Feds Warn Cybercriminals Are Targeting SAP, Oracle ERP Applications

The U.S. Department of Homeland Security issued an alert Wednesday morning warning that cybercriminals are targeting SAP and Oracle’s enterprise resource planning (ERP) software.

The warning is based on new threat intelligence from the dark web revealing a dramatic rise in cyber attacks on ERP systems thanks to more than 9,000 known security vulnerabilities. For this reason, cybercriminals, nation-state actors and hacktivists are expanding their operations and campaigns to target these high-value assets, according to a threat report from vendors Digital Shadows and Onapsis.

Some 17,000 applications have been found to be exposed, the report said, with thousands of organizations across a multitude of verticals and countries directly at risk of espionage, sabotage and financial fraud.

[RELATED: CRN Exclusive: ERP Security Startup Onapsis Plans To Double Down On The Channel With $31 Million Round]

’Threat actors are continually evolving their tactics and targets to profit at the expense of organizations,’ Rick Holland, Digital Shadows’ CISO and VP of Strategy, said in a statement. ’On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe this problem is.’

Neither company immediately responded to a request for comment.

Bad actors have engaged both in hacking as well as distributed denial of service (DDoS) attempts to compromise and disrupt the operations of high-value ERP assets, according to the report. Today’s US-CERT (United States Computer Emergency Readiness Team) alert comes two years after the team warned about a significant threat associated with the abuse of an old vulnerability in SAP applications.

Specifically, Digital Shadows and Onapsis found that there’s been a 100 percent increase in the number of publicly-available exploits for SAP and Oracle ERP applications over the last three years, as well as a 160 percent jump in activity and interest around ERP-specific vulnerabilities from 2016 to 2017.

As a result, the report said bad actors have expanded their tactics, techniques and procedures to specifically target ERP applications. For instance, hacktivist groups such as those affiliated with Anonymous have targeted ERP platforms in more than nine operations since 2013 in hopes of penetrating and disrupting them.

For nation-states, meanwhile, compromising ERP applications offers the opportunity to access highly-sensitive information and disrupt critical business processes. In addition, well-known malware kits such as Dridex have been evolved to steal user credentials and data from ERP application sitting behind the firewall.

The research also discovered 545 SAP configuration files publicly exposed on misconfigured FTP and SMB. This makes it easier for attackers to locate sensitive files on an organization’s network, thereby reducing the effort required once bad actors gain access.

The ERP attack surface continues to expand, meanwhile, as cloud, mobile, and digital transformation efforts gain more traction, according to the threat report. More than 17,000 SAP and Oracle ERP applications were found to be exposed on the internet, many of which were running vulnerable versions or unprotected components.

And researchers have found that threat actors have been actively sharing information to take advantage of this opportunity.

The vast majority of large organizations rely on products like SAP Business Suite, SAP S/4HANA and Oracle E-Business Suite/Financials to support business processes such as payroll, treasury and inventory management. But prior to Wednesday’s report, cybersecurity issues associated with ERP had been largely ignored due to the lack of publicly-disclosed breaches and information about threat actors.

’By showing how these applications are being actively targeted by a variety of threat actors across different geographies and industries, we hope to overcome the misconceptions in the industry,’ Juan Pablo Perez-Etchegoyen, Onapsis CTO, said in a statement.