The US Department of Homeland Security has warned businesses of the growing risk of attackers targeting enterprise resource planning (ERP) systems.
ERP systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information, which can be used for cyber espionage, sabotage, and fraud.
In some cases, systems are left exposed, with thousands of ERP applications directly connected to the internet, providing a tempting — and lucrative — target for attackers.
The US-CERT alert follows the release of a joint report by security firms Digital Shadows and Onapsis into the threats hackers pose to ERP systems.
While companies like SAP and Oracle issue patches for their ERP products, customers can struggle to apply them due to complex system architectures, customised functionality, or even lack of knowledge about the patching process. These difficulties can then be exploited by attackers.
“You’ve got the real holy grail, which is the remote code execution exploits, then if that’s combined with an internet-facing application, that’s really sought after,” Mike Marriott, security analyst at Digital Shadows, told ZDNet.
ERP systems can be more vulnerable to attack if the applications they support are connected to the internet. Researchers identified more than 17,000 SAP and Oracle ERP applications connected to the internet, many of which belonged to large commercial and government organisations in the US, UK, and Germany.
“There are lots of internet-facing SAP and Oracle applications that are quite easy to find through Google Dorks, then lots of exploitable vulnerabilities available online with remote code execution,” said Marriott.
Many of these exposed applications are vulnerable to attack and information about those at risk is shared on the dark web and in criminal forums. According to the report, there’s been a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.
One way that attackers are exploiting vulnerabilities in ERP infrastructure is by using them to infect corporate networks with malware.
The latest incarnation of a common banking trojan malware Dridex has the ability to target SAP systems. Once installed on a system, this version of Dridex seeks out users of SAP software and harvests their credentials, along with sensitive business data.
But it isn’t just criminals targeting these systems — the report warns that nation-state sponsored attackers are targeting ERP applications for cyber espionage and sabotage.
Perhaps the most infamous example of this is the breach at the United States Information Service (USIS), which at the time was the biggest commercial provider of background information to the US federal government.
The attack, later found to be the work of state-sponsored Chinese hackers, began with an exploited SAP vulnerability and resulted in the exposure of thousands of sensitive records.
The Digital Shadows report warns that nation-state attackers continue to use ERP vulnerabilities as backdoors into systems.
“These attacks are under-reported and that can lead people to have to take the security of these applications less seriously than they should,” said Marriott.
“People have to face up to how these applications hold really sensitive information, there a lot of vulnerabilities, a lot of them are still internet facing and criminals are making use of this. So make sure you’re patching regularly and not using default passwords.”