The economy-running, business-critical ERP applications — where SAP customers store their “crown jewels” — have a massive attack surface that can be abused to compromise a target organization, steal proprietary information, shut down systems, affect revenue, and damage reputations. While cyber attackers have been targeting ERP applications for years, the attacks are becoming more common and complex, pushing this topic to the forefront of many boardroom conversations.
Attacks Are Becoming More Sophisticated and Frequent
A recent report (released by Onapsis and Digital Shadows on July 25, 2018) highlights how different types of internal and external cyber attackers are directly targeting ERP applications. This report covers the evolving sophistication and growing frequency of these attacks, and it provides examples of more than 20 campaigns incorporating ERP applications as a key attack vector. Findings show that attackers are incorporating several angles:
- Non-advanced persistent threats: In the ERP world, organizations historically were not able to properly implement security and threat detection capabilities, meaning that vulnerabilities that were applicable three, five, or even 10 years ago are still exposed. What’s worse, attackers are beginning to understand that.
- Catching up with the technology gap: ERP applications are not only complex on their own, but they are built on top of a diverse set of components (mostly closed source and proprietary) that talk to each other. Compromising an ERP application requires a very specific skill set, but attackers are catching up. Guides for hacking or exploiting SAP applications can be found on cyber-criminal and underground forums.
- A window of exposure for patching: It sometimes takes organizations months and even years to apply security patches, leaving these systems exposed longer. During the infamous Equifax breach, attackers quickly abused a vulnerability after Apache released the patch.
- Abusing business processes: ERP applications are the foundation of most business processes. Sensitive finance, human resources, supply, and customer data is at risk of being exploited. An example is an attacker who changes bank account information of vendors and employees and receives considerable payments that go undetected.
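The last item, a vendor bank account being changed shortly before a payment is issued, is the kind of business-process abuse that only surfaces if someone correlates master-data changes with outgoing payments. The following is an added example (not from the report or from Onapsis) of such a correlation check, written against a constructed, simplified record format: it flags any payment sent to a vendor account that was changed within a configurable window before the payment, ignores no-op edits, and records who made the change so the alert can be routed for review. The field names and sample values are assumptions for illustration only.

```python
"""Correlate vendor bank-account changes with later payments to the new account."""
from datetime import datetime, timedelta

# Constructed sample change log in a hypothetical simplified format.
# ts is ISO-8601; account values are placeholder strings, not real IBANs.
BANK_CHANGES = [
    {"ts": "2018-07-02T09:15:00", "vendor": "V1001", "old": "DE00-OLD-1", "new": "DE00-NEW-1", "user": "jdoe"},
    {"ts": "2018-07-10T14:02:00", "vendor": "V2044", "old": "GB00-OLD-2", "new": "GB00-OLD-2", "user": "batch"},
    {"ts": "2018-05-01T08:00:00", "vendor": "V3099", "old": "FR00-OLD-3", "new": "FR00-NEW-3", "user": "asmith"},
]

# Constructed sample payment run in the same hypothetical format.
PAYMENTS = [
    {"ts": "2018-07-05T11:30:00", "id": "P-1", "vendor": "V1001", "account": "DE00-NEW-1", "amount": 48000.0},
    {"ts": "2018-07-12T10:00:00", "id": "P-2", "vendor": "V2044", "account": "GB00-OLD-2", "amount": 1200.0},
    {"ts": "2018-07-20T16:45:00", "id": "P-3", "vendor": "V3099", "account": "FR00-NEW-3", "amount": 9000.0},
    {"ts": "2018-07-06T09:00:00", "id": "P-4", "vendor": "V1001", "account": "DE00-OLD-1", "amount": 500.0},
]


def _parse(ts):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(ts)


def flag_payments(changes, payments, window_days=14, min_amount=0.0):
    """Return one alert per payment that went to a vendor account which was
    changed within `window_days` before the payment was issued.

    Only effective changes (old != new) are considered, and payments below
    `min_amount` are skipped so reviewers are not flooded with small items.
    """
    effective = [c for c in changes if c["old"] != c["new"]]
    window = timedelta(days=window_days)
    alerts = []
    for p in payments:
        if p["amount"] < min_amount:
            continue
        paid_at = _parse(p["ts"])
        for c in effective:
            changed_at = _parse(c["ts"])
            same_vendor = c["vendor"] == p["vendor"]
            to_new_account = c["new"] == p["account"]
            in_window = changed_at <= paid_at <= changed_at + window
            if same_vendor and to_new_account and in_window:
                alerts.append({
                    "payment": p["id"],
                    "vendor": p["vendor"],
                    "amount": p["amount"],
                    "changed_by": c["user"],
                    "days_after_change": (paid_at - changed_at).days,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_payments(BANK_CHANGES, PAYMENTS):
        print(alert)
```

With the sample data, only payment P-1 is flagged: it went to an account that user jdoe changed three days earlier. P-2 follows a change that did not alter the account, P-3 goes to an account changed well outside the 14-day window, and P-4 still uses the vendor's old account. Widening `window_days` to 90 also surfaces P-3, which is the trade-off a reviewer tunes between coverage and alert volume.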
Internet-Facing and Internal Applications Are at Risk
As part of the report, a discovery of internet-facing ERP components was performed that identified more than 17,000 components. Not only is that sheer number eye-opening, but there are other remarkable findings, such as:
- Thousands of non-productive systems: There should be no reason to expose non-productive environments to the Internet. These environments are typically less protected and are in some way connected to productive applications, rendering them insecure.
- Insecurely exposed applications: Well over 10,000 ERP components were detected as internet-facing and unnecessarily open, considerably increasing the attack surface.
- Old and no longer maintained components: A number of applications were detected as old versions that could be exposed to vulnerabilities.
Be Attentive and Cautious
Threat actors are targeting ERP applications, and organizations should stay vigilant to prevent a breach to their business-critical data and processes. Furthermore, if your organization is running ERP applications in the cloud, or is undergoing a cloud migration project, the Cloud Security Alliance (CSA) ERP Security Working Group provides documents to help address various challenges.