Oracle and SAP urge customers to apply patches to secure systems against hackers
Homeland Security has taken the step of issuing an alert to businesses using Oracle and SAP’s ERP applications, warning that the software is at risk from hackers.
Firms in the UK, US and Germany are most at risk from the threat, said security firms Digital Shadows and Onapsis, both of which warned that state-sponsored actors and hacktivist groups are actively targeting the ERP applications to disrupt critical business operations and steal personal credentials.
The research focused exclusively on vulnerabilities found in systems developed by Oracle and SAP, the two largest ERP vendors collectively used by the vast majority of large businesses.
More than 200 SAP exploits and 2,500 Oracle exploits dating back over a decade are detailed in the ‘ERP Applications Under Fire‘ report. One example the researchers highlighted was the use of several Dridex malware botnets, set up during 2017 and 2018, which allowed cyber criminals to steal valid SAP user credentials and gain access to companies’ internal IT environments.
Oracle said it patched the listed vulnerabilities in July and October 2017, and both firms advised customers to apply updates to their systems as soon as possible.
“While some executives still consider ‘behind-the-firewall’ ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity,” the report read.
“Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise and in public cloud environments, increasing the attack surface and exposure.”
Publicly available exploits have also risen alongside growing interest in historical vulnerabilities that can still be exploited today. The researchers identified criminal forums, dark web marketplaces and dedicated exploit sites as the main locations where exploits are traded, with Twitter one of the main sites where exploits are discussed.
The findings have led the US Computer Emergency Readiness Team (US-CERT) to issue an official warning – urging businesses to review the report and take measures to protect themselves against these vulnerabilities.
“The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products,” an Oracle spokesperson told IT Pro. “Oracle is focused on security and continues to investigate means to make applying security patches as easy as possible for customers. Oracle recommends that customers remain on actively-supported versions and apply security updates as quickly as possible.”