©2024 Onapsis | All rights reserved
Download the latest research from Onapsis and digital risk management firm, Digital Shadows, detailing how cyberattackers are actively targeting companies’ ERP systems, specifically SAP and Oracle. These systems hold the crown jewels organizations need to successfully operate.
The research report describes what cyberattackers are doing to gather information about exploits for these business-critical applications and what steps organizations can take to protect themselves.
Digital Shadows and Onapsis hosted a webcast on August 29th to review the research and give attendees the chance to speak directly with the writers of the report with a live Q&A.
The U.S. Department of Homeland Security (DHS) has issued an alert regarding the research in this report.
The Onapsis Research Labs has extensive knowledge and expertise around ERP threats and vulnerabilities, working hand in hand with SAP and Oracle to remediate the vulnerabilities that Onapsis continuously reports to them. For this research we combined that knowledge with the experience and technology of Digital Shadows in order to gain more visibility into, and a better understanding of, how the threats to ERP applications are evolving. We are publishing this report together with Digital Shadows to warn organizations and raise awareness of the risks of not properly securing ERP applications.
Organizations can use publicly available search engines to validate whether they have internet-facing ERP applications. Shodan and Censys are two of the best-known ones. These search engines provide valuable information, but they are no substitute for a clear and up-to-date inventory of ERP applications, one that specifically documents which systems are exposed to external users (such as vendors and/or customers) and to external networks such as the internet.
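The practical step is to reconcile what external discovery shows against what the inventory says should be exposed. The following script is an added example, not code from the report or from Onapsis: it fingerprints SAP and Oracle EBS front ends from a Server header and a few well-known entry-point paths, then compares the results with an inventory. The hostnames, inventory entries and discovery records are constructed for the illustration; in practice the discovery records would come from Shodan or Censys results, or a scan of your own public ranges, and the inventory from your CMDB.

```python
"""Reconcile an ERP inventory against external discovery results (added example).

Assumptions: discovery records carry the HTTP Server header and the list of
probed paths that returned 200; hosts, inventory and records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SAP's ICM identifies itself with this Server header prefix; the paths are
# standard SAP and Oracle EBS entry points. Kept minimal for the illustration.
SAP_SERVER_PREFIX = "SAP NetWeaver Application Server"
SAP_PATHS = ("/sap/public/info", "/sap/bc/gui/sap/its/webgui", "/irj/portal")
EBS_PATHS = ("/OA_HTML/AppsLogin", "/OA_HTML/RF.jsp")


@dataclass(frozen=True)
class Discovery:
    host: str
    server_header: str
    paths_200: Tuple[str, ...]  # probed paths that answered HTTP 200


def classify(d: Discovery) -> Optional[str]:
    """Return 'SAP', 'Oracle EBS' or None for a discovery record."""
    if d.server_header.startswith(SAP_SERVER_PREFIX) or any(p in d.paths_200 for p in SAP_PATHS):
        return "SAP"
    if any(p in d.paths_200 for p in EBS_PATHS):
        return "Oracle EBS"
    return None


def reconcile(inventory: Dict[str, dict], discoveries: List[Discovery]) -> Dict[str, list]:
    """inventory maps host -> {"product": str, "internet_facing": bool}."""
    findings: Dict[str, list] = {
        "unknown_exposed": [],        # ERP host on the internet, absent from inventory
        "undocumented_exposure": [],  # inventoried as internal-only but reachable
        "product_mismatch": [],       # inventory says one product, fingerprint says another
        "confirmed": [],              # exposure matches the inventory
    }
    for d in discoveries:
        product = classify(d)
        if product is None:
            continue  # not an ERP front end as far as the fingerprint can tell
        entry = inventory.get(d.host)
        if entry is None:
            findings["unknown_exposed"].append((d.host, product))
        elif not entry["internet_facing"]:
            findings["undocumented_exposure"].append((d.host, product))
        elif entry["product"] != product:
            findings["product_mismatch"].append((d.host, entry["product"], product))
        else:
            findings["confirmed"].append((d.host, product))
    return findings


# Constructed sample data for the walk-through.
INVENTORY = {
    "erp-prod.example.com": {"product": "SAP", "internet_facing": True},
    "erp-dev.example.com": {"product": "SAP", "internet_facing": False},
    "ebs.example.com": {"product": "Oracle EBS", "internet_facing": True},
    "crm.example.com": {"product": "Oracle EBS", "internet_facing": True},
}
DISCOVERIES = [
    Discovery("erp-prod.example.com", "SAP NetWeaver Application Server / ABAP 752", ("/sap/public/info",)),
    Discovery("erp-dev.example.com", "SAP NetWeaver Application Server / ABAP 750", ("/sap/bc/gui/sap/its/webgui",)),
    Discovery("portal-old.example.com", "SAP NetWeaver Application Server / AS Java 7.50", ("/irj/portal",)),
    Discovery("ebs.example.com", "Oracle-HTTP-Server", ("/OA_HTML/AppsLogin",)),
    Discovery("crm.example.com", "SAP NetWeaver Application Server / ABAP 750", ("/sap/public/info",)),
    Discovery("www.example.com", "nginx", ("/",)),
]


def run_example() -> Dict[str, list]:
    return reconcile(INVENTORY, DISCOVERIES)


if __name__ == "__main__":
    for category, hosts in run_example().items():
        print(f"{category}: {hosts}")
```

Three of the six constructed hosts produce something to act on: a development system that the inventory says is internal-only but that answers on the internet, a forgotten portal that is not in the inventory at all, and a host whose fingerprint disagrees with the inventory. Only the "confirmed" bucket needs no follow-up.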
The report focuses on known vulnerabilities, using known CVEs to search for and identify threats affecting SAP and Oracle E-Business Suite (EBS) applications across diverse sources. ERP customers continue to struggle to keep up with patches and with the security of their ERP applications, which means that attackers do not need to mount complex APT-style attacks to gain access. As seen in the identified campaigns, attackers are using well-known vulnerabilities, exploiting customers' inability to keep up with security.
We were able to identify a range of campaigns using different techniques and procedures. The weaknesses that were individually identified are the Invoker Servlet vulnerability in SAP NetWeaver Java applications (CVE-2010-5326), exploitation of the SOAP RFC interface using the publicly available Metasploit modules, and poor password hygiene (default or weak usernames and passwords).
Beyond those three, attackers could target any of thousands of known ERP vulnerabilities, so organizations should not focus only on those three but should prioritize and address ERP vulnerabilities as they would for any other production application.
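All three weaknesses are cheap to check for once the relevant configuration has been exported from the system. The script below is an added example, not code from the report or from Onapsis, and it runs over a constructed, simplified snapshot of system state rather than a real export. The facts it relies on are the ones SAP documents: the invoker servlet is disabled by setting EnableInvokerServletGlobally to false in the Java engine's servlet_jsp service, the SOAP RFC interface is the ICF service /sap/bc/soap/rfc, and SAP*, DDIC, EARLYWATCH, TMSADM and SAPCPIC are the standard default accounts. The snapshot layout (dictionaries of properties, ICF service states and user records with a "pwd_initial" flag) is an assumption made for the illustration; map your own export onto it.

```python
"""Audit a simplified SAP snapshot for the three weaknesses the report observed
being exploited (added example; the snapshots below are constructed)."""
from typing import Dict, List

DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}


def check_invoker_servlet(java_props: Dict[str, Dict[str, str]]) -> List[dict]:
    """CVE-2010-5326: the invoker servlet must be disabled globally.
    An unset property is treated as a finding, since older engines default to enabled."""
    value = java_props.get("servlet_jsp", {}).get("EnableInvokerServletGlobally", "")
    if value.lower() != "false":
        return [{"severity": "high", "check": "invoker_servlet",
                 "detail": f"servlet_jsp/EnableInvokerServletGlobally={value or '<unset>'}"}]
    return []


def check_soap_rfc(icf_services: Dict[str, bool]) -> List[dict]:
    """The SOAP RFC ICF service should be inactive unless a documented integration needs it."""
    if icf_services.get("/sap/bc/soap/rfc", False):
        return [{"severity": "medium", "check": "soap_rfc",
                 "detail": "/sap/bc/soap/rfc is active in SICF"}]
    return []


def check_default_accounts(users: List[dict]) -> List[dict]:
    """Flag default accounts that are not locked; unchanged initial passwords are worst."""
    findings = []
    for u in users:
        if u["user"] not in DEFAULT_ACCOUNTS or u["locked"]:
            continue
        detail = f"{u['user']} in client {u['client']} is unlocked"
        if u["pwd_initial"]:
            detail += " with its initial password"
        findings.append({"severity": "high" if u["pwd_initial"] else "medium",
                         "check": "default_account", "detail": detail})
    return findings


def audit(snapshot: dict) -> List[dict]:
    return (check_invoker_servlet(snapshot["java_props"])
            + check_soap_rfc(snapshot["icf_services"])
            + check_default_accounts(snapshot["users"]))


# Constructed "before" snapshot: the weak settings side by side ...
WEAK_SNAPSHOT = {
    "java_props": {"servlet_jsp": {"EnableInvokerServletGlobally": "true"}},
    "icf_services": {"/sap/bc/soap/rfc": True, "/sap/public/info": True},
    "users": [
        {"client": "000", "user": "SAP*", "locked": False, "pwd_initial": True},
        {"client": "100", "user": "DDIC", "locked": False, "pwd_initial": False},
        {"client": "100", "user": "EARLYWATCH", "locked": True, "pwd_initial": True},
        {"client": "100", "user": "JSMITH", "locked": False, "pwd_initial": True},
    ],
}
# ... and the corrected counterpart.
HARDENED_SNAPSHOT = {
    "java_props": {"servlet_jsp": {"EnableInvokerServletGlobally": "false"}},
    "icf_services": {"/sap/bc/soap/rfc": False, "/sap/public/info": True},
    "users": [
        {"client": "000", "user": "SAP*", "locked": True, "pwd_initial": False},
        {"client": "100", "user": "DDIC", "locked": True, "pwd_initial": False},
        {"client": "100", "user": "EARLYWATCH", "locked": True, "pwd_initial": False},
        {"client": "100", "user": "JSMITH", "locked": False, "pwd_initial": False},
    ],
}


if __name__ == "__main__":
    for name, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(f"== {name}: {len(audit(snap))} finding(s)")
        for f in audit(snap):
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}")
```

The weak snapshot yields four findings (the enabled invoker servlet, the active SOAP RFC service, and two unlocked default accounts, one of them still on its initial password); the hardened snapshot yields none. A non-default user with an initial password (JSMITH above) is deliberately outside this check, which is about the default accounts the report saw abused; password policy for ordinary users is a separate control.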
The biggest risk for organizations is not knowing the risks. Organizations must ensure the right level of governance around cyber risks that could affect ERP applications, starting with a clear understanding of their internet-facing ERP applications and followed by visibility and proactive management of potential vulnerabilities and risks affecting ERP applications.
Threat actors are entities that are responsible for a campaign or an incident that impacts the security of an organization or its data. Throughout the development of this report, the team was exposed to evidence of diverse campaigns that targeted ERP applications. The campaigns were also segregated by threat actors, due to the differing motivations of each one.
Exposing non-production systems may seem lower risk than exposing production, but it can actually create a higher-risk situation: non-production applications typically have fewer controls, fewer audits and weaker security than production environments. That makes them easier to target, and once compromised they can be used to reach production systems by abusing the existing interfaces and connections between the two.
There is a misconception among many ERP customers that keeping ERP applications behind the firewall will prevent external threats. Even in the rare case that no ERP component is internet-facing, there are many threats that target ERP applications behind the firewall. The update to the Dridex malware configuration to cover the SAP Logon (SAP GUI) process is yet another example of how an attacker can still compromise SAP credentials and data from a compromised workstation.
The research project focused on SAP and Oracle EBS applications because of their relevance to the largest organizations in the world. We found evidence of campaigns targeting them within the scope of this research, but the problem is more widespread. ERP applications host the most critical business information, so organizations must protect these applications as well as their data.
The cloud provides many advantages and efficiencies, and in specific use cases security can be one of them. In many cases, though, the effect is the opposite: ERP customers assume that moving to the cloud makes them secure and relax their security controls and protections as a result.
Moving your ERP applications to the cloud does not transfer accountability; your organization remains responsible for the data hosted and processed by those applications. ERP customers still need to address security in cloud environments to ensure that data is safe.
Most organizations implement some type of endpoint/malware protection. Different products protect endpoints in different ways, from traditional antivirus through to more advanced methods. Whichever product your organization uses, make sure it is kept up to date and that the computers running the clients used to connect to ERP applications (such as SAP Logon) are protected to the same level as the rest of the company's endpoints.
The DHS sent out an alert to notify large organizations about these threats because of the nature of the evidence identified. There is clear evidence of intent from threat actors to target ERP applications, so organizations must be aware of this and be able to prevent a breach by following the recommended mitigations.
Traditional audits do not typically look at the technical risks of ERP applications, such as exploitable vulnerabilities or unpatched CVEs. We anticipate that external audit firms will extend their current controls (which are mostly related to segregation of duties) to address SAP cybersecurity risks in the near future. The status quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit processes to ensure they incorporate these newer types of controls and manage business risk appropriately and proactively.
If you have never analyzed the cybersecurity posture of your ERP applications, the first logical step is to understand your current situation and the potential business risks. We can assist by performing a complimentary Business Risk Illustration service at your organization.
Additionally, implementing a solution that provides continuous monitoring will ensure that your ERP systems are always protected against known vulnerabilities. The Onapsis Security Platform delivers a near real-time preventative, detective and corrective approach for securing ERP systems and applications.
Let us show you how simple it can be to protect your business applications.