Hackers and cybercriminals are increasingly targeting enterprise resource planning (ERP) software, with SAP and Oracle solutions at particular risk, according to a report from Digital Shadows and Onapsis.
For those unfamiliar, ERP software uses a central shared database to automate and manage several core back-office functions. So, why are these systems being targeted? As the report notes, “these systems hold the crown jewels organizations need to successfully operate.”
The report doesn’t unveil any new vulnerabilities. Rather, it focuses on known flaws and on how attackers exploit the fact that many legacy businesses are falling behind in patching and updating their software. These attacks are “leveraging the inability of customers to keep up with security,” the report said.
In fact, the number of available public exploits for ERP software from SAP HANA and Oracle has roughly doubled in the last three years, the report noted. This likely coincides with the rising demand for stolen credentials, which a hacked ERP system could provide.
One of the other major problems is that, even when ERP systems are being protected, it’s often not enough. “Traditional controls of ERP application security such as user identity management and segregation of duties are ineffective to prevent or detect the observed TTPs used by attackers,” the report said.
The US Department of Homeland Security (DHS) has endorsed the report, releasing its own report warning of how sensitive data could be stolen from such ERP systems.
According to the report, there are thousands of vulnerabilities affecting systems from both companies dating back many years. However, the report page noted that Onapsis is working with SAP and Oracle to remediate the vulnerabilities as they come up.
For more information on the report, including an FAQ on the findings, click here.
The big takeaways for tech leaders:
- Hackers are increasingly targeting ERP systems for the sensitive data they hold, especially going after Oracle and SAP. — Digital Shadows/Onapsis, 2018
- Most threats against ERP systems like SAP and Oracle are older known threats that simply haven’t been patched. — Digital Shadows/Onapsis, 2018