The US Government’s US Computer Emergency Readiness Team (US-CERT) has flagged a report that warns of an uptick in exploitation of bugs in the "crown jewels” of organizations more commonly known as enterprise resource planning (ERP) systems.
The short alert warns of “malicious cyber activity targeting ERP applications” and encourages admins to review a joint report from SAP bug hunter, Onapsis, and Digital Shadows. The companies note that hundreds of thousands of organizations across the globe have implemented an ERP system from either SAP and Oracle, which dominate the ERP market.
In 2016, US-CERT, a unit of the Department of Homeland Security, warned that 36 organizations were affected by an SAP flaw discovered by Onapsis whose researchers found signs that the vulnerability was being exploited to target SAP-using businesses, 13 of which had annual revenues of over $10 billion.
The businesses were located in the US, UK, Germany, China, India, Japan, and South Korea across a range of industries, including oil and gas, telecommunications, utilities, retail, automotive, life sciences, consumer products, chemicals, high tech, engineering, construction and more.
The vulnerability concerned a component called the Ivoker Servlet used in business applications on SAP Java platforms, which affected multiple SAP products including its ERP systems, CRM, Supply Chain Management, Business Intelligence, and multiple NetWeaver products.
These products from SAP and Oracle typically support payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics and billing. In other words, the applications host the crown jewels of an organization.
At the time, US CERT warned that hackers exploiting the Invoker Servlet vulnerability “gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
It advised organizations to audit systems for missing patches and “dangerous system configurations” and encouraged admins to carry out a range of other cyber hygiene tasks for SAP systems in public, private, and hybrid cloud environments.
Troublingly, Onapsis warned that attacks between 2013 and 2016 were confirmed and in every case the attacker used a publicly-known SAP application vulnerability that SAP had released a patch for more than fives earlier. The company worked with DHS US-CERTin 2016 to warn companies about the risk of an attack.
As for Oracle, its quarterly mega “critical patch update” advisories always contain the warning that it “continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”
Onapsis and Digital Shadows are now warning that ERP systems from SAP and Oracle are being attacked by hacktivist groups, cybercriminals, nation-state backed hackers, while seeing a dramatic rise in interest by hackers on Russian-language forums for exploits against SAP systems, including SAP HANA, and Oracle ERP applications.
The report notes that attacks mainly use known ERP vulnerabilities rather than previously undisclosed or zero-day exploits. The problem may stem from the fact that patching ERP systems is difficult due to customizations, proprietary protocols, specialized access controls, and the imperative for no unplanned downtime due to he criticality of the systems to business operations.
“These factors combine to make it difficult for ERP customers to stay up to date with security vulnerabilities, secure configurations and security patches. Unfortunately, this means that many organizations are implementing and running insecure ERP applications. Additionally, ERP customers struggle to understand which are the most important and relevant vulnerabilities that they should care about and mitigate,” the report notes.
So instead of patching rapidly, holes are left open because other business interests take priority. The companies note that there are more than 4,000 security patches for vulnerabilities in SAP applications and more than 5,000 for Oracle since the year 2000, which include 850 for Oracle’s E-Business Suite (EBS) of applications .
The researchers have also found more than 17,000 SAP and Oracle EP applications exposed on the internet, with the highest exposure in the US, Germany and the UK.
It appears that employees and suppliers are maliciously or accidentally exposing SAP configuration file repositories on the internet and exposing ERP login credentials on public forums.
ERP systems don’t gain the public exposure that flaws in browsers, operating systems, and open source libraries do, but nonetheless represent rich pickings for opportunistic hackers looking for a backdoor into resource rich companies that are exposed unintentionally by employees and supply partners simply attempting to share -- albeit in an insecure manner — information about how to access ERP systems used by multiple parties.
“We discovered over 500 SAP configuration files on insecure file repositories over the internet, as well as employees sharing ERP login credentials in public forums,” Onapsis and Digital Shadows note.
“These provide valuable information for attackers and greatly reduce their effort once they gain access to an organization’s network. With a large community of third-party contractors helping organizations to implement and maintain their ERP platforms, the risk from third parties increases,” they warn.
The companies also warn that standard ERP application security controls such as user identity management and segregation of duties are “ineffective to prevent or detect the observed TTPs [tactics, techniques and procedures] used by attackers”.
The findings blow a hole through the assumption by executives that ERP systems behind a firewall are protected and the same applies to companies that inadvertently expose systems on the internet that can be found through search engines such as Shodan.
“We have observed clear indicators of malicious activity targeting environments without direct internet connectivity. Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure.
Finally, due to the size of the companies affected, the researchers claim that the widespread use of ERP applications “could also have macroeconomic implications”.
The researchers scanned a range of sources for vulnerability and exploit data, including forums, dark web, and criminal sites, and found a “clear, growing trend in the interest around vulnerabilities affecting ERP applications, specifically for SAP and Oracle EBS technologies.”
Most of the SAP exploit information came from forum posts, but other major sources included Twitter, and coding sites, presumably meaning sites like GitHub.
Oracle exploit information predominantly was made available on web pages and Twitter.
Google search was also an important source of information about vulnerabilities by limiting queries using Google Dorks, where specific strings are used to search the internet for SAP and Oracle exploit information on Google.
Of note in the report, it says that banking trojans have started using attacks on SAP on Oracle systems to harvest banking credentials.
“It is common for the trojan to include configuration files that inform what URLs (normally bank logon URLs) to redirect to. However, given the sensitive financial information that ERP platforms hold, trojans have also targeted the logon information of SAP platforms.”
This technique was used by the notorious Carberp hang against SAP systems, but the newer Dridex banking trojan in 2017 started searching fo SAP logon credentials, signaling new attacks that targeted banks directly rather than consumers.