In late July, the Department of Homeland Security issued a warning about a growing number of malicious cyberattacks aimed at ERP systems, based on a research project conducted by Digital Shadows and Onapsis. This warning comes on the heels of the first-ever DHS CERT Alert focused on SAP Business Applications, released in May of 2016. According to the report, hackers exploited old, unpatched vulnerabilities to successfully hack multiple organizations, including government agencies, energy businesses, and financial services companies. Onapsis and Digital Shadows found significant evidence of increased interest in ERP applications, including bad actors in criminal forums on the dark web asking for exploits specifically targeting ERP technology vulnerabilities. The study, “ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels,” found that attackers do not need advanced techniques to breach their targets: the current state of ERP application security across organizations is such that old vulnerabilities still affect these systems, so attackers have no need to develop new zero-days or advanced exploitation techniques.
The study highlights a not-so-dirty little secret about security practices around ERP applications: because these systems are so complex and require such high availability, organizations often fail to patch critical ERP vulnerabilities, leaving them exposed for years. There are some 9,000 known vulnerabilities across SAP and Oracle ERP applications, according to the study. That truth has recently caught on among a range of bad actors in the cyber underground, and the study uncovered a growing interest in exploiting such weaknesses. Specifically, Onapsis and Digital Shadows found more than 20 attack campaigns that incorporated ERP applications as part of the targeted technology, and the study revealed a 100 percent increase in the number of publicly available exploits for SAP and Oracle ERP applications over the last three years.
Unpatched ERP applications are only one part of the problem. The complexity of these systems can also lead to inadvertent leakage of configuration files that expose the applications to attackers. For example, the study found 545 SAP configuration files that were publicly exposed on misconfigured FTP and SMB servers. Such information helps attackers locate sensitive files on the organization’s network once they have found a way in and begun to move laterally inside the victim’s environment.
At the same time, cloud and mobile computing and digital transformation initiatives are exacerbating the problem of unpatched vulnerabilities and unprotected components of these applications. The study revealed that about 17,000 Oracle and SAP ERP installations at 3,000 organizations are exposed to the Internet, with many of those having unpatched vulnerabilities.
What the study did not address, however, are the organizational issues that contribute to the problem. There is a gap between what ERP professionals view as security, and what traditional IT security practitioners define as good application security hygiene. In the SAP world, for example, an SAP security specialist is responsible for user and security administration. That highly-paid specialist is responsible for maintaining SAP authentication, authorization, and configurations for SAP security models within the SAP application. Nowhere in their job description is the responsibility of patching vulnerabilities or ensuring that configurations are secure. Since security is in their title, though, the CISO assumes that SAP security is covered, with SAP acting as a black box for the IT security team.
Earlier this year, Enterprise Management Associates published a case study about a large manufacturing company that learned to bridge that gap, thanks to one SAP security specialist who understood the risks and championed a solution. Titled “SAP Security: How One Company Broke Down IT Silos to Make Accountability Job 1,” it demonstrates how organizations can begin to address the vulnerability issues now coming to the fore.