The report shows a dramatic rise in cyberattacks on widely-used ERP applications such as SAP and Oracle – which currently have a combined 9,000 known security vulnerabilities.
It also highlights an increase in attacks on these systems by nation-state actors, cybercriminals and hacktivists. Included are both hacking and DDoS attempts to disrupt the operations of these high-value assets. This convergence of threats puts thousands of organizations directly at risk of espionage, sabotage and financial fraud.
Critical, but far from new
This research is so critical that the Department of Homeland Security’s US-CERT issued an alert warning of the risk of these ERP application attacks. Attacks of this nature were first warned about in May 2016. The alert described the exploitation of 36 global organizations through the abuse of a then five-year-old vulnerability in SAP applications.
These warnings have proven to be prescient with the new research revealing:
- Cybercriminal organizations exploit ERP applications, leveraging known vulnerabilities and targeting high-value assets such as SAP HANA. Over the last three years, there was a 100 percent increase in the number of publicly-available exploits for SAP and Oracle ERP applications.
- Well-known hacktivists and cybercriminal groups are expanding their tactics, techniques and procedures to now specifically target ERP applications.
- Well-known malware kits such as Dridex are being evolved to steal user credentials and data from behind-the-firewall ERP applications.
- Nation-state affiliated actors have compromised ERP applications in order to access highly-sensitive information and disrupt critical business processes.
- Third parties and employees are exposing information that can prove highly valuable to sophisticated actors. The research discovered 545 SAP configuration files publicly exposed on misconfigured FTP and SMB. These not only provide valuable information for attackers to locate sensitive files on organizations’ networks, but also greatly reduce the effort required once attackers gain access to an organization’s network.
Expanding the attack surface
Furthermore, cloud, mobile and digital transformations are rapidly expanding the ERP attack surface. More than 17,000 SAP and Oracle ERP applications are exposed on the internet, many running vulnerable versions and unprotected components. Cybercriminals are actively sharing information to take advantage of this opportunity.
The vast majority of large organizations have implemented ERP applications from vendors such as SAP and Oracle, relying on products like SAP Business Suite, S/4HANA and Oracle E-Business Suite/Financials. They rely on these applications to support business processes and host data.
Cybercriminals are evolving
Prior to this report, the ERP cybersecurity problem had remained largely ignored due to the lack of publicly-disclosed breaches and information about the threat actors. Many information security teams considered it to be a complex and obscure domain.
“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, it surprised us to find out just how real and severe the problem is,” said Rick Holland, CISO and VP of Strategy at Digital Shadows.
“This collaboration with Digital Shadows provides breadth and depth of threat intelligence,” said Juan Pablo Perez-Etchegoyen, CTO at Onapsis. “By showing how these applications are a target of a variety of threat actors across different geographies and industries, we hope to overcome the misconceptions in the industry and help CIOs, CISOs and their organizations head off and manage the risk of wide-scale attacks on ERP applications, which could have a devastating impact, as well as macroeconomic implications.”