Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
7/26/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

DHS Warns of Increasing Attacks on ERP Systems

Following reports by Digital Shadows and Onapsis, the US Department of Homeland Security has issued a warning to businesses that nation-states and other groups are targeting Enterprise Resource Planning systems.

The US Department of Homeland Security has issued a warning to businesses that their Enterprise Resource Planning (ERP) systems are being increasingly targeted for attack, whether it's espionage, sabotage or financial fraud crimes.

It's also not one group that is behind these increases in ERP attacks. DHS is warning that nation-states, "hacktivist" groups and cybercriminals are all increasingly targeting these enterprise systems.

The DHS warning, which was issued July 25 through the US Computer Emergency Readiness Team (US-CERT), follows two reports by Digital Shadows and Onapsis that outlined these increasing threats to ERP software.

Over the past several years, enterprises large and small have been investing more in ERP, with Oracle and SAP as leading providers of this type of software. Microsoft is also a major player. What makes these systems a tempting target is the amount of data about companies they contain, including information related to supply chains, logistics, lifecycle management, human resources, marketing and, most importantly, financial details, results and billing information.

(Source: Flickr)
(Source: Flickr)

In addition, more ERP software is cloud-based, meaning data is moving from on-premises data centers to cloud service providers.

The Onapsis report notes:

Despite the relevance of these business-critical platforms to the operation of businesses and modern economies, the information security community has suffered from a lack of information regarding the tactics, techniques and procedures (TTPs) used by threat actors when targeting these systems for cyber espionage, sabotage and financial fraud attacks.

Security research found at least seven different hacktivist groups, including some associated with the Anonymous collective, targeting SAP and Oracle ERP applications. Additionally, several botnets based on the Dridex banking Trojan have been updated between last year and this year to specifically target SAP systems in order to steal credentials and access the internal infrastructure of different companies. (See BackSwap Banking Trojan Shows How Malware Evolves.)

Nation-states and groups associated with specific countries are also increasingly targeting ERP applications in order to steal data or carry out cyber espionage.

Specifically, the researchers note that on the Dark Web and other forums, attackers are increasingly looking for and trading exploits that target SAP's HANA in-line memory database. Overall, the report found about 4,000 patches for security vulnerabilities in SAP's offerings, and more than 5,000 security patches for Oracle.

Different groups have been trying to exploit ERP systems since at least 2012, but the first major breakthrough happened in 2014, when cyber attackers based in China exploited a SAP flaw to steal data from the US Information Service (USIS), which provides background investigations to the federal government, according to the report.

Now, these types of attacks are becoming more routine, with attackers not only stealing data, but also installing software to mine cryptocurrencies, according to the report.


Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

For years, enterprises believed that since these systems were within the network and behind a firewall, the applications were safe. However, increased use of cloud-based software is giving attackers new areas to exploit.

"While some executives still consider 'behind-the-firewall' ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity," the report concludes. "Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure."

Joseph Kucic, the chief security officer at Cavirin, which provides security tools for hybrid cloud environments, notes that many ERP applications started off as only on-premises software. Over time, these applications gained cloud components as vendors grew their offerings through acquisition, and customers changed the way they bought software.

"As cyber hackers are becoming more sophisticated and focusing on higher value targets, these legacy ERP providers mentioned in the report are great targets as they originally started as internal only applications then later on acquired additional bolt-on components," Kucic wrote in an email to Security Now on Wednesday.

"Most ERP application security controls (and both internal and external audits) were focused on configuration controls and did not focus on vulnerabilities given their original internal only usage," Kucic added. "Since these firms are growing by bolt-on acquisition strategic components (example SAP acquisition of Concur) there are extensive publicly exposed elements and those vendors lacked the focus that Cloud Born Application Security and Vulnerability have (i.e. Salesforce, ServiceNow, Workday, etc.) had in place since day one."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.