ERP Applications Under Fire:
How cyberattackers target the crown jewels
Recent research from Onapsis and Digital Shadows provides evidence of how cybercriminals target and exploit SAP and Oracle ERP applications.
Download the latest research from Onapsis and digital risk management firm, Digital Shadows, detailing how cyberattackers are actively targeting companies’ ERP systems, specifically SAP and Oracle. These systems hold the crown jewels organizations need to successfully operate.
The research report includes what cyberattackers are doing to gain information about exploits for these business-critical applications and what steps organizations can do to protect themselves.
Digital Shadows and Onapsis hosted a webcast on August 29th to review the research and give attendees the chance to speak directly with the writers of the report with a live Q&A.
Access the DHS US-CERT Alert
The U.S. Department of Homeland Security (DHS) has issued an alert regarding the research in this report.
Q1: What is the nature of this threat report? Why are you publishing this?
The Onapsis Research Labs has extensive knowledge and expertise around ERP threats and vulnerabilities, working hand in hand with SAP and Oracle to remediate the vulnerabilities that are continuously being reported by Onapsis. In this instance, we combined our knowledge with the experience and technology provided by Digital Shadows, in order to get more visibility and understanding around how the threats to ERP Applications are evolving. We are publishing this report together with Digital Shadows to warn organizations and raise awareness around the risks and threats of not properly taking care of the security of ERP applications.
Q2: How can I check to see if my SAP and Oracle systems are internet facing?
Organizations can use publicly-available search engines to validate if they have internet-facing ERP applications. Shodan and Censys are two of the most well-known ones. These search engines will provide valuable information, however it is important to have a clear and up-to-date inventory of ERP applications, specifically documenting which ones could be exposed to external users (such as vendors and/or customers) as well as external networks, such as the internet.
Q3: Are there new vulnerabilities being discussed in the report?
The report focuses on known vulnerabilities, using known CVEs for searching and identifying threats affecting SAP and Oracle E-Business Suite (EBS) applications over diverse sources. ERP customers continue to struggle to keep up with patches and the security of ERP applications, which means that attackers do not need to execute complex APT attacks to gain access. As seen in the identified campaigns, attackers are using well-known vulnerabilities leveraging the inability of customers to keep up with security.
Q4: What known vulnerabilities are highlighted in the report?
We were able to identify a diverse number of campaigns, leveraging different techniques and procedures. The vulnerabilities that were individually identified are the Invoker Servlet in SAP Applications (CVE-2010-5326), the SOAPRFC exploit through metasploit and the lack of password hygiene (default/weak usernames and passwords).
Despite those uniquely identified vulnerabilities, attackers could target one of thousands of ERP vulnerabilities, therefore making it crucial for organizations to not only focus on those three but instead should prioritize and address ERP vulnerabilities as they would any other existing production application.
Q5: What is the risk to my business?
The biggest risk for organizations is not knowing the risks. Organizations must ensure the right level of governance around cyber risks that could affect ERP applications, starting with a clear understanding of their internet-facing ERP applications and followed by visibility and proactive management of potential vulnerabilities and risks affecting ERP applications.
Q6: What does “threat actor” mean?
Threat actors are entities that are responsible for a campaign or an incident that impacts the security of an organization or its data. Throughout the development of this report, the team was exposed to evidence of diverse campaigns that targeted ERP applications. The campaigns were also segregated by threat actors, due to the differing motivations of each one.
Q7: I only have non-production ERP applications connected to the internet, am I secure?
Even though it may seem to be a reduced risk to expose production systems, it could actually lead to a higher risk situation, as non-production applications typically have less controls, fewer audits and lessened security than other production environments. This could lead these application to be more easily targeted and ultimately compromised over production systems by abusing the existing interfaces and connections.
Q8: My ERP applications are behind a firewall, so why should I worry?
There is a misconception among many ERP customers that having ERP applications behind the firewall will prevent external threats. Even if there are no internet-facing ERP components, which in most cases it is not true, there are many threats that affect and target ERP applications behind the firewall. The update to the Dridex malware configuration, covering the SAPlogon (SAPgui) process is yet another example of how an attacker could still compromise SAP credentials and data.
Q9: What ERP applications are affected?
The research project focused on SAP applications and Oracle EBS applications, due to the relevance of these applications for the biggest organizations in the world. We have found evidence of campaigns targeting them in the scope of this research, but the problem is more widespread. ERP applications host the most critical business information, therefore organizations must protect these applications as well as its data.
Q10: If I'm running my ERP application in the cloud, am I safe?
The cloud provides many advantages and efficiencies, and security can be one of them in very specific use cases. In many cases, it is actually the opposite, as ERP customers believe that by moving to the cloud they are secure therefore relaxing security controls and protections.
Moving your ERP applications to the cloud will not transfer accountability and your organization is still responsible for the data hosted and processed by those applications. ERP customers still need to address security in cloud environments, to ensure the data is safe.
Q11: What can my organization do to ensure we are protected against malware targeting ERP applications?
Most organizations implement some type of endpoint/malware protection. Diverse products will protect your endpoints in different ways, starting with traditional antivirus through to more advanced methods. Independently of the product your organization is using, you have to make sure it is kept up to date and that the computers running the clients used to connect to ERP applications (such as SAPlogon) are also protected with the same level of protection as the rest of the company endpoints.
Q12: Why did the Department of Homeland Security (DHS) issue an alert on these threats?
The DHS sent out an alert to notify large organizations about these threat due to the nature of the evidence identified. There is clear evidence of intent from threat actors to target ERP applications, so organizations must be aware of this and be able to prevent a breach by following the recommended protocols.
Q13: My ERP applications are audited on a periodic basis. Does this ensure I am secure?
Traditional audits do not typically look into the technical risks of ERP applications, such as exploitable vulnerabilities or unpatched CVEs. We anticipate external audit firms will extend their current controls (which are mostly related to Segregation of Duties) to address SAP cybersecurity risks in the near future. The status-quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend organizations evaluate their internal audit processes to ensure they are incorporating these newer types of controls to manage business risk appropriately and proactively.
Q14: How can Onapsis help?
If you have never analyzed the cybersecurity level of your ERP applications, the first logical step is to understand what your current situation is and to understand the potential business risks. We can assist by performing a complementary Business Risk Illustration service at your organization.
Additionally, implementing a solution that provides continuous monitoring will ensure that your ERP systems are always protected against known vulnerabilities. The Onapsis Security Platform delivers a near real-time preventative, detective and corrective approach for securing ERP systems and applications.