A new joint research report prompted the Department of Homeland Security's US-CERT unit today to issue a security advisory warning organizations that attackers are increasingly exploiting vulnerabilities in Enterprise Resource Planning (ERP) software from companies like SAP and Oracle.
A press release issued in conjunction with the report warns that researchers have seen a 100 percent increase in publicly available exploits for SAP and Oracle ERP applications over the last three years, and a 160 percent increase in cybercriminal activity and interest in ERP vulnerabilities from 2016 to 2017.
Co-authored by Onapsis and Digital Shadows Ltd., the report (1, 2), explains that ERP solutions such as HR, CRM and supply chain management applications make excellent targets, as they support organizations' most critical business processes, and offer windows into organizations' most precious data, including payroll information and financials.
And yet, many companies struggle to keep their ERP systems properly secured and patched -- often because they lack solid intelligence on threat actors' tactics. (The report cited more than 4,000 security patches for SAP vulnerabilities and over 5,000 for Oracle.)
To back up its assertion, the researchers cited evidence of hacktivist actors, including members of Anonymous, targeting ERP platforms in more than nine operations since 2013, in at least some cases compromising or disrupting key business applications.
The report also notes that several botnets associated with the banking malware Dridex had their configuration files updated in 2017 and 2018 in order to target commonly implemented SAP client software and help attackers steal user credentials so they could gain access to sensitive data.
Due to substandard application-layer patching practices, most attacks continue to get away with exploiting known ERP vulnerabilities -- including some that were disclosed years ago -- rather than seek out zero-day bugs, the report continues. One dark web marketplace listed in the report, 0day[.]today, offered roughly 50 SAP exploits for SAP and 30 for the Oracle EBS technology stack.
The report also warns that connecting ERP solutions to the cloud only increases the attack surface. "We have identified more than 17,000 SAP and Oracle ERP applications directly connected to the internet, many belonging to the world's largest commercial and government organizations," the report states, noting particularly high levels of exposure in the U.S., which is home to 77 percent of the world's internet-exposed Oracle apps and 17 percent of the world's internet-exposed SAP apps (tops in both categories).
But internal ERP applications are not immune from attack either, especially due to unsound employee practices.. "We discovered over 500 SAP configuration files on insecure file repositories over the internet, as well as employees sharing ERP login credentials in public forums," the report states.
SAP provided the following comment to SC Media: "SAP stands for secure, reliable and trustworthy software solutions. As the global leader in business software, we take security seriously and implement best practices in our security processes that include development, operations, tools and employee training. Confidentiality, integrity, availability and data privacy are core values for SAP. Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month to protect SAP infrastructure from attacks."
Eric Maurice, director of security assurance at Oracle, also provided a statement: “Oracle issued security updates for the vulnerabilities listed in this report in July and in October of last year. The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products. Oracle is focused on security and continues to investigate means to make applying security patches as easy as possible for customers. Oracle recommends that customers remain on actively-supported versions and apply security updates as quickly as possible."