150 devs across the country, and they're just yelling at me, they're just berating me for an hour. And it's literally me and one other guy on the call that's a friendly. I mean, everyone's friendly at the end of the day, but I think you understand what I'm saying. 
Like, there's one other guy on the call that's not even on my team, but he's a security expert on another team, and we're just listening to everything, you know, and they were like trying to really like get around what they were asking for. They wanted me to put in a certain rule, like all of them were on the same page. All of them wanted me to put in a certain rule into the WAF. They didn't want to tell me what the rule was doing, and I'm like, guys, I'm a security person, right? I'm the most curious person like on this call. I promise you, I am more curious than anyone. I'm not putting in something that I don't understand what it is actually going to do 100% of the time, right? Like, this is a WAF, and that's a public application, you know. Like we're taking personal data with that, you know. And literally after an hour, I finally put it together and I just said to him, I was like, Oh, so are you trying to just bypass the WAF altogether with this rule? Because like that's what you were describing to me that you didn't want to point out or say or anything, you know, and they're like, Well, yeah, you know, that's effectively what it would do. I was like, Okay, well, that could have been a five-minute conversation or an email because I'm just gonna tell you no, and now I'm kind of mad because you wasted my time. It's like, come on, you know, what are we doing here?
SPEAKER_00:We all have those war stories, and I've come to, from time to time, right? Sometimes I start meetings now, when I'm anticipating something like that, by saying, hey, this is a blame-free working group session. Yeah, let's focus on walking away with action items.
SPEAKER_01:Yeah. Yeah, I remember before that call, I actually, you know, talked to my CISO and I said, Hey, look, I'm getting on a call with all these devs. They're probably gonna yell at me about something. You know, I'm sure you will hear about it during or after or whatever. But, you know, don't worry. Not gonna put the organization at risk. I'm not gonna say anything that's against, you know, what we're doing. He said, okay. And right after the call, he said he got a call from the lead dev asking, do we really have to follow what Joe is saying? And my CISO, without even dropping a beat, he goes, Whatever Joe said, you can assume I said it. Now, don't waste my time and don't waste Joe's time like that again. Like he didn't even ask what the conversation was about or anything. He's like, I don't care at this point. Like, if Joe had to go through that, you're not dealing that to me.
SPEAKER_00:You raise a great point. Having that curiosity is fantastic. I love working with people that share the same curiosity and the same passion. Yet, one of the pitfalls is what you're talking about, right? High level, fundamentally, our job comes with those challenges, right? Our job is not the most well received by the business.
SPEAKER_01:It's like hated. Because all that we do is cost money and we slow things down and we make it more difficult, you know? It's like a natural adversary to some extent, you know. And I've been in environments where, man, I've been in environments where like the security was so bad that I wouldn't put my own personal information in their systems, you know, like that's how bad it was. And I'm over here just recommending like best practices, just normal stuff. And I'm getting shot down and denied, and I'm like, all right, well, either we're gonna get breached, like, or I need to like run for the hills before we get breached. Like that sort of situation where it's just like, and then it's refreshing when you come across an environment that you know embraces security, that actually includes you in things and whatnot.
SPEAKER_00:I agree. I have some ideas that I've executed in those types of environments. I'm curious as to what you've done in additional environments, right? That you've had to deal with that. What have you done that has helped navigate that complexity?
SPEAKER_01:Yeah, so you know, typically what I'll do is I'll get on the call with the leads, you know, of whatever the product might be or whatever it might be, and I'll just explain to them, you know, why it's important. You know, like what, hey, you know, I got the scan over here. This is the vulnerability, this is what it's telling me that it's doing, right? And maybe we'll even test it out right there on the call because maybe I'm incorrect about something. Maybe there's a control that I don't know exists, you know, that they've already built in that handles it a different way, but the scanner still picks it up for some reason. If that's not the case, you know, then we start going down the path of, okay, well, how do we actually resolve it? What does your time look like? You know, like how does the next sprint look like for you? All that sort of stuff. And really overcommunicating, right? So I'll do that call, and then, you know, I like to hold people to what they're telling me. So I'm sending a follow-up email with potentially, you know, their manager or my manager on it. Like, hey, we had this call, we discussed this, we agreed on this, moving forward, it should be done by this date, right? And if it's not, if there's more pushback, you know, then it goes up a level, right? So it just continues to go up until someone either accepts the risk officially or it gets taken care of. And so that's what I have found that typically works. It's worked, you know, nine out of ten times, but that one time that it doesn't work, and I don't want to say the one time that this process doesn't work, it was related to a single environment, that just nothing worked because it was a culture problem. Yeah, they were more focused on delivering features rather than sacrificing any sort of functionality in any way.
SPEAKER_00:Yeah, for me, I had both an IT perspective when dealing with the risks that were called out, as well as the engineering perspective. So when I was the head of the SOC, we had to handle it from the perspective of, okay, here's the CVSS score, right? Here's how it's going to impact our systems, and here's the risk for us internally, right? So we need to prioritize this. We need to figure things out. And so to that end, it did involve a lot of what you're saying, especially the overcommunication and the transparency. But that's hard, right? It's hard to do from an IT perspective. When I was in engineering, when I was head of my engineering team, it was a different story, right? I didn't necessarily have to worry about it from that perspective. For me, it was more of a now I have the capacity to shift left in that whole engineering process, right? So shift it all the way left to where we're talking about it conceptually and working it into the architecture and into the designs so that we can start dealing with it right up front before it ever gets to the back end where the feature or the product is released, and then we're dealing with bugs, and then we're dealing with handling that afterwards. So, you know, it's interesting to deal with it from both perspectives. And I think it's good, to your point, to have as much diversity and perspective as possible because then it gives you the tool set to be able to communicate to various people and to try and understand their concerns and to make sure that you're voicing their concerns appropriately so that they understand you understand and that you're addressing it in a way that is amenable to them and it's amenable to the customers and it's amenable to the business, right? So sometimes in our position, we have to kind of juggle that relationship too.
SPEAKER_01:Yeah, I feel like that's a part that's often missed, you know, in security, where we're more focused on telling someone no rather than hearing their reason behind it and, you know, understanding where they're coming from. Sorry, I'm like still getting over a cold that my kids gave me last week. It's very frustrating for me. It's like, and they're both home at the same time, sick with the exact same thing. It's like, oh my gosh. I've been lucky. My kids have been sick, but I've gotten nothing. Man. Yeah, well, my kids, you know, they're little, right? So two and a half and six months old. And so my kids, when they get sick, all that they want to do is sit on my lap. So it's like inevitable that I'm going to get sick as well. It's just come on.
SPEAKER_00:Yeah. Definitely been down that road. And I was walking past one of my kids the other day and he coughed right into my eye. Yeah.
unknown:Jeez.
SPEAKER_01:Kids, man. It's the joys of having kids, you know? I love being dad. Best job on the planet. Yeah, for sure. It's absolutely my most favorite thing. If I could stop everything else and just be a dad, that'd be amazing. But I didn't marry a lawyer, so you know, can't do that. Well, you know, Paul, like I wish I would have met you earlier on in my career when I was trying to get into, you know, cybersecurity. Because I'll tell you, it took me two and a half years to actually get into cybersecurity, and I was trying everything. You know, I was on the help desk and I was forcing my way into doing vulnerability management for the company that I was at without having a security title. And I was getting certifications at the time, I was working on my master's at the time. I was applying to everything that said security analyst in the title, like any low-level title. You know, I had hundreds of applications over two and a half years. And it took me that long because not many people were willing to take a quote unquote risk on me when I didn't have experience with Splunk or I didn't have experience, you know, with Carbon Black or whatever you know the tool was in their environment. I'm just sitting here like, you know, I don't know how else I can prove to you that I'm ready to learn when I literally just don't have $10,000 laying around to pay for a Splunk license to deploy it in our environment for 30 days, you know, to learn it, right? Like, and how much am I really gonna learn if I do that, right? That was the most frustrating part for me. And, you know, I eventually ran into a manager that had your same mentality where it was like, hey, he doesn't have to have all of the you know hands-on skills and experience. Like, we can teach that, but what we can't teach is the personality, the drive, you know, all those other intangibles that people need to actually be successful. 
To like, you know, hey, when I give you this project, I need you to figure out how to do it. You know, like that manager gave me a project and I went and learned PowerShell with it. It was like, oh, this is the easiest way to do it. Yeah, I need to learn PowerShell, you know, spent a couple weeks doing it, right? Like, but you know, I still figured it out. And that's not what a lot of people would do. You know, they wouldn't learn a whole like scripting language just to achieve some, you know, fairly low-level project, right? But yeah, I don't know where I was going with that, but I feel like it would have been really beneficial to meet you early on.
SPEAKER_00:I feel like you've just given me a light bulb moment for the first time concerning this. Because I don't get a lot of that, right? So with what you just told me, it kind of makes me go back to what we were talking about with how I started out, right? And there was this, I knew nothing, right? Anyone at that time knew nothing. I mean, it was literally we're all learning everything at the same time. And you had to be curious, you had to have that drive. And so I wonder if that is a prerequisite as a hiring person, right, that understands that aptitude is so important, right? And your attitude and those three A's. They're so important to me. I've hired interns. I love having interns. I love exposing them to what we do. I love hiring interns. I don't look for unicorns because I know that I can bring people on who have those three things and they grow up their skills in the environment in which I hired them into. Right. So they become part of the team, they understand that it's safe to ask questions and there's no negativity. We celebrate not only the wins, we celebrate the quote unquote failures. I don't like using that word failure, but I'm gonna use that here. I tend to refer to failures as opportunities, right? It's the whole mentality of proof of concepts, right? So you have the theory, you go ahead and test the theory. It's like a scientist, it's being a scientist, right? You have a theory, you test your theory, it didn't work, great, success. Check, we've checked that theory, it doesn't work, let's move on to the next theory, right? So that's to me the definition of a failure. We went through, tested out a theory. Let's take a look at how we tested it, it didn't work, great. If it did work, we continue on with it, right? So I do believe in giving anybody and everybody opportunity so long as they have the attitude, the aptitude and the approach. 
You know, if their approach is they're going to interrupt people, right? If their approach is they don't like to repeat themselves. I like to hire people and have a team where it's okay to ask questions. It's okay to repeat yourself, right? Because we have very diverse teams. At times, not everyone speaks the same language. And even when someone speaks the same language, they interpret it differently, right? What you intend to say might not land the way that it was intended. So it's important to be in an environment where you can go ahead and repeat yourself, where you can rephrase something so that everyone has an understanding and you drive alignment and calibration, and that allows a team to be able to drive towards its goals.
SPEAKER_01:Yeah. I mean, what you're describing there is like people skills. You know, people skills really, I said this maybe last episode or a couple episodes ago, but it's a pretty common theme where, you know, as the market becomes more saturated with more and more, you know, professionals on the marketplace, right? There's fewer roles in some instances for these positions, right? You have to find a way to stand out. And how do you best, you know, stand out when you may have the same certification as someone else, you may have the same experience, you may have the same years of experience. The thing that'll help you stand out is the people skills at the end of the day, right? I mean, this podcast helps me in so many other ways, other than any sort of money that it brings in, which is basically nothing. It helps me, you know, talk to people, helps me show people skills, helps me almost interview without interviewing, right? Which is hugely beneficial and it is something that I never ever expected when I started. You know, like it's just like an added benefit. I just wanted to talk to cool people about interesting things, and that was it, right? But you know, people skills are probably like the easiest way to set yourself apart because I would rather take someone that knows less or knows very little on a topic, you know, let's say vulnerability management, that can talk really well, that can go and then interact with, you know, the dev team or the engineering team or the infrastructure team and say, like, hey, can we just get this done? And before that call, I'm coaching them up, like, hey, this is why this is important, this is what this means, all that sort of stuff, right? Like, I feel like that's someone that is easier to coach up and train and get them into the right position, you know, for them to be successful.
SPEAKER_00:I'll give you an example with myself for the position that I'm in at Onapsis, right? Director of research. For me, prior to Onapsis, I had lived in the world outside of SAP, right? So I had lived in threat intelligence, counterintelligence, doing security operations, doing engineering for threat intelligence, putting it out as a product. So when I saw this position a couple of years ago, it captured my eye. You know, I'm looking at the job description, I'm looking at the details. It's this vulnerability research with SAP, which I'm like, this is fascinating. Up until then, I had used SAP as a consumer within a business, right? And so before I had spoken to anybody, I had put my researcher hat on, my curiosity hat on, which is pretty much who I am. And I just started to take a look at Onapsis. Okay, let's see what the Onapsis Research Labs is about. Let's see what these vulnerabilities are, let's see what the threat reports are. So I started to take a look and analyze and learn and educate myself. And then I started talking to the recruiter, and then I started talking to the chief product officer and the chief technology officer, and I'm asking them all those questions. One of the pieces of feedback that I got from the head recruiter at the time was that I was one of the few, if not the only one, that took the time to actually research, right? So social skills, absolutely important. So is actually researching and being informed when you're talking to the people at the company when you're interviewing, right? So it's not just, yeah, I want a job, right? It's hey, all this interesting stuff that you're doing, I love it. And I want to do more. I want to be part of the solution. And when I saw what Onapsis was doing and the impact that they had working with SAP to secure customers worldwide against threats, and I saw what SAP actually was, it blew my mind.
It brought me back to that time period in my youth, which was wow, this feels like it's the Matrix, right? It's the world underneath the covers kind of thing. And frankly, with all my peers, none of us were really aware of the ERP space, right? For SAP, it's something like the Basis team took care of, right? And that was also part of what worked for me. I approached it from the perspective of I'm not a candidate talking to a recruiter or to the hiring manager. I am having a professional discussion, a professional talk, like we are, right? So it was a chat like that, where we're talking about my experience, they're talking about their experience, the challenges, all that stuff, and creating a connection. So I think that that's part of a secret sauce that can work too. Now, I will caution, right, that as much as those aspects can help find candidates that you might want to hire, it's also something that a candidate can use when they're interviewing to determine if that's a place where they want to be. So I use those things for myself as a candidate to make that determination. So I've hired people here at Onapsis, but in coming to join Onapsis, I used that. And I gotta tell you, Onapsis is quite special. I'm happy I'm here. And like you're saying, you wish we met a few years ago, which I agree. It would have been great if we met a few years ago. I wish I had learned of Onapsis years ago and had gotten on sooner.
SPEAKER_01:Hmm. So talk to me about Onapsis and the zero days that you guys found in SAP. Maybe even when you're done telling me about Onapsis, tell me what SAP is if someone doesn't, you know, already know and they're listening to the podcast.
SPEAKER_00:Yeah. So Onapsis has the Onapsis Research Labs. And essentially that's how Onapsis had started. It started with the three founders, where they were in engagements and they were pen testing, right? They're going out there and they're in environments and they're doing pen testing and they came across SAP 14, 15 years ago, and then they were like, wow, what is this? There's bugs. So fast forward to today. Well, first, I think we're pretty fortunate to have founders who are still with the company that have that research mentality, right? It's great to be in that kind of position. It brings joy to me to be able to do what we do and have that support from the leadership. Earlier this year, through our SAP Threat Intel Network, we captured some activity, right? And when we started to analyze that activity, we realized what had happened that ultimately led to the patch that SAP released for the zero day, which was the 2025 31324. That zero day, fascinating, very advanced. Someone had to have known the intricacies and the sophistication to be able to craft together this Java chain and be able to put the payload into that sink in the gadget chain that would ultimately lead to remote code execution. So that's what we started to see. When we took a look in our network, we started to see that activity at the beginning of the year, starting in January. And then we started to see back in March the exploration of remote code execution using the zero day. And then in April, SAP issued the patch. And then after that, we started to see a lot more use of these web shells. So we captured that activity, we captured those exploits, those attacks. And it was my team that spun up; we spent a lot of time looking at those attacks. We were ripping apart the PCAPs, we're doing all the work that we needed to do to deconstruct and to understand what was going on.
And then we're partnering closely with SAP product security to make sure that we were passing on the intelligence and the information to them that they can use, that can continue to be rolled out as patches, as notes to all of SAP customers globally. So we've been on that all year. I'm still amazed, right? We've been telling customers for a long time, just Onapsis overall, SAP is a target. We issued some reports a couple of years ago when we partnered with Flashpoint that now SAP was being talked about in the underground. It was being actively talked about across the whole spectrum of miscreants, from people that don't have the knowledge, that don't have the capacity. They're using tools, right? We refer to them as script kiddies, all the way up to APTs, government-sponsored groups, so on and so forth, right? We saw that there was now interest in ERP. And then here's the zero day. And sadly, a lot of companies have gotten compromised by the zero day, and even more now because of the release of the POC by Shiny Hunters. As to SAP, I believe they are the largest software company in Europe, I think the third largest in the world. They've been around for a very long time. They create this product, this suite of products that are wrapped under the name SAP. And so they are enterprise resource planning applications. And there's a whole bunch of those applications. They're targeting sectors like oil, they're targeting other types of sectors like pharmaceuticals, some specific applications, applications within the environment for automotive, for instance, manufacturing, for hiring, for financials, for compliance. There's a whole suite of tools and capabilities that companies have in order to make sure that their businesses are running and that they stay compliant with regulations. But it is complex. And so that information, we refer to it as the crown jewels.
So a company's crown jewels are typically stored within an ERP system like SAP. And that's what we do at Onapsis. We have our own application called the Onapsis Platform that customers can purchase and they can go ahead and roll out in their environment to assess their environment, to defend their environment, and to do code audits of their code that gets pushed out to SAP. But we also have my team in the Onapsis Research Labs where we actively work on finding vulnerabilities within SAP. We partner with SAP, we report them to SAP. So next week is Patch Tuesday. SAP will go ahead and release its patches. You'll see some patches from us, usually month to month. But on top of that, like I said, we have our intelligence sensor network. And from that, we actively monitor the ongoing attacks against SAP. We work to understand what's happening, sort of like a weather report, right? Day to day, week by week, month by month. And certainly this year has been, I think, the biggest eye-opener for a lot of companies worldwide. Because SAP really wasn't targeted before like it is now. I would consider this to be the point of no return, right? All the criminals, all the malicious actors are aware that SAP is important to companies and that if it gets taken offline, you can shut down a business, as we're seeing now with some businesses out there. Their manufacturing is shut down. Huh.
SPEAKER_01:I didn't even realize that there were active SAP threats going on in environments that were shutting down factories. So were you able to do any attack attribution to, you know, this exploit? Do you know potentially where it came from or who put it together?
SPEAKER_00:Now I've got a slide with some information. For the zero day, we suspect that there was involvement from Russia or China. We don't know exactly who, but we suspect it's out of there. What we do know is once the web shell started to get deployed, that it was being used by Chinese actors. And now with Shiny Hunters releasing the POC, I mean the exploit's now public, right? Anyone can go ahead and use the exploit and activate it. So yeah, unfortunately, it went from very private hands to now it's very public. There are a lot of other groups that are targeting SAP. I'm pulling up a slide here because I don't remember all of them off the top of my head, but we've got like FIN7, FIN13, Cobalt Spider, Queen Lin, you know, Shiny Hunters, Scattered Spider, Lapsus, APT41, Earth Lamia, APT10, UNC5221, and the list goes on. Yeah.
SPEAKER_01:So you said that it was a remote code execution on the SAP system. But can we just talk through what it was actually doing in the system? Because you know, like you alluded that it's pretty complex, right? It required a lot of effort to put it together because they would have had to know, you know, a lot of inner workings of this system for them to be able to put this together. So what is it actually doing and what are some of those inner workings that they would have to understand, to kind of like put it into context, you know, for people.
SPEAKER_00:Yeah. So let's talk about the initial zero day, right? We talk about WAFs, we talk about putting in filters into the web application firewall to be able to stop things, right? You usually go ahead and look for cross-site scripting, you look for those types of things, right? You can refer to the OWASP Top 10. But in this particular case, it was a straight HTTP attack against an endpoint, the metadata uploader, which is a totally legit application within SAP. But the payload involved this gadget chain, right? So it's a series of Java classes that were constructed together and it was passed serialized over to the endpoint metadata uploader, where at one point it's getting deserialized. And once it gets deserialized, within that sink of the gadget chain is the actual payload that was malicious. So for the RCE, the remote code execution, we would see execution. Remote code execution doesn't necessarily mean a web shell is being dropped, right? A remote code execution can go ahead and execute a command right on the command line, for instance, and there might not be a file that's left behind. Okay. So it might run a command on there, it might run something like whoami. It might run some other type of command where you might want to run curl, for instance, to download a file or do something else that's malicious. But that's the idea of this. And actually, those are the things that we started to see at the beginning of the year before the web shells were being dropped. So we were seeing evidence of these attacks coming through this HTTP endpoint, the metadata uploader, where the chain was being deserialized and executed and some sort of remote code execution was being run. Now, how do you stop that through a web application firewall? Right. Yeah. Because it looks like a legitimate request.
SPEAKER_01:Yeah.
unknown:Huh.
SPEAKER_01:Yeah, it's really fascinating. I keep telling myself though, like once I'm done with my PhD, I'm just gonna like go be a security researcher somewhere. Like, because I find it so fascinating. Yeah, like it's so fascinating, and I want to go more offensive threat intel side. That's like the area, that's probably the one area that I haven't necessarily touched, but I think I would be really good at it. So that's just, yeah. Offensive in terms of like pen testing and those types of things? I wouldn't say necessarily pen testing. And don't get me wrong, I want to get my OSCP and the OSCE, more out of my own extreme curiosity and need to not be comfortable, I guess. I want to get those, but you know, the security researcher side overall, I feel like, pulls a lot from pen testing to some degree, right? And so I feel like that's a good like foundational skill for that side.
SPEAKER_00:Our pen testing is different than the traditional pen testing, right? We're not coming in and testing perimeters, we're not testing firewalls. We focus on coming into an environment and testing SAP. So we do black box testing for customers. And I love being able to do that because it challenges customer perceptions, right? So they may think that they have a level of security, and then we come in and we show that that's not the case. So our researchers not only work with SAP and understand what the vulnerabilities are, and then we work. So when I say work with SAP, we have SAP applications, right, that we test, that we work with. And then once we find those vulnerabilities, we go ahead and report them. But we also go into environments where we test actual SAP installations at customer premises. And that's not only a way for us to help them understand their environment and help them to gain additional security, but it's also a path for us to understand how SAP is being used that gives us insight to further our own research. So offensive security to me also means, from prior experiences, where I set up and ran counterintelligence operations where I engaged threat actors. So I did this at the various. If you looked at my LinkedIn profile, you can kind of get an understanding of where that might have happened. But yeah, I mean, I've been involved in engaging threat actors and getting them arrested, working with law enforcement and working through legal channels to do botnet takedowns, to get threat actors arrested. I had a case where I investigated one of the biggest spam attacks at one company that I was at and identified who the threat actors were, passed that information over to law enforcement. We identified that that person was landing in a country that was kind of like a partner to the United States. So once that person landed, we were able to get that person arrested. Nice.
SPEAKER_01:Wow. Well, Paul, you know, we're definitely at the top of our time, unfortunately, but I definitely want to bring you back on and talk about some of that other stuff, you know, that you were doing. It's some pretty cool, interesting stuff. You know, I think you might have some good stories to talk about. But I really appreciate you coming on and taking the time.
SPEAKER_00:Absolutely. My pleasure. I mean, it sounds like we can have a lot to discuss, whether it's all that other stuff or whether it's advice for people trying to get in. I would love to be able to join back on.
SPEAKER_01:Yeah. Yeah, absolutely. Well, we'll definitely figure it out. But before I let you go, how about you tell my audience where they could find you if they wanted to connect with you and where they could find Onapsis if they wanted to learn more about your company and your solution?
SPEAKER_00:Absolutely. So for my company, you can go to onapsis.com and at onapsis.com, you can look at the navigation. You can find us under the Onapsis Research Labs. There's information in there that we put up. We put up blog posts, we put up threat reports, we have webinars. We've had a lot of webinars and reports about 31324. So if you actually do a Google search for Onapsis 2025 31324, you'll see our main go-to article over this zero day. SAP has actually thanked us in their patch month release notes for working with them intimately about this zero day. So 31324 has been a fantastic journey. For me personally, you can probably reach out to me on LinkedIn. So if you do a search, you'll see me on LinkedIn. Feel free to send me an invite. I'd be more than willing to connect with you no matter what topic you want to discuss, whether it's SAP security, whether it's offensive security, whether it's security or IT or how to get into this, I'm more than willing to help out.
SPEAKER_01:Awesome. Well, thanks everyone. I hope you enjoyed this episode.