Homeland Security warns of spike in ERP system attacks
The U.S. Department of Homeland Security is warning organizations across healthcare and beyond of increased nation-state, criminal group and hacktivist activity against enterprise resource planning systems used to manage finances, human resources and other business activities.
The alert comes just two days after two investigative reports on the activity spike by security firms Onapsis and Digital Shadows.
ERPs are web-based applications designed to manage everyday business operations, which means the systems hold a trove of valuable information. According to the report, the increase in zero-day exploits and vulnerabilities are mostly surrounding Oracle and SAP products, the largest providers of cloud-based ERPs.
Detailed information on SAP hacking is being exchanged on the dark web on a major Russian-speaking forum, the report authors wrote. Others were discussing how to acquire SAP HANA-specific exploits.
"This goes in hand with an observed 100 percent increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017," the report found.
In fact, the researchers identified more than 17,000 internet-connected ERPs, which provide a pathway for dictionary or brute-force attacks. The hackers can use brute-force attacks to break into unsecured accounts.
According to researchers, most of these attacks used known vulnerabilities, such as self-hosted ERP applications without the most recent patches. Hackers also go after cloud-based ERPs without established, strong security measures.
What’s worse is that many of these applications face the internet, which is common for businesses working with third-party vendors. However, weak security measures put these ports at risk.
Also notable is that the cybercriminals often leverage username and password information that was leaked in other data breaches from other companies to hack into an employee’s ERP.
"Just as with any software, ERP applications may also be susceptible to vulnerabilities that must be patched by customers who are running and maintaining these applications," the report authors wrote. "More often, ERP customers struggle to apply security patches due to some of these unique characteristics."
"Additionally, ERP customers struggle to understand which are the most important and relevant vulnerabilities that they should care about and mitigate," they continued.
At the moment, the report found there are currently 4,000 security patches for vulnerabilities in SAP applications and more than 5,000 for Oracle. In fact, the researchers found about 50 exploits for SAP products and another 30 for Oracle that are being traded on the dark web.
While patching is difficult for the healthcare sector, better patch management is needed given the number of attacks leveraged through unpatched systems like the WannaCry and Petya attacks from 2017.
Patching is a strong method to protect this vulnerability, as is continuously assessing risks to the application. The report also found that solid passwords, insecure parameter detection and an implemented, repeatable process to close gaps will also shore up threats to ERPs.
Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com