The US Department of Homeland Security (DHS) has flagged a new report highlighting an increase in attacks on critical ERP apps by state-sponsored hackers, cyber-criminals and hacktivists.

The joint research by Digital Shadows and Onapsis revealed that hackers are increasingly targeting ERP applications to steal highly sensitive data or disrupt business processes, exploiting known vulnerabilities, supply chain gaps and misconfiguration errors.

It claimed that there are now around 9000 known vulnerabilities in SAP and Oracle apps, which have seen a 100% increase in the number of publicly available exploits over the past three years.

The report also calculated a 160% increase in activity related to ERP-specific vulnerabilities from 2016 to 2017.

It’s not just traditional state-sponsored actors targeting these apps for espionage or disruption, or cyber-criminals looking to make money — the report claimed hacktivist group Anonymous has carried out nine operations since 2013.

Some of the attacks observed include use of popular malware like banking trojan Dridex to grab user credentials.

In some cases, the supply chain is making the job of the attackers even easier: the researchers found 545 SAP configuration files publicly exposed on misconfigured FTP and SMB shares, offering valuable information on the location of sensitive files in targeted organizations.

Companies are also guilty of basic security mistakes which could play into the hands of attackers: the report claimed to have found over 17,000 SAP and Oracle ERP apps exposed on the internet, many of them not up to date with patches.

The dark web provides threat actors with a wealth of information on where the key weaknesses to exploit lie, according to Digital Shadows.

“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Digital Shadows CISO, Rick Holland.

Source: infosecurity-magazine.com