The U.S. Department of Homeland Security has warned businesses of the growing risk of attackers targeting enterprise resource planning (ERP) systems.
An alert posted by the United States Computer Emergency Readiness Team (US-CERT) warned that attackers are seeking to exploit vulnerabilities in ERP systems to access sensitive information.
ERP systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information, which can be used for cyber espionage, sabotage, and fraud.
In some cases, systems are left exposed, with thousands of ERP applications directly connected to the internet, providing a tempting—and lucrative—target for attackers.
The US-CERT alert follows the release of a joint report by security firms Digital Shadows and Onapsis into the threats hackers pose to ERP systems.
While companies like SAP and Oracle issue patches for their ERP products, customers can struggle to apply them due to complex system architectures, customized functionality, or even lack of knowledge about the patching process. These difficulties can then be exploited by attackers.
ERP systems can be more vulnerable to attack if the applications they support are connected to the internet. Researchers identified more than 17,000 SAP and Oracle ERP applications connected to the internet, many of which belonged to large commercial and government organizations in the U.S., U.K., and Germany.
Many of these exposed applications are vulnerable to attack, and information about those at risk is shared on the dark web and in criminal forums. According to the report, there was a 160% increase in activity and interest around ERP-specific vulnerabilities from 2016 to 2017.
One way attackers exploit vulnerabilities in ERP infrastructure is as an entry point for infecting corporate networks with malware.
The latest incarnation of the common banking trojan Dridex has the ability to target SAP systems. Once installed on a system, this version of Dridex seeks out users of SAP software and harvests their credentials, along with sensitive business data.
But it isn’t just criminals targeting these systems—the report warns that nation-state sponsored attackers are targeting ERP applications for cyber espionage and sabotage.
Perhaps the most infamous example of this is the breach at the United States Information Service (USIS), which at the time was the biggest commercial provider of background information to the U.S. federal government.
The attack, later found to be the work of state-sponsored Chinese hackers, began with an exploited SAP vulnerability and resulted in the exposure of thousands of sensitive records.
The Digital Shadows report warns that nation-state attackers continue to use ERP vulnerabilities as backdoors into systems.