Homeland Security warns businesses of Oracle and SAP ERP vulnerabilities

Oracle and SAP urge customers to apply patches to secure systems against hackers

Homeland Security has taken the step of issuing an alert to businesses using Oracle and SAP's ERP applications, warning that the software is at risk from hackers.

Firms in the UK, US and Germany are most at risk from the threat, said security firms Digital Shadows and Onapsis, both of which warned that state-sponsored actors and hacktivist groups are actively targeting the ERP applications to disrupt critical business operations and steal personal credentials.

The research focused exclusively on vulnerabilities found in systems developed by Oracle and SAP, the two largest ERP vendors collectively used by the vast majority of large businesses.

More than 200 SAP exploits and 2,500 Oracle exploits dating back over a decade are detailed in the 'ERP Applications Under Fire' report. One example the researchers highlighted was the use of several botnets of the Dridex malware, set up over 2017 and 2018, to allow cyber criminals to steal valid SAP user credentials and access companies' internal IT environments.

Oracle said it patched the listed vulnerabilities in July and October 2017, and both firms advised customers to apply updates to their systems as soon as possible.

"While some executives still consider 'behind-the-firewall' ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity," the report read.

"Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure."

Publicly-available exploits have also risen alongside a growing interest in historical vulnerabilities that can still be exploited today. The researchers identified criminal forums, dark web marketplaces and dedicated exploit sites as a handful of locations on which exploits are traded - with Twitter one of the main sites where exploits are mentioned.

The findings have led the US Computer Emergency Readiness Team (US-CERT) to issue an official warning - urging businesses to review the report and take measures to protect themselves against these vulnerabilities.

"The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products," an Oracle spokesperson told IT Pro. "Oracle is focused on security and continues to investigate means to make applying security patches as easy as possible for customers. Oracle recommends that customers remain on actively-supported versions and apply security updates as quickly as possible."

An SAP spokesperson added: "As the global leader in business software, we take security seriously and implement best practices in our security processes that include development, operations, tools and employee training. Confidentiality, integrity, availability and data privacy are core values for SAP.

"Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month to protect SAP infrastructure from attacks."

Although US businesses are most vulnerable - with 77% of Oracle's E-Business Suite (EBS) users and 17% of SAP users based there, according to the report - the UK is the most exposed nation in Europe for internet-facing EBS applications, while Germany has the most internet-facing SAP applications.

A spokesperson for the UK's National Cyber Security Centre (NCSC) told IT Pro it would not be issuing guidance at this time as the report highlights a trending vulnerability, as opposed to a specific vulnerability, and that the US-CERT guidance covers the issue adequately.

The spokesperson added: "The NCSC advises that all businesses protect their systems from threats by installing updates and patches as soon as they become available, to ensure that you are protected as soon as the vendor releases updates regardless of the specific vulnerability.

"We also recommend that you follow vendor guidance on securing ERP systems in particular."

A timeline of incidents within the report also illustrated the rise in hacktivists and cyber criminals exploiting ERP vulnerabilities, ranging from Sudoh@ck3rs' targeting of an internet-facing SAP portal in 2013 to cyber criminals exploiting WebLogic to use PeopleSoft to mine cryptocurrency.

In the wake of its findings, the report recommended that all businesses take steps to mitigate the risk of being targeted, saying: "ERP applications are clearly a target for cyber attackers and it is no longer an option to rely solely on identity management and segregation of duties controls, as they are ineffective to prevent or detect these evolved risks."

These measures include identifying ERP application layer vulnerabilities, monitoring for leaked ERP data and user credentials, as well as identifying and removing any dangerous interfaces and APIs between the different ERP applications in an organisation.

Picture: Bigstock
