ERP applications are under cyber attack, research confirms

ERP applications are increasingly being targeted by cyber criminals, hacktivists and nation-state actors, a report reveals

Cyber attackers are exploiting enterprise resource planning (ERP) applications and expanding their operations to target high-value assets, new threat research has confirmed.

The research by digital risk management firm Digital Shadows and ERP cyber security and compliance firm Onapsis reveals evidence that the business-critical applications running the world’s biggest organisations are under attack.

The report shows a dramatic rise in cyber attacks on widely used ERP applications such as SAP and Oracle, which currently have a combined total of 9,000 known security vulnerabilities, and also highlights an increase in attacks on these systems by nation-state actors, cyber criminals and hacktivists.

The attacks on ERP applications include compromise and distributed denial of service (DDoS) attacks aimed at disrupting business operations – a convergence of threats, the report said, which puts thousands of organisations and their crown jewels directly at risk of espionage, sabotage and financial fraud.

The report has prompted the US Computer Emergency Readiness Team (US-Cert) to issue an alert warning of the risk of these ERP application attacks. In May 2016, the US-Cert issued an alert advising of a significant threat that included the exploitation of 36 global organisations through the abuse of a then five-year-old vulnerability in SAP applications.

In July 2017, Neil MacDonald, distinguished analyst at Gartner, predicted that as financially motivated attackers turn their attention “up the stack” to the application layer, business applications such as ERP, CRM and human resources would become attractive targets.

“In many organisations, the ERP application is maintained by a completely separate team and security has not been a high priority. As a result, systems are often left unpatched for years in the name of operational availability,” he wrote.

The new research shows that cyber criminal organisations are actively exploiting ERP applications using known vulnerabilities and targeting high-value assets such as SAP Hana.

According to the research report, there has been a 100% increase in the number of publicly available exploits for SAP and Oracle ERP applications in the past three years and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.

Well-known hacktivists and cyber criminal groups are expanding their tactics, techniques and procedures to specifically target ERP applications, the report said, with hacktivist groups, such as those affiliated with the Anonymous collective, expanding their operations to include penetrating and disrupting mission-critical ERP platforms in more than nine operations.

In addition, well-known malware kits such as Dridex are being evolved to steal user credentials and data from behind-the-firewall ERP applications and nation-state affiliated actors have been linked to the compromise of ERP applications to access highly-sensitive information and/or disrupt critical business processes.

Third parties and employees are exposing information that can prove highly valuable to sophisticated actors, the report warns. Researchers discovered 545 SAP files publicly exposed due to misconfiguration, which provides valuable information for attackers to locate sensitive files on organisations’ networks.

Factors expanding the ERP attack surface

Cloud, mobile and digital transformations are also rapidly expanding the ERP attack surface, the report warns. Researchers found more than 17,000 SAP and Oracle ERP applications to be exposed on the internet, many running vulnerable versions and unprotected components and belonging to the world’s largest commercial and government organisations, with the highest levels of exposure in the UK, Germany and the US.

“Threat actors are well aware of this and are actively sharing information across the dark web and criminal forums to find and target these public applications,” the report said.

The vast majority of large organisations have implemented ERP applications from suppliers such as SAP and Oracle, the report said, relying on products like SAP Business Suite, SAP S/4Hana and Oracle E-Business Suite/Financials to support business processes.

These include payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics, billing and hosting data such as financial results, manufacturing formulas, pricing, critical intellectual property, credit cards and personally identifiable information (PII) from employees, customers and suppliers, among other sensitive information. 

Until now, the report said, the ERP cyber security problem has largely been ignored due to the lack of publicly disclosed breaches and information about the threat actors in what was considered by many information security teams to be a complex and obscure domain.

“Threat actors are continually evolving their tactics and targets to profit at the expense of organisations,” said Rick Holland, CISO and vice-president of strategy at Digital Shadows. “On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is.”

A breadth and depth of threat intelligence

Juan Pablo Perez, CTO of Onapsis, said the study provides a breadth and depth of threat intelligence that is unprecedented.

“By showing how these applications are being actively targeted by a variety of threat actors across different geographies and industries, we hope to overcome the misconceptions in the industry and help CIOs, CISOs and their organisations head off and manage the risk of wide-scale attacks on ERP applications – which could have a devastating impact, as well as macroeconomic implications.”

The report warns that while ERP applications are being actively targeted by a variety of cyber attackers across different geographies and industries, traditional ERP application security controls such as user identity management and segregation of duties are ineffective at preventing or detecting the observed techniques used by attackers.

“While some executives still consider ‘behind-the-firewall’ ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity,” the report said.

“Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and at public cloud environments, increasing the attack surface and exposure.”
