Hackers turning attention to leading ERP systems

By: Mark Sutton

ERP systems are increasingly becoming a target for hackers, according to security researchers.

A report from Digital Shadows and security solution developer Onapsis has detailed the growing risk to ERP systems from hackers looking for financial gain or to cause business disruption.

Business applications such as ERP have not traditionally been a major target for hackers, but the research shows a build-up of interest in exploits and vulnerabilities related to ERP from the hacking community, indicating that hackers are moving up the stack into the application layer.

The report authors warn that this increased focus, coupled with weak security around ERP, in part because of the small number of previous attacks, means that many corporations could be leaving their most important systems open to attack.

“The implications of this research go beyond the risk to individual companies. Based on the observed threat actors, the pervasive nature of these applications in the world’s largest organizations and the dependence on them for the execution of business-critical processes, wide-scale attacks on ERP applications could also have macroeconomic implications,” the report notes.

The research ‘ERP Applications Under Fire: How cyber attackers target the crown jewels’ looks primarily at SAP and Oracle E-Business Suite, based on research and threat intelligence captured across the open, deep and dark web, as well as Onapsis’ ERP incident response and forensics engagements.

There have been several publicized attacks against ERP systems, the report notes, including a May 2016 warning from the US Department of Homeland Security (DHS) CERT that at least 36 global organizations were being exploited through the abuse of a specific, five-year-old SAP vulnerability.

Onapsis and Digital Shadows say that the mission-critical nature of ERP systems makes them targets for different groups – financially motivated hackers are looking to steal sensitive data from ERP systems, while political hacktivists are seeking to disrupt systems, particularly using denial of service attacks. Such DoS attacks against ERP have already been launched by ‘Anon’ related groups several times. Meanwhile, nation state actors may be looking at both espionage and disruption.

The report noted that there is a lack of ERP security consciousness across several of the world’s leading organizations, at the same time as increasing uptake of ERP in the cloud and on mobile devices has increased the potential attack surfaces.

Typical failings on ERP security include poor password hygiene, sharing of data such as login credentials and configuration files on public forums and data repositories, and ERP applications left open to the Internet. Over 3,000 unprotected internet-facing ERP services were discovered in the US, and the UAE ranked as third worldwide for the number of Oracle eBusiness Suite deployments that are left open to the public internet.

The report noted a big increase in hacking intelligence targeting ERP systems. Researchers found a large amount of hacker interest and information exchange particularly related to SAP and SAP HANA systems.

Hackers are currently focused on using known vulnerabilities to attack systems, and researchers identified 50 exploits for SAP products and 30 for the Oracle EBS technology stack that were commonly available online. While the number of publicly available exploits is still small, the numbers mark a threefold increase in Oracle exploits and fivefold increase for SAP in the past ten years.

Hacker intelligence is also shifting into practical execution – in March 2017, a request on a dark web site ‘Hidden Answers’ on the best way to exploit SAP got responses including video tutorials and penetration testing tools. Researchers have also seen malware developed to work behind the firewall targeting ERP, and banking Trojans that have been adapted to steal ERP logins.

Attackers have apparently become proficient enough at targeting ERP systems that they have expanded beyond stealing data, with crypto-mining/crypto-jacking attacks seen against compromised SAP servers.

“Traditional controls of ERP application security such as user identity management and segregation of duties are ineffective to prevent or detect the observed TTPs used by attackers. While some executives still consider ‘behind-the-firewall’ ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity. Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure,” the report notes.

Onapsis and Digital Shadows say that it is important for organizations to improve the cybersecurity posture of their ERP applications, whether deployed on-premise or in public, private or hybrid cloud environments.

The report recommends a number of measures, including identification and mitigation of ERP application layer vulnerabilities, insecure configurations and excessive user privileges; and identification and removal of dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and that are internet-facing.

Organizations should also monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise, and monitor for leaked ERP data and user credentials.