Homeland Security warns businesses of Oracle and SAP ERP vulnerabilities


Homeland Security has taken the step of issuing an alert to businesses using Oracle and SAP's ERP applications, warning that the software is at risk from hackers.

Firms in the UK, US and Germany are most at risk from the threat, said security firms Digital Shadows and Onapsis, both of which warned that state-sponsored actors and hacktivist groups are actively targeting the ERP applications to disrupt critical business operations and steal personal credentials.

The research focused exclusively on vulnerabilities found in systems developed by Oracle and SAP, the two largest ERP vendors, whose software is collectively used by the vast majority of large businesses.

More than 200 SAP exploits and 2,500 Oracle exploits dating back over a decade are detailed in the 'ERP Applications Under Fire' report. One example the researchers highlighted was the use of several botnets of the Dridex malware, set up over 2017 and 2018, to allow cyber criminals to steal valid SAP user credentials and access companies' internal IT environments.

Oracle said it patched the listed vulnerabilities in July and October 2017, and both firms advised customers to apply updates to their systems as soon as possible.

"While some executives still consider 'behind-the-firewall' ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity," the report read.

"Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure."

Publicly-available exploits have also risen alongside a growing interest in historical vulnerabilities that can still be exploited today. The researchers identified criminal forums, dark web marketplaces and dedicated exploit sites as a handful of locations on which exploits are traded - with Twitter one of the main sites where exploits are mentioned.

The findings have led the US Computer Emergency Readiness Team (US-CERT) to issue an official warning - urging businesses to review the report and take measures to protect themselves against these vulnerabilities.

"The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products," an Oracle spokesperson told IT Pro. "Oracle is focused on security and continues to investigate means to make applying security patches as easy as possible for customers. Oracle recommends that customers remain on actively-supported versions and apply security updates as quickly as possible."

An SAP spokesperson added: "As the global leader in business software, we take security seriously and implement best practices in our security processes that include development, operations, tools and employee training. Confidentiality, integrity, availability and data privacy are core values for SAP.

"Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month to protect SAP infrastructure from attacks."

Although US businesses are most vulnerable - with 77% of Oracle's E-Business Suite (EBS) users and 17% of SAP users based there, according to the report - the UK is the most exposed nation in Europe for internet-facing EBS applications, while Germany has the most internet-facing SAP applications.

A spokesperson for the UK's National Cyber Security Centre (NCSC) told IT Pro it would not be issuing guidance at this time as the report highlights a trending vulnerability, as opposed to a specific vulnerability, and that the US-CERT guidance covers the issue adequately.

The spokesperson added: "The NCSC advises that all businesses protect their systems from threats by installing updates and patches as soon as they become available, to ensure that you are protected as soon as the vendor releases updates regardless of the specific vulnerability.

"We also recommend that you follow vendor guidance on securing ERP systems in particular."

A timeline of incidents within the report also illustrated the rise in hacktivists and cyber criminals exploiting ERP vulnerabilities - spanning Sudoh@ck3rs' targeting of an internet-facing SAP portal in 2013, to cyber criminals exploiting WebLogic to use PeopleSoft to mine cryptocurrency.

In the wake of its findings, the report recommended that all businesses take steps to mitigate the risk of being targeted, saying: "ERP applications are clearly a target for cyber attackers and it is no longer an option to rely solely on identity management and segregation of duties controls, as they are ineffective to prevent or detect these evolved risks."

These measures include identifying ERP application layer vulnerabilities, monitoring for leaked ERP data and user credentials, as well as identifying and removing any dangerous interfaces and APIs between the different ERP applications in an organisation.


Keumars Afifi-Sabet
