ERP applications under attack: How criminals target the crown jewels

Business-critical applications running the biggest organizations in the world are under attack, according to research from Digital Shadows and Onapsis. The report shows a rise in cyberattacks on widely-used enterprise resource planning (ERP) applications such as SAP and Oracle — which currently have a combined 9,000 known security vulnerabilities.

The report also highlights an increase in attacks on these systems by nation-state actors, cybercriminals and hacktivists that include both hacking and DDoS attempts to compromise and disrupt the operations of these high-value assets. This convergence of threats puts thousands of organizations and their crown jewels directly at risk of espionage, sabotage and financial fraud.

US-CERT issued an alert warning of the risk of these ERP application attacks. It first warned of attacks of this nature in May 2016, in an alert advising of a significant threat that included the exploitation of 36 global organizations through the abuse of a then five-year-old vulnerability in SAP applications.

New research findings

Cybercriminal organizations are exploiting ERP applications, leveraging known vulnerabilities and targeting high-value assets such as SAP HANA:

  • A 100 percent increase in the number of publicly-available exploits for SAP and Oracle ERP applications over the last three years
  • A 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.

Well-known hacktivists and cyber criminal groups are expanding their tactics, techniques and procedures (TTPs) to now specifically target ERP applications:

  • Hacktivist groups, such as those affiliated with the Anonymous collective, have expanded their operations to include penetrating and disrupting mission-critical ERP platforms, having targeted these platforms in over nine operations since 2013
  • Well-known malware kits such as Dridex are being evolved to steal user credentials and data from behind-the-firewall ERP applications
  • Compromises of ERP applications have been attributed to nation-state affiliated actors seeking to access highly-sensitive information and/or disrupt critical business processes.

Third parties and employees are exposing information that can prove highly valuable to sophisticated actors. The research discovered 545 SAP configuration files publicly exposed on misconfigured FTP and SMB services. These files help attackers locate sensitive files on an organization’s network, greatly reducing the effort required once they gain access to it.

Expanding the ERP attack surface

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface. More than 17,000 SAP and Oracle ERP applications were found to be exposed on the internet, many running vulnerable versions and unprotected components, and threat actors are actively sharing information to take advantage of this opportunity.

The vast majority of large organizations have implemented ERP applications from vendors such as SAP and Oracle, relying on products like SAP Business Suite, SAP S/4HANA and Oracle E-Business Suite/Financials. They rely on these applications to support business processes such as payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics and billing, and to host data such as financial results, manufacturing formulas, pricing, critical intellectual property, credit cards and personally identifiable information (PII) from employees, customers and suppliers, among other sensitive information.

Prior to this report, the ERP cybersecurity problem had remained largely ignored due to the lack of publicly-disclosed breaches and information about the threat actors in what was considered by many information security teams to be a complex and obscure domain.

“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Rick Holland, CISO and VP of Strategy at Digital Shadows.

“This collaboration with Digital Shadows provides a breadth and depth of threat intelligence that is unprecedented,” said Juan Pablo Perez-Etchegoyen, CTO at Onapsis. “By showing how these applications are being actively targeted by a variety of threat actors across different geographies and industries, we hope to overcome the misconceptions in the industry and help CIOs, CISOs and their organizations head off and manage the risk of wide-scale attacks on ERP applications, which could have a devastating impact, as well as macroeconomic implications.”