Security outfits Digital Shadows and Onapsis state in a new report that hacking activists and state-sponsored actors have been attempting to exploit Oracle and SAP platform flaws. The report states:
"ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries…Traditional controls of ERP application security such as user identity management and segregation of duties are ineffective to prevent or detect the observed TTPs used by attackers."
Neil MacDonald from Gartner added:
“As financially motivated attackers turn their attention ‘up the stack’ to the application layer, business applications such as ERP, CRM and human resources are attractive targets. In many organizations, the ERP application is maintained by a completely separate team and security has not been a high priority. As a result, systems are often left unpatched for years in the name of operational availability.”
The Department of Homeland Security has issued a statement recommending companies follow the findings in the report.
ERP apps now run in the cloud and are heavily relied upon by companies. This makes them a prime target for anyone looking for a way to sabotage a company or steal its data.
Public exploits for both SAP HANA and Oracle SAP have doubled in the last 12 months. Darkweb demand for login credentials that have been obtained nefariously has also increased – illustrating a growing market for such keys to the door.
Highlights from the report:
- 500 SAP configuration files were found on insecure file repos over the internet
- 17,000 SAP and Oracle ERP apps were found directly connected to the internet
- 100% increase of public exploits for SAP and Oracle ERP apps over the last three years
Cryptominers are also trying to get into these ERP systems. Last year, an exploit for WebLogic let hackers plant cryptomining code on cloud servers and generate approximately $226,000 worth of Monero. There is IRC chatter about the idea of using SAP servers to mine Monero.
How to minimise the risk of attack?
Both SAP and Oracle are advising admins to review all ERP apps, make sure patches are up to date, and check privilege configurations so that no user has a higher level of access than is needed. The research additionally recommends removing unused APIs and any login screens that are reachable from the general internet, to reduce the attack surface. Finally, continual monitoring for leaked ERP data and user credentials should be implemented.
"A vulnerable setting in one QA application server can result in a full compromise of the entire ERP platform."
If your organisation is running ERP applications in the cloud as IaaS, it is essential to realise that the hosting company is usually not responsible for the security controls on your ERP platform. Hyve, however, can offer monitoring and security suite services as part of our managed services offering.